Solved

Cisco ASA HA Active Standby Query

Posted on 2011-09-23
5
897 Views
Last Modified: 2012-05-12
Hello

My firewall pairs are currently set to Active / Standby

Could i manually flip the standby firewall to be active and the active to be standby by powercycling the firewall in sequence standby first then active

Would the previously active firewall try to become active when it comes online or will it stay passive till its forced to go active in another sequence powercycle the next week?


0
Comment
Question by:OnaIt
  • 2
  • 2
5 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 50 total points
ID: 36586206
Yes  you can manually cause the failover
No, they don't automatically fail back. As long as one is active and one is standby it doesn't really care which one is which.
0
 
LVL 16

Accepted Solution

by:
InteraX earned 50 total points
ID: 36586243
If you want to manually fail between the devices without power cycling you can issue the following from pivilege exec mode on the standby.

failover active

You can also issue the no form of the command on the active firewall.

0
 

Author Comment

by:OnaIt
ID: 36586309
Thankyou for the response Guys

The problem we have (discussed in the past on EE) is that when the active fails the standby takes over fine
But when we fall back from standby to active (failover to how it originally was), both firewalls drop all sessions, and we have to end up going on site, switching off and powering up the firewalls in sequence

All our HA code looks fine and the debugs don’t show anything..

Our ISP is performing planned maintenance which falls in the working day time zone of a client we service so we just wanted to flip firewalls around manually by power cycling them on either weekends of the outage so our customers don’t experience any outage..

so the ISP outage on the active feed is on a Monday the plan is to go in on and flip the firewalls around
i.e. force standby to become active and active to become  standby.
The ISP's maint on their active link won’t affect us
the following weekend we could go in and flip the firewalls back as they were before

Hope this makes sense
0
 
LVL 16

Expert Comment

by:InteraX
ID: 36586783
It makes sense, but if you are having problems with failover, do the software versions match exactly. I know cisco say that only the major and minor versions need to match, but if you have different releases on the 2 boxes, this may be the cause of the problems you are seeing. Also, which version of software are you running. It may be that there is a bug that is fixed in a newer release. You could take the oportunity of visiting site to upgrade the software if necessary. Have you checked the cisco bug tool?
0
 

Author Comment

by:OnaIt
ID: 36587023
@InteraX:
Everything is identical
have practically done everything possible but of no use
another problem we face is that since this is a production enviroment we cant have major testing outages. The only ones we negotiate are spent on system & SAN maintainance.
Thanx for ur suggestion though.
D
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now