Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4720
Views
10
Helpful
3
Replies

Disable failover before changing config

Go to solution
philbe
Level 1
Level 1

‎01-09-2014 04:22 PM - edited ‎03-11-2019 08:27 PM

hi

I'm making some major changes to the config on an active/standby asa this evening and am planning the roll back in case things go bad.

I'm planning to wr mem the config and then 'no failover' on the Active asa

THen make the changes.

If all goes well, hopefully i can re-enable failover and sync the configs with 'failover' on the Active asa  ? And the wr mem the config.

If all goes bad, i can 'reload' the Active and it should reload the the old config and it can 'failover' to re-enable the clustering.

Am i correct in these commands? Will 'failover' re-enable or actually failover!

Also should i be doing these on the Active or Standby asa.

thanks

phil  

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to philbe

‎01-12-2014 03:41 PM

Hello Phil,

Is there something else that you need from this discussion? Otherwise you can mark it as answered.

Kudos to you for the explanation

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-10-2014 08:15 AM

Hello Philbe,

The thing is that as long as you take out the no failover active, the other ASA (standby) will claim to be the active and this one (ex-active) as do not have any failover config will be forwarding traffic so you might get havving network problems as both of the firewalls will be claiming to have the same IP address but different MAC addresses.

If you want to follow this path you will need to disable failover on the secondary unit first and then on the primary and make the changes (you will miss the failover functionality but at least you will not cause any network outage).

For me the best way to go is to do it while having the network with failover, make sure you have a backup of the config and a console connection to the firewall so you can inmediatly go back to the previous setup.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
philbe
Level 1
Level 1
In response to Julio Carvajal

‎01-12-2014 02:40 PM

hi Julio

thanks for that. All the changes went well, so no need to roll back in the end.

I did on the primary/active : conf t, no failover

i then did a show failover on each, i then made some changes, and they weren't replicated to the secondary/standby.

When all was well , i did on the primary/active, : conf t , failover

I lost connectivity to the secondary/standby as it was sync-ing the config, but no issues on the prim.

thanks

phil

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to philbe

‎01-12-2014 03:41 PM

Hello Phil,

Is there something else that you need from this discussion? Otherwise you can mark it as answered.

Kudos to you for the explanation

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card