If you have planned maintenance and you know it will affect the Failover LAN between two ASAs in an Active/Standby configuration, it is very useful to temporarily disable the failover mechanism so the Standby firewall stays Standby and you don't end up in a situation where you have two Active firewalls.
Below is an example of the show failover output of an ASA 5520 (only relevant information is shown in this output):
Now log in to the Standby firewall and disable failover with the no failover command in configuration mode:
You can see in the output that it adds NoFailover to the CLI prompt.
We're back on the Active unit, and you can see the Secondary is now Disabled where it was previously Standby Ready:
When your maintenance is finished, enable the failover mechanism again on the Standby node:
Now you're done. Check your Active/Standby status again; it should be the same as the first show failover output in this post.
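The state checks described above (peer Standby Ready before and after, Disabled during maintenance) can be scripted against saved show failover output taken on the Active unit. This is an added example, not code from the original post; the function names and the abbreviated sample outputs are constructed for illustration.

```python
import re

# One "<This|Other> host: <role> - <state>" line per unit in `show failover`.
HOST_RE = re.compile(
    r"^[ \t]*(This|Other) host:[ \t]*(Primary|Secondary)[ \t]*-[ \t]*(.+?)[ \t]*$",
    re.MULTILINE,
)

# Peer state expected on the Active unit, per the states named in the post.
EXPECTED_PEER = {"normal": "Standby Ready", "maintenance": "Disabled"}

def parse_failover(text):
    """Return {'this': (role, state), 'other': (role, state)}."""
    units = {which.lower(): (role, state) for which, role, state in HOST_RE.findall(text)}
    if set(units) != {"this", "other"}:
        raise ValueError("missing 'This host' or 'Other host' line")
    return units

def check_active_view(text, phase):
    """Check `show failover` taken on the Active unit; return a list of problems."""
    units = parse_failover(text)
    problems = []
    if units["this"][1] != "Active":
        problems.append(f"this unit is {units['this'][1]!r}, not Active")
    if units["other"][1] != EXPECTED_PEER[phase]:
        problems.append(
            f"peer is {units['other'][1]!r}, expected {EXPECTED_PEER[phase]!r} ({phase})"
        )
    return problems

# Constructed, abbreviated sample outputs (not captured from a real device).
SAMPLE_NORMAL = """\
Failover On
Failover unit Primary
\tThis host: Primary - Active
\tOther host: Secondary - Standby Ready
"""
SAMPLE_MAINTENANCE = SAMPLE_NORMAL.replace("Standby Ready", "Disabled")

if __name__ == "__main__":
    for name, text, phase in [
        ("before/after", SAMPLE_NORMAL, "normal"),
        ("during", SAMPLE_MAINTENANCE, "maintenance"),
    ]:
        print(name, check_active_view(text, phase) or "OK")
```

An empty list means the Active unit's view matches the expected phase; any entry is a reason to stop before touching the Failover LAN or before closing the maintenance window.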