Change ASA Secondary device into Primary permanently

naveen98 · ‎02-08-2023

Hi Community,

We have a FPR-2130 with ASA appliance in 2 Firewall cluster. I will refer 2 Firewall as FW-01 and FW-02. Currently FW-02 is in the primary active state and FW-01 is in the secondary standby state. We need to change the FW-01 permanently into primary active state. Kindly assist us on how to this ?

If we add the command failover lan unit primary on the FW-01 while changing same configuration failover lan unit secondary in the FW-02, will this cause any service impact on our production environment?

FW-02

/pri/act# show running-config | i failover
failover
failover lan unit primary
failover lan interface HA Ethernet1/11
failover key *****
failover replication http
failover link MONITOR Ethernet1/12
failover interface ip HA 198.1.1.1 255.255.255.252 standby 198.1.1.2
failover interface ip MONITOR 198.1.2.1 255.255.255.252 standby 198.1.2.2
no failover wait-disable

FW-02

sec/stby# show running-config | i failover
failover
failover lan unit secondary
failover lan interface HA Ethernet1/11
failover key *****
failover replication http
failover link MONITOR Ethernet1/12
failover interface ip HA 198.1.1.1 255.255.255.252 standby 198.1.1.2
failover interface ip MONITOR 198.1.2.1 255.255.255.252 standby 198.1.2.2
no failover wait-disable

Marvin Rhoads · ‎02-08-2023

This can be a bit tricky. It is generally better to take the unit you want to be secondary offline and disconnect its network cables (or disable the interfaces from the connected switch(es). Then make the commands you indicated (doing the secondary unit from console connection). Make sure the primary is Active and then connect the secondary unit cabling - failover cable first, verify is is standby in the HA pair and then the LAN cables.

MHM Cisco World · ‎02-08-2023

failover active

I will run small lab check the effect of failover active in re-config the unit primary secondary

Marvin Rhoads · ‎02-08-2023

@MHM Cisco World "failover active" will just change the current state - not make the unit primary.

Marius Gunnerud · ‎02-08-2023

If you are looking to make the Standby unit the Primary then I think Marvin's suggestion is a good one. The thing is, that to change the roles of the ASAs you need to break failover and reconfigure it. When you break failover on the Secondary unit it will erase all configuration and will need to be added back.

Remove standby ASA from the network (leave the active device to handle traffic)
Reconfigure the ASA to meet your needs
Remove the active ASA from the network and connect the newly configured ASA back into the network
Test to make sure everything is working as expected
Reconfigure failover on the ASA you just removed from the network to be Secondary
Add the ASA back into the network

Removing a device from the network could be unplugging the cables from the device or shutdown the switch interfaces that connect to the ASA as well as the failover interface.

--
Please remember to select a correct answer and rate helpful posts

johnlloyd_13 · ‎02-09-2023

hi,

i did the same exercise recently. see link below.

https://ccnpsecuritywannabe.blogspot.com/2022/11/change-cisco-asa-firewall-primary-and.html

in the lab was a straightforward change, i.e. change/reverse the current FW02 primary-active to secondary-standby

but when i did in production i needed to "break" HA by issuing a "no failover" in each ASA FW, then apply the "lan unit <PRIMARY/SECONDARY> and re-enable failover.

make sure your doing this in planned change window, you're either onsite or have a remote backdoor/console server as you'll lose SSH connectivity when doing this.

paul driver · ‎02-09-2023

Hello
Just tested with the procedure below and it seem to work okay without any interruption to network traffic

1) Failover to the secondary unit

stby/sec failover active

Switching to Active
act/sec#

2) on stby/primary fw disable failover
no failover

stbyNoFailover/pri

3) shutdown FO /State links and inside/outside/dmz interfaces on now stbyNoFailover/pri
stbyNoFailover/pri
int x/x ,,,,,
shut

4) Change lan unit roles on both fws
Failover lan unit Primary
Failover lan unit secondary

5) re enable FO /State link and inside/outside/dmz interfaces and failover on now standby secondary

stbyNoFailover/sec
int gig0/x
no shut
etc,,,,

stbyNoFailover/sec(config)#
failover

stby/sec(config)# .

Detected an Active mate
Beginning configuration replication from mate

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul