eemoon
It is difficult to make one ASA as primary in failover

Hi, how do I make one ASA the primary in failover? This should be easy, but in my case it is a little unusual. There are two ASAs in failover. I want ASA1 to be primary and ASA2 to be secondary. I configured ASA1 as primary and ASA2 as secondary and then ran the two ASAs. With the command show failover state, I can see ASA1 is primary and ASA2 is secondary. Some time later, ASA1 becomes secondary though it is still active, while ASA2 becomes primary though it is still standby. My question is why ASA1 becomes secondary automatically and ASA2 becomes primary. I want ASA1 to always be primary and ASA2 to always be secondary. Active/standby is not the issue; the issue is primary/secondary. Please see the config, which shows that ASA1 has already become secondary:

ASA/sec/act# sh run failover
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/5
failover key *****
failover replication http
failover interface ip folink 10.255.1.1 255.255.255.252 standby 10.255.1.2
td_miles

Perhaps this discussion will answer your question:

https://supportforums.cisco.com/discussion/11368691/asa-failover-change-primary-secondary-and-viceverse

It would seem the command you are looking for is:

failover group 2
  secondary


eemoon (ASKER)

Thank you so much for your fast reply. Active/active can only be used on a context ASA; I am not sure about this.
The command "failover lan unit primary" should be able to change the ASA into primary, but in my case it cannot.
I found I missed a command, "failover link folink gigabitethernet0/5". Do you think this command is required?
I don't think it matters in an active/standby configuration which unit is primary and secondary. It only appears to be used if both units are booted at the same time to determine which one will initially become active (the one designated as primary).

What is the output from "show failover" ?
pgolding00
The reason they failed over would have been in the log at the time it happened, although it may have been overwritten now. If there is a syslog server, it may be recorded there?

To force the primary to become active, use the command "fail active", or to make the other one active, "fail exec standby fail act".

The "failover link" command is used to define which interface is used for session state replication. The recommendation is that this link should not carry user traffic where possible. Where devices are not co-located this may not be possible, but if they are within cable-run distance of each other and there is a spare interface available, it's better to dedicate an interface to failover communications.

Failover preemption is only really relevant with an active/active configuration, where failover groups are used. Is this your case?
eemoon (ASKER)

Thank you for your explanation. These are two ASA5555s in failover, so it should be active/standby mode. After watching its behavior, I still think the behavior is not normal. Usually, if we use the command failover active on an ASA which is in ASA/sec/sta, the ASA will be in ASA/sec/pri, but in my case the ASA is ASA/pri/sta. Do you think my case is normal?
ASKER CERTIFIED SOLUTION
pgolding00
Here is an example of a link-down error; the secondary's dmz interface is down:

firewall# sh fail
Failover On 
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
failover replication http
Version: Ours 8.2(5)46, Mate 8.2(5)46
Last Failover at: 04:49:46 AST Aug 20 2015
	This host: Primary - Active 
		Active time: 30913033 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
		  Interface outside (public ip): Normal (Waiting)
		  Interface inside (10.10.104.254): Normal 
		  Interface dmz (172.20.1.254): Normal (Waiting)
		slot 1: empty
	Other host: Secondary - Failed 
		Active time: 8 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
		  Interface outside (public ip+1): Normal (Waiting)
		  Interface inside (10.10.104.253): Normal 
		  Interface dmz (172.20.1.253): No Link (Waiting)
		slot 1: empty

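Checks like the one pgolding00 walks through above (which unit is Primary/Secondary, which is Active, and whether any monitored interface shows something other than Normal) are easy to automate. The following is an added example, not code from this thread or from Cisco: it parses the "This host"/"Other host" and per-interface lines of show failover output and returns the findings an operator would want to alert on. The sample text is constructed to mirror the output quoted above, not captured from a device.

```python
import re
# Constructed sample modelled on the "show failover" output quoted above; the
# secondary's dmz interface has lost link.
SAMPLE = """\
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Interface Policy 1
    This host: Primary - Active
          Interface outside (public ip): Normal (Waiting)
          Interface inside (10.10.104.254): Normal
          Interface dmz (172.20.1.254): Normal (Waiting)
    Other host: Secondary - Failed
          Interface outside (public ip+1): Normal (Waiting)
          Interface inside (10.10.104.253): Normal
          Interface dmz (172.20.1.253): No Link (Waiting)
"""
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+([A-Za-z ]+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((.*?)\):\s+(.+?)\s*$")  # "Interface Policy 1" does not match

def parse_show_failover(text):
    """Return {"This": {...}, "Other": {...}} with each unit's role, state and interface statuses."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = {"role": role, "state": state, "interfaces": {}}
            hosts[which] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:  # interface lines belong to the host header above them
            name, _addr, status = m.groups()
            current["interfaces"][name] = status
    return hosts

def failover_findings(hosts):
    """Alert on a unit that is not Active/Standby Ready, an interface that is not
    Normal, and on the secondary being Active (a failover has occurred)."""
    findings = []
    for which, h in hosts.items():
        if h["state"] not in ("Active", "Standby Ready"):
            findings.append(f"{which} host ({h['role']}) is in state {h['state']}")
        for name, status in h["interfaces"].items():
            if not status.startswith("Normal"):
                findings.append(f"{which} host interface {name}: {status}")
    this = hosts.get("This")
    if this and this["role"] == "Secondary" and this["state"] == "Active":
        findings.append("Secondary unit is Active: a failover has occurred, check the syslog")
    return findings
```

Feed it the real output (for example, via a scheduled SSH collection) and ship the findings to your monitoring system; the sample above yields two findings, the failed secondary and its dmz interface with no link.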

eemoon (ASKER)

Excellent explanation! Thank you