New Member

ASA 5520 - Active/Standby - Reverse Primary/Secondary

Hi all,

 

I didn't find an answer to my question in this forum, even though some people have discussed this subject.

I am running with a current Active/Standby configuration of two ASA 5520 with version 8.2(5).

I want to reverse their configuration as follows:

  • The current Primary one should become the Secondary one
  • The current Secondary one should become the Primary one

 

I want a final configuration, so the command "failover active" on the Secondary unit will only activate the failover, but the Primary/Secondary configuration will remain the same, so it's not the aim.

 

Does someone have a procedure to proceed?

 

Thank you very much for your help.

 

Best regards,

Damien

7 REPLIES
VIP Green

I want a final configuration, so the command "failover active" on the Secondary unit will only activate the failover, but the Primary/Secondary configuration will remain the same, so it's not the aim.

I am not entirely sure I understand what you want to accomplish here.  Do you want to be able to do a failover, but the IP addresses on the interfaces remain the same?  Such as active ip is x.x.x.x and standby ip is y.y.y.y, then initiate a failover and the active ip is now y.y.y.y and standby is x.x.x.x?

If this is the case, this is not possible.

If this is not what you are trying to do, then please explain in more detail what it is you want to happen.

--

Please remember to select a correct answer and rate helpful posts

New Member

Hi,

 

Thank you for your reply.

In fact, to make it simple, I want to reverse the current Active/Standby cluster. I know that the command "failover active" will force the failover, but I assume it's not a good situation?

 

ASA 1 is the current active firewall and ASA 2 the current standby one. I want to make ASA 2 the Active one (Primary) and ASA 1 the Standby one (Secondary).

Therefore, I need to change the command "failover lan unit primary" on ASA 1 to "failover lan unit secondary" and the opposite for ASA 2 (from "failover lan unit secondary" to "failover lan unit primary"). I don't know how to proceed...

 

I hope you understand my need.

 

Thank you again.

 

Best regards,

Damien

VIP Green (Accepted Solution)

Issuing the command failover active on the standby unit will do what you want.  It is done often if someone wants to perform some maintenance on the ASA that is currently the active ASA.

Once you do this the standby unit will remain the primary until either a failover situation occurs or you perform another manual failover.

VIP Green

Also, keep in mind that once the failover pair are up and running and the configuration is synchronized, both ASAs will have the exact same configuration.

New Member

Great, thank you very much! I'll proceed with the failover active, then.

Therefore, there is no way to change the command "failover lan unit primary/secondary" to have a proper configuration?

VIP Green

If you really must change them, you will need to break the failover by using the command no failover (make sure to make a backup of the commands first) and then re-add the commands after you have made the appropriate changes to both units.

New Member

Thank you very much for your help!
