Vibhor Amrodia
Cisco Employee

This document lists the basic steps to follow when reintroducing the Failed (Primary) unit into the High Availability configuration.

Verify the following on both units:

  1. The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
  2. The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple contexts). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.
  3. Both units need to have the same licenses. For ASA 8.3.1 and above, the two units in a failover configuration do not need to have identical licenses; the licenses combine to make a failover cluster license. Still, make sure that both units have the failover license enabled.
  4. Before continuing with these steps, make sure the failover interface cables are connected either directly or through a switch, in the same VLAN, on ports configured with PortFast.

There are two options for reintroducing the Failed (Primary) unit into the HA pair:

  1. Introducing the Failed (Primary) unit as Primary (Standby) device.

No configuration changes are required. You just need to copy the exact failover configuration from the existing Secondary (Active) unit, with the exception of this command:

               failover lan unit primary

NOTE: The configuration replication happens from the Active to the Standby unit. When the Failed (Primary) unit is introduced into the network, if the cables are connected properly between the failover interfaces, it will detect the Secondary (Active) as the active unit and will automatically become the Primary (Standby).

  2. Making the Failed (Primary) unit as Secondary (Standby) device.

  1. Disable the failover on the Secondary (Active) unit.
  2. Change this command on this unit to:

               failover lan unit primary

  3. Configure the Failed (Primary) unit with the same configuration, with the exception of this command:

               failover lan unit secondary

  4. Enable the failover and the configuration will replicate successfully between these two devices.

Note: If a switch connects the failover interfaces, clear the ARP entries for the failover interfaces, as the MAC address will be different for the replaced unit.
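
An offline pre-check for the rule in both options that the two units carry the same failover configuration apart from the "failover lan unit" line. This is an added example, not part of the original document or a Cisco tool; the sample configurations, interface names and addresses are constructed.

```python
import re

UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$", re.IGNORECASE)

def failover_stanza(config_text):
    """Return (unit_role, other_failover_lines) from saved running-config text."""
    role, others = None, set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        if not line.lower().startswith("failover "):
            continue                              # skips bare 'failover' / 'no failover'
        m = UNIT_RE.match(line)
        if m:
            role = m.group(1).lower()
        else:
            others.add(line)                      # names stay case-sensitive
    return role, others

def check_pair(cfg_a, cfg_b):
    """List the mismatches between two units' failover configuration."""
    role_a, rest_a = failover_stanza(cfg_a)
    role_b, rest_b = failover_stanza(cfg_b)
    problems = []
    if None in (role_a, role_b):
        problems.append("missing 'failover lan unit' on one unit")
    elif role_a == role_b:
        problems.append(f"both units are configured as {role_a}")
    # Every other failover line must appear on both units.
    for line in sorted(rest_a ^ rest_b):
        side = "first" if line in rest_a else "second"
        problems.append(f"only on {side} unit: {line}")
    return problems

# Constructed sample configs (interface names and addresses are made up).
ACTIVE = """\
failover
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
"""
REJOINING_OK = ACTIVE.replace("unit secondary", "unit primary")
REJOINING_BAD = ACTIVE.replace("GigabitEthernet0/3", "GigabitEthernet0/2")

if __name__ == "__main__":
    print(check_pair(ACTIVE, REJOINING_OK))
    print(check_pair(ACTIVE, REJOINING_BAD))
```

A masked failover key in saved output cannot be compared this way and has to be confirmed separately.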

Refer:-

ASA device configuration Guide

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/ha_overview.html

ASA device command reference

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref.html

License requirement (before or on ASA 8.2)

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/license/license82.html

Comments
networks
Level 1

Hi,

I am preparing to replace the primary ASA in an HA pair and we want the Failed Primary unit to come as Secondary Standby.

We are not replacing the hardware; it was a PSU issue which is resolved now, so the config is already there on the Primary Failed ASA.

My question is about "Disable the failover" and "Enable the failover" - do I need to perform this on both ASAs?

 

=======
ASA-1# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         Ifc Failure              22:19:06 GMT/BST Feb 28 2013
                              admin management: No Link
Other host -   Primary
               Failed         Comm Failure             04:53:06 GMT/BST Jan 18 2015

====Configuration State===
    Sync Done - STANDBY
====Communication State===

ASA-1#


1. Disable the failover on the Secondary (Active)

In order to disable failover, enter this command:
no failover

Change this command on Secondary (Active)  

From :
Failover lan unit secondary
To:
Failover lan unit Primary

Change this command on the Failed (Primary)
From:
Failover lan unit Primary

To:
Failover lan unit secondary


Enable the failover
