It is difficult to make one ASA as primary in failover

Hi, how do I make one ASA the primary in failover? This should be easy, but in my case it is a little unusual. There are two ASAs in failover. I want ASA1 to be primary and ASA2 to be secondary. I configured ASA1 as primary and ASA2 as secondary and then ran the two ASAs. With the command show failover state, I can see ASA1 is primary and ASA2 is secondary. Some time later, ASA1 becomes secondary though it is still active, while ASA2 becomes primary though it is still standby. My question is why does ASA1 become secondary automatically and ASA2 become primary? I want ASA1 to always be primary and ASA2 to always be secondary. Active/standby is not the issue. The issue is primary/secondary. Please see the config, which shows that ASA1 has already become secondary:

ASA/sec/act# sh run failover
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/5
failover key *****
failover replication http
failover interface ip folink 10.255.1.1 255.255.255.252 standby 10.255.1.2
eemoonAsked:
td_milesCommented:
Perhaps this discussion will answer your question:

https://supportforums.cisco.com/discussion/11368691/asa-failover-change-primary-secondary-and-viceverse

It would seem the command you are looking for is:

failover group 2
  secondary

eemoonAuthor Commented:
Thank you so much for your fast reply. Active/active can only be used on a context-mode ASA; I am not sure about this.
The command "failover lan unit primary" should be able to change the ASA into primary, but in my case it cannot.
I found I missed a command "failover link folink gigabitethernet0/5". Do you think this command is required?
td_milesCommented:
I don't think it matters in an active/standby configuration which unit is primary and secondary. It only appears to be used if both units are booted at the same time to determine which one will initially become active (the one designated as primary).

What is the output from "show failover" ?
pgolding00Commented:
The reason they failed over would have been in the log at the time it happened, although it may have been overwritten now. If there is a syslog server, it may be recorded there?

To force the primary to become active, use the command "fail active", or to make the other one active, "fail exec standby fail act".

The "failover link" command is used to define which interface is used for session state replication. The recommendation is that this link should not carry user traffic where possible. Where devices are not co-located this may not be possible, but if they are within cable-run distance of each other and there is a spare interface available, it's better to dedicate an interface to failover communications.

Failover preemption is only really relevant with an active/active configuration, where failover groups are used. Is this your case?
eemoonAuthor Commented:
Thank you for your explanation. These are two ASA5555s in failover, so it should be active/standby mode. After watching its behavior, I still think the behavior is not normal. Usually, if we use the command failover active on an ASA which is in ASA/sec/sta, the ASA will be in ASA/sec/pri, but in my case the ASA is ASA/pri/sta. Do you think my case is normal?
pgolding00Commented:
Ah, OK. The difference is because the secondary has become active. "show fail" runs on the device you connect to, which will always be the active device if the connection is network-based and not via the console port. If the console port is used to access the devices, then it's possible to see from the point of view of both devices. One will always be the primary, one the secondary. One will always be active, one standby.

What you describe is quite normal. You have connected to the primary and it is in standby state. If this is the result after running "fail act", then a problem has been detected by one of the devices preventing the primary from becoming active. Once the problem is corrected the primary will be able to become active again. Look at "show fail" and the log to work out why the primary won't become active. Most likely you will find an interface down or in an error state.

The error state can be because of link down or lack of layer 2 connectivity between the pair over each interface, or some device in the path filtering some of the failover monitoring traffic. Failover is monitored by a number of processes including ARP requests, MAC address examination and keepalive reception.

pgolding00Commented:
Here is an example of a link-down error. The secondary dmz interface is down:

firewall# sh fail
Failover On 
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
failover replication http
Version: Ours 8.2(5)46, Mate 8.2(5)46
Last Failover at: 04:49:46 AST Aug 20 2015
	This host: Primary - Active 
		Active time: 30913033 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
		  Interface outside (public ip): Normal (Waiting)
		  Interface inside (10.10.104.254): Normal 
		  Interface dmz (172.20.1.254): Normal (Waiting)
		slot 1: empty
	Other host: Secondary - Failed 
		Active time: 8 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
		  Interface outside (public ip+1): Normal (Waiting)
		  Interface inside (10.10.104.253): Normal 
		  Interface dmz (172.20.1.253): No Link (Waiting)
		slot 1: empty

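A small parser for the kind of "show failover" output quoted in the post above, added here as an example (it is not from the thread or from Cisco): it picks out each unit's primary/secondary role and active/standby state and flags interfaces whose status is not plain Normal, which is the check the posts above describe. The sample text is constructed from that output, with placeholders in place of public addresses.

```python
import re

# Constructed sample, modelled on the "show failover" output quoted in the post
# above (public addresses replaced by placeholders).
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
    This host: Primary - Active
          Interface outside (public ip): Normal (Waiting)
          Interface inside (10.10.104.254): Normal
          Interface dmz (172.20.1.254): Normal (Waiting)
    Other host: Secondary - Failed
          Interface outside (public ip+1): Normal (Waiting)
          Interface inside (10.10.104.253): Normal
          Interface dmz (172.20.1.253): No Link (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\):\s+(.+?)\s*$")

def parse_show_failover(text):
    """Map 'This'/'Other' to that unit's role, state and per-interface status."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = m.group(2)
    return hosts

def failover_findings(text):
    """Return (severity, host, role, interface, status) for anything not plain Normal.
    'Normal (Waiting)' only means no hello seen from the peer's interface yet, so it
    is a warning unless it persists; a status not starting with Normal is a failure."""
    findings = []
    for which, host in parse_show_failover(text).items():
        for name, status in host["interfaces"].items():
            if not status.startswith("Normal"):
                findings.append(("FAIL", which, host["role"], name, status))
            elif "(Waiting)" in status:
                findings.append(("WARN", which, host["role"], name, status))
    return findings
```

Feed it the real output of "show failover" from the active unit and the FAIL entries point at the interface that is keeping the primary from becoming active.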
eemoonAuthor Commented:
Excellent explanation! Thank you