Graceful Failover in ASA Pair (Active/Passive)

Today we had a memory problem on our ASA 5510s. I had to reload the passive unit, fail over to it, then reload the primary. Luckily that fixed our problem, so I decided to write up something simple on how to do a graceful failover.

This assumes that your firewalls are already configured in an active/passive configuration. There are many Cisco documents on how to do this.

1. Save your configuration.

ASA(active)# copy running start

2. Reload your standby node.

ASA(active)# failover reload-standby

3. Verify status of your passive device.

ASA(active)# sh failover

4. If your secondary device is in Standby Ready, you can fail over the primary to it.

ASA(active)# no failover active

Be careful about which device you are on at this point: if you connect via SSH to the same IP again, you will land on the secondary, which is now active, and that is the unit you already reloaded. Run sh failover, note the IP of the primary node (now in Standby Ready), and connect to that device.

5. Reload the primary device.

ASA(passive)# reload

6. Once the primary has finished reloading (check with sh failover), you can move the active role back to the primary or leave the secondary active. This step is up to you.

ASA(passive)# failover active
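The two sh failover checks in the procedure (step 4: the mate is Standby Ready before no failover active; step 5: the session is on the primary, not on the already-reloaded secondary, before reload) can be scripted against captured output. This is an added example, not part of the original post; the sample text is constructed in the shape of the ASA's show failover output, not a real capture.

```python
import re

def sample_output(this_unit, this_state, other_unit, other_state):
    """Constructed 'show failover' text laid out like the ASA's (not a real capture)."""
    return (
        "Failover On\n"
        f"Failover unit {this_unit}\n"
        "Failover LAN Interface: folink GigabitEthernet0/3 (up)\n"
        "Unit Poll frequency 1 seconds, holdtime 15 seconds\n"
        "Version: Ours 9.1(2), Mate 9.1(2)\n"
        f"        This host: {this_unit} - {this_state}\n"
        "                Active time: 86400 (sec)\n"
        f"        Other host: {other_unit} - {other_state}\n"
        "                Active time: 0 (sec)\n"
    )

# Constructed views of the pair at three points in the procedure.
BEFORE_STEP4 = sample_output("Primary", "Active", "Secondary", "Standby Ready")
# After 'no failover active', SSH to the shared IP lands on the secondary (the pitfall).
AFTER_SSH_SAME_IP = sample_output("Secondary", "Active", "Primary", "Standby Ready")
# Connected to the primary's own IP, where 'reload' is meant to be run.
ON_PRIMARY_STANDBY = sample_output("Primary", "Standby Ready", "Secondary", "Active")

HOST_RE = re.compile(
    r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.MULTILINE
)

def parse_show_failover(text):
    """Return {'this': (unit, state), 'other': (unit, state)} from show failover output."""
    units = {which.lower(): (unit, state) for which, unit, state in HOST_RE.findall(text)}
    if "this" not in units or "other" not in units:
        raise ValueError("could not find both 'This host' and 'Other host' lines")
    return units

def ready_to_fail_over(text):
    """Step 4 precondition: this unit is Active and the mate reports exactly 'Standby Ready'.
    Any other mate state (Failed, Cold Standby, Sync Config, ...) means do not fail over yet."""
    units = parse_show_failover(text)
    return units["this"][1] == "Active" and units["other"][1] == "Standby Ready"

def primary_safe_to_reload(text):
    """Step 5 precondition: the session is on the Primary, which is Standby Ready,
    while the Secondary is Active; False if the session landed on the Secondary."""
    units = parse_show_failover(text)
    return units["this"] == ("Primary", "Standby Ready") and units["other"][1] == "Active"
```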

Refer to this article for the detailed write-up.
