eemoon
asked on
It is difficult to make one ASA as primary in failover
Hi. How do I make one ASA the primary in a failover pair? This should be easy, but in my case it is a little unusual. There are two ASAs in failover. I want ASA1 to be primary and ASA2 to be secondary. I configured ASA1 as primary and ASA2 as secondary and then ran the two ASAs. With the command show failover state, I can see ASA1 is primary and ASA2 is secondary. Some time later, ASA1 becomes secondary though it is still active, while ASA2 becomes primary though it is still standby. My question is: why does ASA1 become secondary automatically and ASA2 become primary? I want ASA1 to always be primary and ASA2 to always be secondary. Active/standby is not the issue; the issue is primary/secondary. Please see the config, which shows that ASA1 has already become secondary:
ASA/sec/act# sh run failover
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/5
failover key *****
failover replication http
failover interface ip folink 10.255.1.1 255.255.255.252 standby 10.255.1.2
ASKER
Thank you so much for your fast reply. Active/active can only be used on an ASA in multiple-context mode; I am not sure about this.
The command "failover lan unit primary" should be able to change the ASA into primary, but in my case it cannot.
I found I missed a command, "failover link folink gigabitethernet0/5". Do you think this command is required?
I don't think it matters in an active/standby configuration which unit is primary and which is secondary. It only appears to be used if both units boot at the same time, to determine which one will initially become active (the one designated as primary).
What is the output from "show failover" ?
The reason they failed over would have been in the log at the time it happened, although it may have been overwritten by now. If there is a syslog server, it may be recorded there.
To force the primary to become active, use the command "fail active"; to make the other one active, "fail exec standby fail act".
The "failover link" command is used to define which interface is used for session state replication. The recommendation is that this link should not carry user traffic where possible. Where the devices are not co-located this may not be possible, but if they are within cable-run distance of each other and there is a spare interface available, it is better to dedicate an interface to failover communications.
Failover preemption is only really relevant with an active/active configuration, where failover groups are used. Is this your case?
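The full active/standby failover configuration for both units, written out as an added example (it is not the asker's posted config or any answerer's), reusing the interface name (folink), physical interface (GigabitEthernet0/5) and addresses from the question. The shared key value and the "no shutdown" on GigabitEthernet0/5 are assumed; the key is shown as a placeholder.

```cisco
! Added example, not from the original thread. Assumptions: the failover and
! state link share GigabitEthernet0/5 as in the asker's config, the key value
! is a placeholder, and GigabitEthernet0/5 needs "no shutdown" on both units.
!
! --- ASA1 (intended primary) ---
interface GigabitEthernet0/5
 description failover and state link (dedicated, carries no user traffic)
 no shutdown
!
! The unit role is set ONLY by this line, locally, on each unit. "failover lan
! unit" is one of the few commands that is not replicated to the peer, so a
! "write standby" or config sync never changes it.
failover lan unit primary
failover lan interface folink GigabitEthernet0/5
! State replication link. Here it reuses the LAN failover interface; this is
! the line the asker found missing.
failover link folink GigabitEthernet0/5
failover interface ip folink 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key <shared-secret>
failover replication http
! Enable failover last, after the rest is in place.
failover
!
! --- ASA2 (intended secondary) --- identical except for the unit role.
interface GigabitEthernet0/5
 description failover and state link (dedicated, carries no user traffic)
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0/5
failover link folink GigabitEthernet0/5
failover interface ip folink 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key <shared-secret>
failover replication http
failover
!
! --- Verification, on either unit ---
! Role (Primary/Secondary) and state (Active/Standby) of both units:
show failover state
! Per-interface monitoring, peer software version, time of last failover:
show failover
! Which role THIS unit has configured locally (the only source of the role):
show running-config failover
!
! --- Forcing the active role, from the unit you are logged into ---
! Make this unit active:
failover active
! Make the peer active instead (runs the command on the mate):
failover exec mate failover active
! Save on the active unit and push the saved config to the standby:
write memory
write standby
```

Because the role line is never synchronised, the check when a unit reports an unexpected role is "show running-config failover" on that unit itself: the "failover lan unit" line there is what "show failover state" is reporting, and it can only have been changed by someone (or a restored configuration) on that box. Forcing Active with "failover active" changes only the Active/Standby state, never the Primary/Secondary role.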
ASKER
Thank you for your explanation. These are two ASA 5555s in failover, so it should be active/standby mode. After watching its behavior, I still think the behavior is not normal. Usually, if we use the command failover active on an ASA which is ASA/sec/sta, the ASA will be ASA/sec/pri, but in my case the ASA is ASA/pri/sta. Do you think my case is normal?
ASKER CERTIFIED SOLUTION
Here is an example of a link-down error; the secondary's dmz interface is down:
firewall# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
failover replication http
Version: Ours 8.2(5)46, Mate 8.2(5)46
Last Failover at: 04:49:46 AST Aug 20 2015
This host: Primary - Active
Active time: 30913033 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
Interface outside (public ip): Normal (Waiting)
Interface inside (10.10.104.254): Normal
Interface dmz (172.20.1.254): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 8 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(5)46) status (Up Sys)
Interface outside (public ip+1): Normal (Waiting)
Interface inside (10.10.104.253): Normal
Interface dmz (172.20.1.253): No Link (Waiting)
slot 1: empty
ASKER
Excellent explanation! Thank you.
https://supportforums.cisco.com/discussion/11368691/asa-failover-change-primary-secondary-and-viceverse
It would seem the command you are looking for is: