Cisco ASA HA Active Standby Query

Posted on 2011-09-23
Last Modified: 2012-05-12

My firewall pairs are currently set to Active / Standby.

Could I manually flip the standby firewall to be active and the active to be standby by power cycling the firewalls in sequence, standby first then active?

Would the previously active firewall try to become active when it comes online, or will it stay passive till it's forced to go active in another sequence power cycle the next week?

Question by: OnaIt
LVL 79

Assisted Solution

lrmoore earned 50 total points
ID: 36586206
Yes, you can manually cause the failover.
No, they don't automatically fail back. As long as one is active and one is standby it doesn't really care which one is which.
LVL 16

Accepted Solution

InteraX earned 50 total points
ID: 36586243
If you want to manually fail between the devices without power cycling, you can issue the following from privileged exec mode on the standby.

failover active

You can also issue the no form of the command on the active firewall.


Author Comment

ID: 36586309
Thank you for the response, guys.

The problem we have (discussed in the past on EE) is that when the active fails, the standby takes over fine.
But when we fall back from standby to active (failover to how it originally was), both firewalls drop all sessions, and we have to end up going on site, switching off and powering up the firewalls in sequence.

All our HA code looks fine and the debugs don’t show anything.

Our ISP is performing planned maintenance which falls in the working day time zone of a client we service, so we just wanted to flip firewalls around manually by power cycling them on either weekends of the outage so our customers don’t experience any outage.

So the ISP outage on the active feed is on a Monday. The plan is to go in on and flip the firewalls around,
i.e. force standby to become active and active to become standby.
The ISP's maintenance on their active link won’t affect us.
The following weekend we could go in and flip the firewalls back as they were before.

Hope this makes sense
LVL 16

Expert Comment

ID: 36586783
It makes sense, but if you are having problems with failover, do the software versions match exactly? I know Cisco say that only the major and minor versions need to match, but if you have different releases on the 2 boxes, this may be the cause of the problems you are seeing. Also, which version of software are you running? It may be that there is a bug that is fixed in a newer release. You could take the opportunity of visiting site to upgrade the software if necessary. Have you checked the Cisco bug tool?

Author Comment

ID: 36587023
Everything is identical.
Have practically done everything possible but of no use.
Another problem we face is that since this is a production environment we can't have major testing outages. The only ones we negotiate are spent on system & SAN maintenance.
Thanks for your suggestion though.


Question has a verified solution.
