Cisco ASA HA Active Standby Query

Posted on 2011-09-23
Last Modified: 2012-05-12

My firewall pairs are currently set to Active / Standby.

Could I manually flip the standby firewall to be active and the active to be standby by power cycling the firewalls in sequence, standby first, then active?

Would the previously active firewall try to become active when it comes online, or will it stay passive until it's forced to go active in another sequence power cycle the next week?

Question by: OnaIt
LVL 79

Assisted Solution

lrmoore earned 50 total points
ID: 36586206
Yes, you can manually cause the failover.
No, they don't automatically fail back. As long as one is active and one is standby it doesn't really care which one is which.
LVL 16

Accepted Solution

InteraX earned 50 total points
ID: 36586243
If you want to manually fail between the devices without power cycling, you can issue the following from privileged exec mode on the standby.

failover active

You can also issue the no form of the command on the active firewall.


Author Comment

ID: 36586309
Thank you for the response, guys.

The problem we have (discussed in the past on EE) is that when the active fails, the standby takes over fine.
But when we fall back from standby to active (failover to how it originally was), both firewalls drop all sessions, and we end up having to go on site, switching off and powering up the firewalls in sequence.

All our HA code looks fine and the debugs don't show anything.

Our ISP is performing planned maintenance which falls in the working day time zone of a client we service, so we just wanted to flip the firewalls around manually by power cycling them on the weekends either side of the outage so our customers don't experience any outage.

So the ISP outage on the active feed is on a Monday; the plan is to go in on and flip the firewalls around,
i.e. force standby to become active and active to become standby.
The ISP's maintenance on their active link won't affect us.
The following weekend we could go in and flip the firewalls back as they were before.

Hope this makes sense.
LVL 16

Expert Comment

ID: 36586783
It makes sense, but if you are having problems with failover, do the software versions match exactly? I know Cisco say that only the major and minor versions need to match, but if you have different releases on the 2 boxes, this may be the cause of the problems you are seeing. Also, which version of software are you running? It may be that there is a bug that is fixed in a newer release. You could take the opportunity of visiting site to upgrade the software if necessary. Have you checked the Cisco bug tool?
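
A pre-flight check for the manual switchover discussed in this thread, added here as an example and not posted by any participant: it parses `show failover` text taken on the standby unit and reports anything that should stop you from issuing `failover active`, including the software version mismatch raised above. The sample output is constructed for illustration, and the function names `parse_failover` and `preflight` are hypothetical.

```python
import re

# Constructed sample of `show failover` output as seen from the standby unit
# (illustrative only, not captured from a real device).
SAMPLE_STANDBY_VIEW = """\
Failover On
Failover unit Secondary
Version: Ours 8.2(1), Mate 8.2(1)
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
        Other host: Primary - Active
                Active time: 1366024 (sec)
"""

def parse_failover(text):
    """Extract failover state, software versions and unit roles."""
    info = {"enabled": bool(re.search(r"^Failover On\s*$", text, re.M))}
    m = re.search(r"^Version:\s*Ours\s+(\S+?),\s*Mate\s+(\S+)\s*$", text, re.M)
    info["ours"], info["mate"] = m.groups() if m else (None, None)
    for key, label in (("this", "This host"), ("other", "Other host")):
        m = re.search(rf"^\s*{label}:\s*(\w+)\s*-\s*(.+?)\s*$", text, re.M)
        info[key] = {"unit": m.group(1), "state": m.group(2)} if m else None
    return info

def preflight(text):
    """Return reasons not to run `failover active` on this (standby) unit."""
    info, problems = parse_failover(text), []
    if not info["enabled"]:
        problems.append("failover is not enabled")
    if info["ours"] is None:
        problems.append("version line not found")
    elif info["ours"] != info["mate"]:
        # Compare the full release string, not just major and minor.
        problems.append(f"version mismatch: ours {info['ours']}, mate {info['mate']}")
    if not info["this"] or info["this"]["state"] != "Standby Ready":
        problems.append("this unit is not in Standby Ready")
    if not info["other"] or info["other"]["state"] != "Active":
        problems.append("peer is not Active")
    return problems

if __name__ == "__main__":
    issues = preflight(SAMPLE_STANDBY_VIEW)
    print("OK to switch over" if not issues else "\n".join(issues))
```

Running the same check again after the switchover, this time against output from the unit that was previously active, confirms that the roles have swapped and the old active unit has settled as standby.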

Author Comment

ID: 36587023
Everything is identical.
We have practically done everything possible, but to no avail.
Another problem we face is that since this is a production environment, we can't have major testing outages. The only ones we negotiate are spent on system & SAN maintenance.
Thanks for your suggestion though.
