The Active device in the Active/Standby stays as Active as long as it's operational and doesn't have any problems.
So even if you have a Failover device configured as "primary" and it happens to fail and come back up again, it shouldn't to my knowledge return back as Active UNLESS it's manually set so or if the currently Active device fails.
To my understanding it mostly matters in the event that both devices boot pretty much at the same time. Then the "primary" and "secondary" settings will determine which one of the units is selected as Active.
There should be no preempt type of action in an Active/Standby setup. Active/Active on the other hand permits the use of the "preempt" setting, which will return the "primary" device as the Active when it's operational again from a possible fault.
I have not had to change this setting on any existing Failover environments we have so I am not sure if it will have any effect on the Failover.
Even if it doesn't have any issues on operations and on active/standby status, we need it as a part of our standardisation policy, as we want all firewalls in our primary data center to be active and primary.
Currently the firewall in my primary data center is active and secondary, which should be primary as per our policy.
I would like to know if changing primary/secondary will impact failover operation and how to add it with the least service disruption?
As I have not had to do this personally I can't say anything for sure.
I also can't remember reading anything from Cisco related to this, so I can only guess that this won't affect the state of the Failover, as it doesn't really play a part in the roles of the Active/Standby devices unless they are both booted up.
But as it is with any things I personally don't know, I'd rather schedule a maintenance break or use an already planned break to do these changes, to be able to react to unexpected behaviour and cause the least amount of downtime to any services.
So I can't really give a 100% sure answer on this, and I don't currently have devices at hand that could be used to test this.