I have configured my ASA 5520 (software version 8.1) as active/standby failover and it works very well; however, I want to perfect my configuration. Regarding my network topology, I would like the primary device to always be active when it is running properly.
How can I force the primary to always be active?
Your primary unit will always be active until one of two occurrences happens: a failure on the primary active FW will trigger the standby to become the secondary active, or you explicitly force a unit to be the active firewall. If your primary active firewall becomes primary standby for any reason, you need to issue on the secondary active the (no failover active) to force the primary firewall to become the active one and the secondary the standby.
As Jorge said, this can't be manually done. You may be able to script something using Expect, but I've never done it. There are 3 things, though, that I want to mention that will fail over a unit:
The primary fails over to the secondary automatically because of an interface failing
The secondary becomes primary when it doesn't get a response from the primary within the hold time
A manual failover by issuing "no failover active" on the primary or "failover active" on the secondary.
You may want to look at creating an Expect script. You could do something like poll the primary for a line like "This host: Primary - Active"; if you get anything else, like "This host: Primary - Standby Ready", then you can have the Expect script run your "failover active" command on the primary unit. It's not going to be graceful, but it should work. There's nothing in the ASA that will allow you to do this automatically for active/standby.
Convention would say do NOT automate the fail back!
The ASA Primary device will fail over in many circumstances, one of which could be excessive errors on an interface or an interface 'flapping'.
If you set up the system to auto fail back, then in such circumstances the unit will be likely to fail over again; this can get you into a downward spiral (i.e. a loop) where the unit becomes so busy failing over and back again that it fails to pass user traffic.
In all cases where a fail over has occurred, investigation should be undertaken to establish the root cause, and when this root cause has been fixed, then the unit can be failed back.
Please note that in the event that a transient failure causes a fail over, the unit can automatically fail over (i.e. fail back) by itself (i.e. it becomes a reverse Standby / Active configuration until manually failed back).
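The polling idea from the Expect answer above, combined with the advice in this answer not to automate the fail back, can be written as a monitor that parses the "This host:" / "Other host:" lines of `show failover` and only raises an alert when the primary is not active, leaving the actual `failover active` to an operator who has found the root cause. This is an added example, not code from the thread; the `show failover` samples are constructed to match the lines quoted in the answers (they are not captured from a real ASA), and the function names `parse_failover` and `needs_attention` are this example's own.

```python
import re

# Constructed sample output. Only the "This host:" / "Other host:" lines are
# modelled on what the answers above quote; the rest is illustrative filler.
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

# Constructed: the primary has failed over and is now standby (e.g. after an
# interface failure or a missed hello within the hold time).
SAMPLE_FAILED_OVER = """\
Failover On
Failover unit Primary
        This host: Primary - Standby Ready
                Active time: 0 (sec)
        Other host: Secondary - Active
                Active time: 3600 (sec)
"""

# Matches e.g. "This host: Primary - Active" or "Other host: Secondary - Failed".
HOST_RE = re.compile(
    r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$",
    re.MULTILINE,
)


def parse_failover(output):
    """Return {'this': (role, state), 'other': (role, state)} from show failover text."""
    parsed = {}
    for match in HOST_RE.finditer(output):
        which, role, state = match.groups()
        parsed[which.lower()] = (role, state)
    return parsed


def needs_attention(output):
    """Return None when the primary is active, else a reason string for an alert.

    Deliberately never decides to fail back: per the convention above, a human
    establishes the root cause first, then issues 'failover active' manually.
    """
    this_host = parse_failover(output).get("this")
    if this_host is None:
        return "could not find a 'This host:' line in show failover output"
    role, state = this_host
    if role == "Primary" and state == "Active":
        return None
    return (f"primary unit state is '{state}' (expected 'Active'); "
            "investigate the root cause before failing back")


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("failed over", SAMPLE_FAILED_OVER)):
        reason = needs_attention(sample)
        print(f"{name}: {'OK' if reason is None else 'ALERT - ' + reason}")
```

In practice the `output` argument would be whatever your Expect or SSH wrapper captured from `show failover`; the parser is the part worth keeping, since it is what turns "Primary - Standby Ready" into a ticket rather than an automatic, possibly looping, fail back.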