Currently we have two 5510s in a failover pair (running v8.4(7)). Things are working great. Now we are working on a project to move from one ISP to another. Due to the configuration change between us and the ISP (mainly switching from a connection where there is only one VLAN to a configuration where there are 2 VLANs that go from us to the ISP and then get routed differently from the ISP...one to the Internet and one to our rack at our disaster recovery site) I need to split these apart temporarily. I want to take the current standby firewall and configure it as an active firewall that will route traffic to the new ISP. Mainly I think I need to do this because I've got to split the outside interface into virtual interfaces so I can use VLAN tagging. Once I get the new config working I'll put the firewalls back in a failover pair.
My initial thought is that I can just log into the firewall that is currently "active" and turn off failover by unchecking the "Enable failover" checkbox. Is this correct or are there other gotchas that I need to consider?
The fact is that if you make the Secondary the Active unit and then disable failover from the Primary/Standby, it stays in pseudo standby since Primary was defined standby. This means it will not act as an Active unit; it will still route traffic with the standby IPs.
Now, regarding the new ISP: if it is routed through the same cable that connects to the ASA, all the ISP needs to do is make the current line VLAN the native VLAN on the trunk and then add the additional VLAN to that trunk and configure the sub-interface on the ASA. You wouldn't even need to disable failover, but the guy on the ISP needs to know what he is doing, and if you are connecting the interface that is connected to the ISP through a switch that you own, then this would be the configuration that you would need to place.
It would be a good idea to post a little more detail like configuration and diagrams.
The existing ASAs currently don't have a sub-interface on the inside or outside interfaces. This is part of the reason I have to pull the secondary ASA out and disable failover. I want as much time as possible to mess with the configuration in case something happens. I can't have my websites or Internet email down while I get the config correct. I will then configure the setup as 2 active ASAs. One will be for our current traffic so I don't disrupt anything and the other will be for my new configuration. I will only have a test PC connected to the second ASA just to make sure everything works. Once I have everything working on that ASA then I'll continue to work on migrating to the new ISP and eventually put everything back in a failover configuration.
I will completely wipe out the config on what is now the standby ASA and replace it with my new config.
Basically what I got out of jcarvaja's post is that on the active I can't just turn off the monitoring and uncheck the "enable failover" checkbox. I actually have to delete the failover config but only after I disconnect what was the standby ASA from the network. This shouldn't be an issue since I've got a copy of the config that's running now.
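As an added illustration (not posted by anyone in this thread), the ASA CLI sketch below shows the split discussed above: failover removed on the unit that has been pulled from the pair, and the outside port carrying two tagged VLANs as sub-interfaces. The port Ethernet0/0, VLAN IDs 100 and 200, the name `dr`, the security levels and the documentation-range addresses are all assumptions; substitute your own values.

```cisco
! Constructed example: port, VLAN IDs, names and addresses are placeholders.
! Run on the unit only after it has been disconnected from its peer.
!
! 1. Record the current failover role before changing anything
show failover
!
configure terminal
! 2. Disable failover, then remove the remaining failover commands so the
!    unit no longer carries a primary/secondary or standby definition
no failover
clear configure failover
!
! 3. Physical port carries only tagged traffic: no name, no address
interface Ethernet0/0
 no nameif
 no ip address
 no shutdown
!
! 4. VLAN that the ISP routes to the Internet
!    (no "standby" address while the unit runs on its own)
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! 5. VLAN that the ISP routes to the disaster recovery rack
interface Ethernet0/0.200
 vlan 200
 nameif dr
 security-level 50
 ip address 198.51.100.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
end
!
! 6. Verify: failover reported as off, both sub-interfaces up with addresses
show failover
show interface ip brief
```

When the units are paired again, each `ip address` line needs its `standby` address added back and the failover commands restored from the saved copy of the running configuration.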