Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
649
Views
0
Helpful
4
Replies

ASA Active/Standby replication order, blank config copied

John Peterson
Level 1
Level 1

‎03-21-2012 02:44 PM - edited ‎03-11-2019 03:45 PM

Hi,

I'm in the process of configure active/standby on two asa.

The first time I made the change, I issued failover on the secondary 1st and then failover on the primary and the unit started copying from secondary to primary.

I next wiped the secondary config and removed the config from the primary, followed cisco guide and issued failover on the secondary and then primary and it worked perfect.

My cmds on both attemps were excaulty the same.

Has anyone experienced this before?

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎03-22-2012 01:36 AM

Hi,

I might be missing something but wouldn't it be better to start with the Primary unit?

I mean if you have a configured ASA to which you want to attach a failover pair, it would be better to configure the original ASA with all the failover configurations and activate the failover.

After the Primary ASA has detected that is has no "failover mate" it should be in active state. Now you could configure the ASA with no configurations with failover configurations, activate the failover and connect the Failover pair physically. After the ASA should see their failover pairs and the Prmary ASA with the configurations would replicate them to the blank Secondary ASA.

0 Helpful

arikawahyono
Level 1
Level 1

‎03-22-2012 01:45 AM

Hi John,

After you change the configuration, had you use command "Write Standby"  from the active ASA?

thanks,

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni

‎03-22-2012 01:56 AM

If you have an active failover in stable state it should be enough to issue "write memory" on the Active unit. It should save all the changes also to the secondary unit.

I guess the "write standby" command copies the whole Active ASA configurations to the Secondary ASA.

0 Helpful

John Peterson
Level 1
Level 1

‎03-22-2012 01:00 PM

Hi,

Thanks for your input.

I have not saved the config to flash, but from what I know this should not matter.

I have today done the same configuration on both the ASA in my lab and works perfect.

The problem is, I have heard other people who also experience the same issue, but know one seems to know why.

In my current setup, I can issue failover in any order and the ASA know which is the active mate. But yesteday the ASA copyied the configuration from the secondary firewall thinking that it was active when it was the other device.

I would like to know what determines tha ASA to know its the active mate?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card