I had a scenario wherein I needed to relocate a pair of Cisco ASA firewalls in an Active-Standby setup and also change their Primary and Secondary roles. The configuration is straightforward: first perform a "forced" failover, then reverse the roles, all without disabling failover or the sync between the two units. Note the serial numbers of the two Cisco ASAv firewalls.
ASAv1
S/N: 9A81V5LKN5F
FW-1/pri/actNoFailover(config)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 200.1.1.1 YES CONFIG up up
GigabitEthernet0/1 172.16.1.1 YES CONFIG up up
GigabitEthernet0/2 10.1.1.1 YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 10.0.0.1 YES unset up up
Management0/0 192.168.1.1 YES manual down down
FW-1/pri/actNoFailover(config)# show run failover
no failover // FAILOVER STILL DISABLED
failover lan unit primary // ASAv1 IS THE PRIMARY FW
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
-----
ASAv2
S/N: 9AK137KWDWB
ciscoasa(config)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset down down // NOTE ASAv2 PORTS ARE DOWN
GigabitEthernet0/1 unassigned YES unset down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 10.0.0.2 YES unset up up
Management0/0 unassigned YES unset down down
ciscoasa(config)#
ciscoasa(config)# show run failover
no failover
failover lan unit secondary // ASAv2 IS THE SECONDARY FW
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
-----
Configure Active-Standby failover between the two ASAv firewalls.
FW-1/pri/actNoFailover(config)# failover // ENABLE FAILOVER/SYNC
FW-1/pri/act(config)# . // ASAv1 BECAME PRIMARY-ACTIVE
No Active mate detected
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
ciscoasa(config)# failover
ciscoasa(config)# ..
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
WARNING: Local user database is empty and there are still 'aaa' commands for 'LOCAL'.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: This command will not take effect until interface 'inside' has been assigned an IPv4 address
End configuration replication from mate.
FW-1/sec/stby(config)# // ASAv2 BECAME SECONDARY STANDBY
-----
FW-1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 13:30:13 UTC Nov 11 2022
This host: Primary - Active
Active time: 59 (sec)
slot 0: empty
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
Other host: Secondary - Failed // SECONDARY FAILED BECAUSE SEVERAL PORTS WERE DOWN
Active time: 0 (sec)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface dmz (0.0.0.0): No Link (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
<OUTPUT TRUNCATED>
FW-1/pri/act# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Ifc Failure 13:30:49 UTC Nov 11 2022
outside: No Link
inside: No Link
dmz: No Link
management: No Link
====Configuration State===
Sync Done
====Communication State===
Mac set
-----
I connected ASAv2 ports to a switch in order to form HA.
FW-1/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9AK137KWDWB, Mate 9A81V5LKN5F
Last Failover at: 13:07:11 UTC Nov 11 2022
This host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (0.0.0.0): No Link (Waiting)
Interface dmz (0.0.0.0): No Link (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
Other host: Primary - Active
Active time: 88 (sec)
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
<OUTPUT TRUNCATED>
FW-1/sec/stby# Secondary: Switching to Ok for reason Interface check.
FW-1/sec/stby# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES CONFIG up up
GigabitEthernet0/1 unassigned YES CONFIG up up
GigabitEthernet0/2 unassigned YES CONFIG up up
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 10.0.0.2 YES unset up up
Management0/0 192.168.1.2 YES CONFIG down down
FW-1/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9AK137KWDWB, Mate 9A81V5LKN5F
Last Failover at: 13:07:11 UTC Nov 11 2022
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: empty
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
Other host: Primary - Active
Active time: 486 (sec)
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
<OUTPUT TRUNCATED>
-----
Perform a "forced" failover to the Secondary-Standby FW.
FW-1/pri/act# no failover active
FW-1/pri/act#
Switching to Standby
FW-1/pri/stby#
FW-1/pri/stby# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 13:38:53 UTC Nov 11 2022
This host: Primary - Standby Ready
Active time: 515 (sec)
slot 0: empty
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
Other host: Secondary - Active
Active time: 22 (sec)
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
<OUTPUT TRUNCATED>
-----
Secondary became the Active FW.
FW-1/sec/stby#
Switching to Active
FW-1/sec/act#
FW-1/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9AK137KWDWB, Mate 9A81V5LKN5F
Last Failover at: 13:38:53 UTC Nov 11 2022
This host: Secondary - Active
Active time: 52 (sec)
slot 0: empty
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
Other host: Primary - Standby Ready
Active time: 515 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
<OUTPUT TRUNCATED>
Change the Secondary FW to become Primary-Active.
FW-1/sec/act# configure terminal
FW-1/sec/act(config)# failover lan unit primary
FW-1/pri/act(config)# show run failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
FW-1/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9AK137KWDWB, Mate 9A81V5LKN5F
Last Failover at: 13:38:53 UTC Nov 11 2022
This host: Primary - Active
Active time: 190 (sec)
slot 0: empty
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
Other host: Secondary - Standby Ready
Active time: 515 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
<OUTPUT TRUNCATED>
FW-1/pri/act(config)# show failover history
==========================================================================
From State To State Reason
==========================================================================
13:07:21 UTC Nov 11 2022
Not Detected Disabled No Error
13:30:12 UTC Nov 11 2022
Disabled Negotiation Set by the config command
13:30:14 UTC Nov 11 2022
Negotiation Cold Standby Detected an Active mate
13:30:16 UTC Nov 11 2022
Cold Standby Sync Config Detected an Active mate
13:30:25 UTC Nov 11 2022
Sync Config Sync File System Detected an Active mate
13:30:25 UTC Nov 11 2022
Sync File System Bulk Sync Detected an Active mate
13:30:37 UTC Nov 11 2022
Bulk Sync Standby Ready Detected an Active mate
13:30:49 UTC Nov 11 2022
Standby Ready Failed Interface check
13:36:23 UTC Nov 11 2022
Failed Standby Ready Interface check
13:38:53 UTC Nov 11 2022
Standby Ready Just Active Other unit wants me Active
13:38:53 UTC Nov 11 2022
Just Active Active Drain Other unit wants me Active
13:38:53 UTC Nov 11 2022
Active Drain Active Applying Config Other unit wants me Active
13:38:53 UTC Nov 11 2022
Active Applying Config Active Config Applied Other unit wants me Active
13:38:53 UTC Nov 11 2022
Active Config Applied Active Other unit wants me Active
==========================================================================
-----
Change the former Primary FW to Secondary (still on Standby).
FW-1/pri/stby# configure terminal
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
FW-1/pri/stby(config)# failover lan unit secondary
FW-1/sec/stby(config)#
FW-1/sec/stby(config)# show run failover
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover key *****
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
FW-1/sec/stby(config)#
FW-1/sec/stby(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 13:38:53 UTC Nov 11 2022
This host: Secondary - Bulk Sync
Active time: 515 (sec)
slot 0: empty
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
Other host: Primary - Active
Active time: 146 (sec)
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
<OUTPUT TRUNCATED>
Failover (HA) is re-established and the Primary and Secondary roles have been reversed.
FW-1/sec/stby(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 13:38:53 UTC Nov 11 2022
This host: Secondary - Standby Ready
Active time: 515 (sec)
slot 0: empty
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Interface dmz (0.0.0.0): Normal (Waiting)
Interface management (192.168.1.2): No Link (Waiting)
Other host: Primary - Active
Active time: 296 (sec)
Interface outside (200.1.1.1): Normal (Waiting)
Interface inside (172.16.1.1): Normal (Waiting)
Interface dmz (10.1.1.1): Normal (Waiting)
Interface management (192.168.1.1): No Link (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet0/6 (up)
Stateful Obj xmit xerr rcv rerr
General 105 0 104 1
sys cmd 104 0 103 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 1
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 328
Xmit Q: 0 44 450
FW-1/sec/stby(config)# show failover history
==========================================================================
From State To State Reason
==========================================================================
13:07:19 UTC Nov 11 2022
Not Detected Disabled No Error
13:30:09 UTC Nov 11 2022
Disabled Negotiation Set by the config command
13:30:13 UTC Nov 11 2022
Negotiation Just Active No Active unit found
13:30:13 UTC Nov 11 2022
Just Active Active Drain No Active unit found
13:30:13 UTC Nov 11 2022
Active Drain Active Applying Config No Active unit found
13:30:13 UTC Nov 11 2022
Active Applying Config Active Config Applied No Active unit found
13:30:13 UTC Nov 11 2022
Active Config Applied Active No Active unit found
13:38:53 UTC Nov 11 2022
Active Standby Ready Set by the config command
13:41:17 UTC Nov 11 2022
Standby Ready Bulk Sync No Error
13:41:29 UTC Nov 11 2022
Bulk Sync Standby Ready No Error
==========================================================================
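The two checks worth automating in this procedure are the pre-check before "no failover active" (the peer must be Standby Ready with its monitored interfaces Normal, which it was not while the ASAv2 ports were unplugged) and the post-check after changing "failover lan unit" (between the change on the first unit and the change on the second, both units briefly claim "primary"). The script below is an added example, not part of the original post: it parses the text of "show failover" and "show run failover" as captured from each unit. The sample outputs are constructed to match the format shown above, and the helper names are this example's own. Note the caveat it handles: the unused Management0/0 port shows "No Link" on both units even in the healthy state, so it must be explicitly ignored rather than treated as a fault.

```python
"""Pre-flight and post-change checks for an ASA Active/Standby role swap.

Added example (not the original post's code). Parses the text of
"show failover" and "show run failover" captured from each unit and reports
(a) whether "no failover active" is safe to issue and (b) whether the pair
still has exactly one primary and one secondary after the roles were changed.
Sample outputs below are constructed to match the ASA 9.8(1) format in the post.
"""
import re

# Constructed sample: right after failover was enabled, secondary data ports unplugged.
SHOW_FAILOVER_PEER_FAILED = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/6 (up)
Version: Ours 9.8(1), Mate 9.8(1)
Serial Number: Ours 9A81V5LKN5F, Mate 9AK137KWDWB
Last Failover at: 13:30:13 UTC Nov 11 2022
        This host: Primary - Active
                Active time: 59 (sec)
                slot 0: empty
                  Interface outside (200.1.1.1): Normal (Waiting)
                  Interface inside (172.16.1.1): Normal (Waiting)
                  Interface dmz (10.1.1.1): Normal (Waiting)
                  Interface management (192.168.1.1): No Link (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): No Link (Waiting)
                  Interface inside (0.0.0.0): No Link (Waiting)
                  Interface dmz (0.0.0.0): No Link (Waiting)
                  Interface management (192.168.1.2): No Link (Waiting)
"""

# Constructed sample: same pair once the secondary's ports were cabled and it reached
# Standby Ready. Management stays "No Link" on both units because Management0/0 is down;
# that is expected here, not a fault, so the check must be told to ignore it.
SHOW_FAILOVER_PEER_READY = SHOW_FAILOVER_PEER_FAILED.replace(
    "Secondary - Failed", "Secondary - Standby Ready"
).replace("(0.0.0.0): No Link", "(0.0.0.0): Normal")

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(.+?)\s+\((\w+)\)\s*$")
UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)\s*$", re.MULTILINE)


def parse_show_failover(text):
    """Return {'failover_on': bool, 'hosts': {'this': {...}, 'other': {...}}}.

    Each host entry carries its role, state and the status of every interface
    listed under it ('Normal', 'No Link', ...)."""
    parsed = {"failover_on": False, "hosts": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            parsed["failover_on"] = True
            continue
        host = HOST_RE.match(line)
        if host:
            current = {"role": host.group(2), "state": host.group(3), "interfaces": {}}
            parsed["hosts"]["this" if host.group(1) == "This" else "other"] = current
            continue
        iface = IFACE_RE.match(line)
        if iface and current is not None:
            current["interfaces"][iface.group(1)] = {"ip": iface.group(2), "status": iface.group(3)}
    return parsed


def forced_failover_precheck(parsed, ignore_interfaces=frozenset()):
    """Decide whether 'no failover active' is safe on the active unit.

    Safe means failover is on, the peer reports 'Standby Ready', and every
    interface on the peer is 'Normal' except those explicitly ignored.
    Returns (ok, reasons)."""
    reasons = []
    if not parsed["failover_on"]:
        reasons.append("failover is not enabled")
    peer = parsed["hosts"].get("other")
    if peer is None:
        return False, reasons + ["peer section missing from show failover output"]
    if peer["state"] != "Standby Ready":
        reasons.append(f"peer is '{peer['state']}', not 'Standby Ready'")
    for name, info in peer["interfaces"].items():
        if name not in ignore_interfaces and info["status"] != "Normal":
            reasons.append(f"peer interface {name} is '{info['status']}'")
    return not reasons, reasons


def configured_unit_role(show_run_failover):
    """Return 'primary' or 'secondary' from 'show run failover' text, else None."""
    m = UNIT_RE.search(show_run_failover)
    return m.group(1) if m else None


def roles_consistent(show_run_a, show_run_b):
    """True only when the two units together form exactly one primary and one secondary.

    Halfway through the swap both units say 'failover lan unit primary';
    this flags that window so the pair is not left in it."""
    return {configured_unit_role(show_run_a), configured_unit_role(show_run_b)} == {"primary", "secondary"}


if __name__ == "__main__":
    for label, sample in (("ports unplugged", SHOW_FAILOVER_PEER_FAILED), ("ports cabled", SHOW_FAILOVER_PEER_READY)):
        ok, why = forced_failover_precheck(parse_show_failover(sample), ignore_interfaces={"management"})
        print(f"{label}: safe to force failover = {ok} {why}")
    print("roles consistent:", roles_consistent("failover lan unit primary\n", "failover lan unit secondary\n"))
```

Run the pre-check on the active unit's "show failover" output before issuing "no failover active", and run roles_consistent on both units' "show run failover" only after the second "failover lan unit" change has been made; until then it is expected to return False.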