Cisco Support Community

New Member

ASA Failover behavior when two firewalls are in active state


Assume there are two ASA firewalls which are paired and working as an Active/Standby failover pair. I would like to migrate the stand-by one to a different location, and then I would need to make some configuration changes, including new VLANs added, IPs, etc., but no change to the failover configuration. Then I would switch it to become active, and then I will migrate the other ASA, which is already in active mode, to the same place and connect them to each other. My question is what the second firewall would do once I connect them to each other (since both ASAs are active and connected together, I do not know the behavior).

Does the second one go stand-by and get all the configuration from the first one? Or does the second one stay active and the first one go to stand-by, and all configuration changes which have been made are removed from the first one?

If the second question is the answer, then I'm going to need to have their failover configuration changed on both.

I know that configuration is always sent from the active to the stand-by; I just want to know what the behavior would be when both of them are active and they are connected to each other.

Hall of Fame Super Silver

ASA Failover behavior when two firewalls are in active state

When you bring the current Secondary - Standby switch up without the Primary - Active one detected as connected (via the failover link) and healthy at the new location, it will become Secondary - Active. When you then relocate the Primary - Active one to the new location, it will initially come up Primary - Standby (and get its configuration updated from the Secondary - Active unit) and remain that way (unless and until the following kicks in...).

If your failover configuration includes preempt, the Primary unit should resume the Active role (assuming all its monitored interfaces are healthy). Otherwise, you can force it back into Primary - Active mode by using the "failover active" command.

I recommend you review the ASA Configuration Guide section on Configuring High Availability (guides are all posted here) and this configuration example.
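
As an added example (not part of the original thread and not Cisco code): a small Python check that compares `show failover state` output collected from both units after they are reconnected, and reports whether exactly one unit is Active and which unit's configuration is therefore the one being replicated. The sample text is constructed, its column layout is an assumption about that command's output, and `sample_view`, `parse_view` and `check_pair` are hypothetical names.

```python
import re

def sample_view(this_unit, this_state, other_unit, other_state):
    """Constructed text laid out like `show failover state` (not a real capture)."""
    return (
        "               State          Last Failure Reason      Date/Time\n"
        f"This host  -   {this_unit}\n"
        f"               {this_state:<15}None\n"
        f"Other host -   {other_unit}\n"
        f"               {other_state:<15}None\n"
    )

def parse_view(text):
    """Return {'this': (unit, state), 'other': (unit, state)} from one unit's output."""
    view, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*(This|Other) host\s*-\s*(Primary|Secondary)", line)
        if m:
            # The state is the first column of the line after the host line.
            state = re.split(r"\s{2,}", lines[i + 1].strip())[0]
            view[m.group(1).lower()] = (m.group(2), state)
    return view

def check_pair(output_a, output_b):
    """Compare both units' views; return (status, unit whose config is replicated)."""
    a, b = parse_view(output_a), parse_view(output_b)
    active = [v["this"][0] for v in (a, b) if v["this"][1] == "Active"]
    if len(active) == 2:
        # Both claim Active: the units do not see each other over the failover link.
        return ("dual-active", None)
    if len(active) == 1:
        standby = b if a["this"][1] == "Active" else a
        if standby["this"][1] == "Standby Ready":
            return ("healthy", active[0])
        return ("standby-not-ready", active[0])
    return ("no-active-unit", None)

# Constructed case: the Primary has rejoined at the new site, as the reply describes.
REJOINED = (sample_view("Secondary", "Active", "Primary", "Standby Ready"),
            sample_view("Primary", "Standby Ready", "Secondary", "Active"))
# Constructed case: failover link not connected, each unit reports its peer as failed.
SPLIT = (sample_view("Secondary", "Active", "Primary", "Failed"),
         sample_view("Primary", "Active", "Secondary", "Failed"))

if __name__ == "__main__":
    print(check_pair(*REJOINED))
    print(check_pair(*SPLIT))
```

A `dual-active` result means the failover link should be checked before any further configuration change is made on either unit.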