07-16-2013 11:59 AM - edited 03-10-2019 12:04 AM
During an Internet upgrade, I changed the roles of my ASAs. The site that was originally designed to be Secondary is now a better fit as Primary.
So, what used to be my Secondary ASA is now my Primary. However, the command "failover lan unit secondary" was set on the Secondary unit and
"failover lan unit primary" was set on the original Primary device.
Can I change these to reflect the correct role ("failover lan unit primary" or "secondary") without causing any outages or problems?
07-17-2013 09:29 AM
Hi,
We are talking about 2 different things.
Primary and Secondary are the roles configured for the firewalls. As I said, they aren't that important (at least it doesn't seem so) in an Active/Standby type Failover.
Then you have the actual State of the device in Failover, which is either Active or Standby Ready.
Naturally the start situation might be that you have
Now let's consider that the Primary unit reboots because of a power failure. The new situation would be
If the Secondary device would suffer from a reboot caused by a power outage, the roles would again change to
So the most important things to watch are which unit is Active and which is in Standby Ready state. Those tell which device is handling the traffic currently. As long as neither device fails and causes a Failover, the same device will stay Active whether it's configured as Primary or Secondary. As I said before, if you had an Active/Active setup, there you could control the Failover so that one unit is always the Primary/Active and in the event of failure (and recovery) the original Primary/Active unit would return to the Active state with a small delay.
- Jouni
07-16-2013 12:25 PM
As far as I know, you cannot swap the failover unit roles on the fly. There is a proper procedure that can be performed from the console session of both ASAs.
~BR
Jatin Katyal
**Do rate helpful posts**
07-16-2013 12:42 PM
Jatin
Thanks for your response.
At the time we did issue a command that made the secondary ACTIVE. So now I have the following:
(I have modified IPs to remain anonymous)
ASA-5520# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Heartbeat GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(3), Mate 8.2(3)
Last Failover at: 13:43:59 CST Dec 21 2012
This host: Secondary - Active
Active time: 17894886 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
Interface outside (216.x.x.2): Normal
Interface inside (192.168.x.1): Normal
Interface dmz (192.168.x.1): Normal (Not-Monitored)
Interface management (192.168.x.84): No Link (Waiting)
slot 1: empty
Other host: Primary - Standby Ready
Active time: 5267283 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(3)) status (Up Sys)
Interface outside (216.x.x.12): Normal
Interface inside (192.168.x.2): Normal
Interface dmz (192.168.x.2): Normal (Not-Monitored)
Interface management (0.0.0.0): No Link (Waiting)
slot 1: empty
I also modified the ip route statements to make the Internet router connecting to what is currently called the Secondary my default route out to the world.
route outside 0.0.0.0 0.0.0.0 216.x.x.11 1 track 1
route outside 0.0.0.0 0.0.0.0 216.x.x.1 254
I simply want the ASA I am using as Primary to be called the Primary. What would you/anyone advise?
07-17-2013 08:48 AM
Can anyone advise on this issue?
07-17-2013 09:06 AM
Hi,
Is the above "show failover" output now correct for you?
Is the one that you configured as Secondary/Primary showing as you have configured?
At least the start of the output suggests that the unit where the output was taken is configured as Secondary and showing up as Secondary.
If you are referring to the name of the ASA showing as Primary and Secondary, then that is not possible as they share the "hostname" configuration.
What you could do, though, is configure an additional global command that will show you on the unit you are logged into
You could use this command for example
prompt hostname priority state
What I mean by this is that it would actually show you on the command line interface, all the time, the status of the unit with regards to the failover.
Can't give you a good example since my own ASA is only an ASA5505 which is not configured for Failover. But with the above command its hostname prompt is now
ASA/sec/actNoFailover(config)#
It's showing Secondary as the default setting for an ASA unit in Failover is Secondary unless otherwise configured to be Primary specifically.
Do also notice that configuring one unit as Primary and one as Secondary doesn't generally have that noticeable an effect on the operation. If both of the firewalls were to boot at the same time, then the Primary unit would become the Active unit. If however the Primary unit was Active and then failed and recovered again, IT WOULD NOT become Active automatically. You would have to manually make it Active again, or the Secondary unit (which would then be Active) would have to fail.
Only Active/Active Failover can use a command/configuration that will return the original unit back to Active when its recovered.
Hope this helps
- Jouni
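As an added example (not code from the thread or from Cisco), a small Python parser that separates the configured role (Primary/Secondary) from the runtime state (Active/Standby Ready) in "show failover" output, the distinction explained above; the sample output is constructed after the listing posted earlier, with documentation addresses substituted. Useful in a monitoring script that should alert on which unit is actually carrying traffic rather than on the configured role.

```python
"""Parse Cisco ASA 'show failover' output: configured role vs runtime state."""
import re

# Constructed sample, modelled on the 'sh failover' output posted in the thread.
SAMPLE = """Failover On
Failover unit Secondary
Failover LAN Interface: Heartbeat GigabitEthernet0/3 (up)
Version: Ours 8.2(3), Mate 8.2(3)
        This host: Secondary - Active
                Active time: 17894886 (sec)
                  Interface outside (203.0.113.2): Normal
                  Interface inside (192.0.2.1): Normal
                  Interface dmz (192.0.2.1): Normal (Not-Monitored)
                  Interface management (192.0.2.84): No Link (Waiting)
        Other host: Primary - Standby Ready
                Active time: 5267283 (sec)
                  Interface outside (203.0.113.12): Normal
                  Interface inside (192.0.2.2): Normal
                  Interface dmz (192.0.2.2): Normal (Not-Monitored)
                  Interface management (0.0.0.0): No Link (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.M)
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\): (.+?)\s*$", re.M)


def parse_failover(text):
    """Return {'this': {...}, 'other': {...}} with role, state and interface status."""
    hosts = {}
    matches = list(HOST_RE.finditer(text))
    for i, m in enumerate(matches):
        # Interface lines belonging to this host run until the next 'host:' header.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.end():end]
        ifaces = {name: status for name, _ip, status in IFACE_RE.findall(block)}
        hosts[m.group(1).lower()] = {"role": m.group(2), "state": m.group(3), "interfaces": ifaces}
    return hosts


def active_unit(hosts):
    """Configured role of the unit that is carrying traffic now (decided by state, not role)."""
    return next((h["role"] for h in hosts.values() if h["state"] == "Active"), None)


def role_state_mismatch(hosts):
    """True when the Active unit is not the configured Primary: the thread's situation,
    normal after a failover, but worth surfacing so nobody assumes Primary == Active."""
    return active_unit(hosts) not in (None, "Primary")


def non_normal_interfaces(hosts):
    """Interfaces per host whose status is not Normal, e.g. 'No Link (Waiting)'."""
    return {who: [n for n, s in h["interfaces"].items() if not s.startswith("Normal")]
            for who, h in hosts.items()}
```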
07-17-2013 09:24 AM
Question?
The device shows as Secondary, but also states it is the ACTIVE device. "This host: Secondary - Active"
Doesn't ACTIVE mean the device is being used as PRIMARY?
07-17-2013 09:26 AM
Traffic passing through the ASAs is being sent first to the physical device which is currently showing up as Secondary-ACTIVE?