I haven't really had to move any firewall equipment in the failover pair, but I have had to disconnect a secondary firewall because of a failover-related problem (Configuration Sync didn't go through and the Secondary Firewall caused the whole pair to lose connectivity... for some reason).
Basically what I did in the situation was the following:
- Disconnected the Secondary firewall from the network
- Erased the configurations from the Secondary firewall and reloaded it
- Configured the Secondary firewall with Failover configurations only
- Connected the Secondary firewall back to the network (everything but the actual Failover interface)
- Connected the Secondary firewall to Primary firewall with the failover cable (Actual firewalls located in 2 different datacenters)
- Watched as the Secondary firewall found the Primary firewall and started receiving the configuration from the Primary unit
The failover configuration on the Secondary device is the following (the only difference in the Primary device's configuration is naturally that it's defined as the primary unit):
failover lan unit secondary
failover lan interface failover GigabitEthernet0/1
failover link failover GigabitEthernet0/1
failover interface ip failover x.x.x.x 255.255.255.252 standby y.y.y.y
That is exactly the thing I'd like to do (move one ASA to the other datacenter).
Disconnecting the sync is not the hard part. The ASAs won't bother (active remains active, standby remains standby)
However, when the secondary's sync link goes back up (and suppose the sync transit network is not correctly configured) it won't see the primary, it will go active and we'll have a split brain scenario which I'd like to avoid...
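The split-brain worry above comes down to the two units disagreeing about the failover link before the cable goes back in. The following is an added example, not code from the thread: a small Python checker that parses the `failover` stanza shown earlier from both units' configs and reports inconsistencies (unit roles, LAN/link interface, failover IP/mask/standby, and whether the standby address actually sits in the failover subnet). The sample configs are constructed, with the thread's `x.x.x.x` / `y.y.y.y` replaced by placeholder RFC 1918 addresses.

```python
import ipaddress
import re

# Constructed sample configs: the thread's x.x.x.x / y.y.y.y replaced by
# placeholder addresses. Both units carry the same "failover interface ip"
# line; only the "failover lan unit" role differs.
PRIMARY_CFG = """\
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover link failover GigabitEthernet0/1
failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
"""

SECONDARY_CFG = """\
failover lan unit secondary
failover lan interface failover GigabitEthernet0/1
failover link failover GigabitEthernet0/1
failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
"""

_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(cfg: str) -> dict:
    """Pull the failover-related lines out of running-config text."""
    out = {}
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("failover lan unit "):
            out["unit"] = line.split()[3]
        elif line.startswith("failover lan interface "):
            _, _, _, name, phys = line.split()
            out["lan_if"] = (name, phys)
        elif line.startswith("failover link "):
            _, _, name, phys = line.split()
            out["link_if"] = (name, phys)
        else:
            m = _IP_RE.match(line)
            if m:
                name, ip, mask, standby = m.groups()
                out["ip"] = {"name": name, "ip": ip, "mask": mask, "standby": standby}
    return out


def check_pair(primary_cfg: str, secondary_cfg: str) -> list:
    """Return a list of human-readable problems; an empty list means the
    two stanzas are consistent with each other."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    issues = []
    if p.get("unit") != "primary":
        issues.append("primary unit is not configured as 'failover lan unit primary'")
    if s.get("unit") != "secondary":
        issues.append("secondary unit is not configured as 'failover lan unit secondary'")
    for key, label in (("lan_if", "failover lan interface"), ("link_if", "failover link")):
        if key not in p or key not in s:
            issues.append(f"'{label}' missing on one unit")
        elif p[key] != s[key]:
            issues.append(f"'{label}' differs: {p[key]} vs {s[key]}")
    if "ip" not in p or "ip" not in s:
        issues.append("'failover interface ip' missing on one unit")
        return issues
    if p["ip"] != s["ip"]:
        issues.append(f"'failover interface ip' differs: {p['ip']} vs {s['ip']}")
    # Sanity-check each unit's addressing independently.
    for tag, c in (("primary", p), ("secondary", s)):
        net = ipaddress.ip_network(f"{c['ip']['ip']}/{c['ip']['mask']}", strict=False)
        active = ipaddress.ip_address(c["ip"]["ip"])
        standby = ipaddress.ip_address(c["ip"]["standby"])
        if active == standby:
            issues.append(f"{tag}: active and standby failover addresses are identical")
        if standby not in net:
            issues.append(f"{tag}: standby {standby} is outside failover subnet {net}")
    return issues


if __name__ == "__main__":
    for problem in check_pair(PRIMARY_CFG, SECONDARY_CFG) or ["no failover config mismatches found"]:
        print(problem)
```

Run it against the `show running-config failover` text captured from each unit before reconnecting the failover cable; any reported mismatch is worth fixing while the secondary is still isolated, rather than discovering it when the link comes up.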
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...