Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
779
Views
0
Helpful
3
Replies

Replace Primary of Failover Pair

jeffland_98
Level 1
Level 1

‎09-14-2007 10:31 AM - edited ‎03-11-2019 04:11 AM

One of my failover pair of ASA 5520s need to be replaced. It is the primary unit. Will the following commands suffice:

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

speed 1000

duplex full

failover

failover lan unit primary

failover lan interface State_Failovr GigabitEthernet0/3

failover link State_Failovr GigabitEthernet0/3

failover interface ip State_Failovr 10.10.30.161 255.255.255.248 standby 10.10.30.162

interface GigabitEthernet0/3

no shutdown

I guess what I'm asking is what is the logic. Once the new unit is configured it will come up as active before it sees the secondary which is also active. Once communication is established over the failover link, will the secondary remain the active ASA since it has been up the longest or will the primary remain the active ASA since this is the first contact with the secondary as far as it knows?

Labels:
0 Helpful
3 Replies 3

didyap
Level 6
Level 6

‎09-20-2007 11:12 AM

From your description I think that you are using Active/Standby failover. In this scenario when the active (master) unit goes down the standby unit takes over as the active unit and it will constantly poll to check if the master unit is available and is working fine. if the master unit is availalbe it will then transfer the control to the master unit making it once again the active unit.

0 Helpful

whisperwind
Level 1
Level 1
In response to didyap

‎09-20-2007 11:28 AM

Actually control does not automatically flip back should the master come back up.

In regards to the question the primary/standby role as strictly defined in the pix is not really valid per se. When the new ASA comes in add the following:

Do not reverse the interface IP Addresses, the ASA will understand and assign them correctly automagically

The key points you will need to change are

Primary to Secondary

Choose the right interface and ip address for your network

?failover lan unit primary ?failover lan interface FAILOVER g0/3 ?failover link FAILOVER g0/3 ?failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2 ?failover key cisco123 ?failover replication http

0 Helpful

jeffland_98
Level 1
Level 1
In response to didyap

‎09-25-2007 08:34 AM

Yes, this is an active /standby pair in a single security context. Thanks for your reply but I've already replaced the failed unit. I first connected the failover link, then powered up the replacement ASA having put in only the config in my previous message. The new Primary unit made contact with the Active /secondary unit, downloaded the active running configuration, and then went into standby mode. I then connected the other ports on the primary unit and it is running in standby mode.

Thanks for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card