ASA active/standby failover configuration

mnoureddine · ‎06-14-2010

Hi every body,

I have configured my ASA 5520 (Software version 8.1) as active/standby failover and it works very well, however i want to perfect my configuration. regarding my network topology, i would like that the primary device will be always active when it's running properly.

How do I can force the primary to be always active ?

Thank you very much,

Nour-Eddine

JORGE RODRIGUEZ · ‎06-14-2010

Nour-Eddine,

See some guidelines here..

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/ef.html#wp1930580

your primary unit will be always active until two occurances happened , a failure on primary active fw will trigger the standby to become Secondary active, or when you expliceitly force a unit to be the active firewall.. if your primary active firewall becomes primary standby for any reason you need to issue on the Secondary active the ( no failover active ) to force the of Primary firewall become active one and Secondary the standby.

Regards

Jorge Rodriguez

mnoureddine · ‎06-15-2010

Hi,

Yes I know that, but I want to automate this process. I dont want to each time the firewall failover accede to the standby and execute the commande.

is there any configuration line that can do this automatically ?

Best regards,

Nour-Eddine

JORGE RODRIGUEZ · ‎06-15-2010

AFAIK it cannot be automated in active/standby by configuration , you have to manually force it.

Regards

Jorge Rodriguez

mnoureddine · ‎06-15-2010

I know that we can use the preempt command to force a group to be always the active one in active/active mode.

Is there any one can help me to do that in active/standby mode ?

Many thanks,

Nour-Eddine

John Blakley · ‎06-15-2010

As Jorge said, this can't be manually done. You may be able to script something using Except, but I've never done it. There are 3 things though that I want to mention will fail over a unit:

The primary fails over to the secondary automatically because of an interface failing

The secondary becomes primary when it doesn't get a response from the primary within the hold time

A manual failover by issuing "no failover active" on the primary or "failover active" on the secondary.

You may want to look at creating an Expect script. You could do something like poll the primary for a line like "This host: Primary - Active" if you get anything else like: "This host: Primary - Standby Ready" then you can have the Expect script run your "failover active" command on the primary unit. It's not going to be graceful, but it should work. There's nothing in the ASA that will allow you to do this automatically for active/standby.

HTH,

John

HTH, John *** Please rate all useful posts ***

david.g.white · ‎07-12-2010

Convention would say do NOT automate the fail back !

The ASA Primary device will fail over in many circumstances, one of which could be excessive errors on an interface or an interface 'flapping'.

If you set up the system to auto fail back , then in such circumstances the unit will be likely to fail over again, this can get you into a downward spiral (i.e. a loop) where the unit becomes so busy failing over and back again, that it fails to pass user traffic.

In all cases where a fail over has occurred investigation should be undertaken to estbalish the root cause, and when this root has been fixed, then the unit can be failed back.

please note that in the event that a transient failure causes a fail over, the unit can automatically fail over (i.e. fail back) by itself (i.e. it becomes a reverse Standby / Active configuration until manually failed back).