One of the appliances in an Active/Standby failover configuration is set as the primary unit and the other the secondary one. Thus, the devices are able to negotiate which one will be Active after to complete the boot process (it will be the primary, whether everything has loaded fine).
If for some reason you need to swap the device roles (primary/secondary) without an outage, it will be necessary to break the cluster link. Otherwise both boxes would change to the Active state simultaneously, what results in a conflict making them lose the failover connectivity (HELLO messages are not sent/received properly). Furthermore, you'd create a lockout situation for one of the units, since both would be using the same IP addresses.
The steps to swap the unit roles may be performed on the Active firewall or the Standby following the instructions below (I did it on the Standby):
1. Break the failover link:
asa(config)# show failover state
State                Last Failure Reason     Date/Time
This host - Primary
Standby Ready        None
Other host - Secondary
Active               None
asa(config)# no failover 
INFO: This unit is currently in standby state. By disabling failover, this unit will remain in standby state.
2. Change the role:
asa(config)# failover lan unit secondary
3. Reenable the cluster:
asa(config)# failover
Detected an Active mate
Beginning configuration replication from mate.
asa(config)# show failover state
State                Last Failure Reason     Date/Time
This host - Secondary
Standby Ready        None
Other host - Primary
Active               None
If you've performed the swapping without to disable the failover configuration, you just need to roll back the settings to recover from the lockout situation (if you've set the box to primary, just set it back to secondary).
asa(config)# end
asa# wr mem
 
No comments:
Post a Comment