Temporarily disable failover on Cisco ASA

If you have planned maintenance and you know it will hit the Failover LAN between two ASAs in an Active/Standby configuration, it is very useful to temporarily disable the failover mechanism so the Standby firewall stays Standby and you don’t end up in a situation where you have two Active firewalls.

Below is example output of the show failover command on an ASA 5520 (only relevant information is shown):

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Standby Ready
...

Now log in to the Standby firewall and disable failover with the no failover command in configuration mode:

 
firewall/stby# conf t
firewall/stby(config)# no failover
INFO: This unit is currently in standby state. By disabling failover, this unit will remain in standby state.
firewall/stbyNoFailover(config)#

As the output shows, NoFailover is added to the CLI prompt.

Back on the Active unit, you can see the Secondary is now Disabled where it was previously Standby Ready:

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Disabled
...

Once your maintenance is finished, enable the failover mechanism again on the Standby node:

firewall/stbyNoFailover(config)# failover
firewall/stby(config)# 

        Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

firewall/stby(config)# end
firewall/stby#

Now you’re done. Check your Active/Standby status again; it should be the same as the first show failover output in this post.
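
The final check above, as an added example that is not part of the original post: a Python sketch that compares saved show failover output against the pre-maintenance baseline and reports anything that was not restored. The sample text is constructed from the abbreviated outputs in this post, and the function names are hypothetical.

```python
import re

# Constructed sample, based on the abbreviated 'show failover' output in this post.
BEFORE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""
# State while failover is disabled on the Standby unit, as seen from the Active unit.
DURING = BEFORE.replace("Standby Ready", "Disabled")

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$", re.M)

def parse_failover(text):
    """Extract the failover status and each unit's (role, state) pair."""
    status = re.search(r"^Failover (On|Off)\s*$", text, re.M)
    result = {"failover": status.group(1) if status else None}
    for which, role, state in HOST_RE.findall(text):
        result[which.lower()] = (role, state)
    return result

def maintenance_findings(baseline, current):
    """Return a list of problems; an empty list means the baseline is restored."""
    base, cur = parse_failover(baseline), parse_failover(current)
    findings = []
    if cur["failover"] != "On":
        findings.append("failover is not On on this unit")
    for key in ("this", "other"):
        if key not in cur:
            findings.append(f"{key} host line missing from output")
        elif cur[key] != base.get(key):
            findings.append(f"{key} host is {cur[key]}, baseline was {base.get(key)}")
    # The situation this procedure is meant to avoid: two Active firewalls.
    states = [cur[k][1] for k in ("this", "other") if k in cur]
    if states.count("Active") > 1:
        findings.append("both units report Active")
    return findings

if __name__ == "__main__":
    print(maintenance_findings(BEFORE, BEFORE))  # baseline restored
    print(maintenance_findings(BEFORE, DURING))  # Standby still disabled
```

Save the output of show failover before the maintenance window and feed the post-maintenance output in as the second argument; any finding means the pair is not back in its original state.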