Temporarily disable failover on Cisco ASA

If you have planned maintenance that you know will hit the Failover LAN between two ASAs in an Active/Standby configuration, it is very useful to temporarily disable the failover mechanism so the Standby firewall stays Standby and you don’t end up in a situation where you have two Active firewalls.

Below is example output of the show failover command on an ASA 5520 (only relevant information is shown):

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Standby Ready
...

Now log in to the Standby firewall and disable failover with the no failover command in configuration mode:

 
firewall/stby# conf t
firewall/stby(config)# no failover
INFO: This unit is currently in standby state. By disabling failover, this unit will remain in standby state.
firewall/stbyNoFailover(config)#

As the output shows, NoFailover is added to the CLI prompt.

Back on the Active unit, you can see the Secondary is now Disabled where it was previously Standby Ready:

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Disabled
...

When your maintenance is finished, enable the failover mechanism again on the Standby node:

firewall/stbyNoFailover(config)# failover
firewall/stby(config)# 

        Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

firewall/stby(config)# end
firewall/stby#

Now you’re done. Check your Active/Standby status again; it should be the same as the first show failover output in this post.
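A check for each phase of the procedure above, as an added example that is not part of the original post: it parses show failover output captured on the Active unit and reports whether the peer is in the state expected before, during and after maintenance. The function names and phase labels are assumptions; the two sample texts are the outputs shown in this post.

```python
import re

# Matches the "This host:" / "Other host:" lines of `show failover` output.
HOST_RE = re.compile(
    r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*[-–]\s*(.+?)\s*$", re.M)

# Peer state expected on the Active unit for each phase (labels are assumptions).
EXPECTED_PEER = {"normal": "Standby Ready", "maintenance": "Disabled"}

def parse_failover(output):
    """Return {'this': (unit, state), 'other': (unit, state)}."""
    hosts = {which.lower(): (unit, state)
             for which, unit, state in HOST_RE.findall(output)}
    if set(hosts) != {"this", "other"}:
        raise ValueError("missing 'This host' or 'Other host' line")
    return hosts

def check_phase(output, phase):
    """Return a list of problems; an empty list means the pair is as expected."""
    hosts = parse_failover(output)
    problems = []
    if hosts["this"][1] != "Active":
        problems.append(f"this unit is '{hosts['this'][1]}', expected 'Active'")
    if hosts["other"][1] != EXPECTED_PEER[phase]:
        problems.append(f"peer is '{hosts['other'][1]}', "
                        f"expected '{EXPECTED_PEER[phase]}'")
    return problems

# Outputs as shown in the post (elided lines kept as "...").
BEFORE = """Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Standby Ready
...
"""
DURING = BEFORE.replace("Standby Ready", "Disabled")

if __name__ == "__main__":
    for label, text, phase in (("before", BEFORE, "normal"),
                               ("during", DURING, "maintenance"),
                               ("after, failover not re-enabled", DURING, "normal")):
        print(label, "->", check_phase(text, phase) or "OK")
```
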

5 comments on “Temporarily disable failover on Cisco ASA”
  1. Kurt says:

    Thanks!

  2. Robetonteri says:

    Would it still work the same if my Standby is the active unit ?
    Currently:
    This host: Secondary – Active

    Other host: Primary – Standby Ready

    I would do #no failover on the primary in order to keep the standby active?

    • I don’t have a unit to test this now. But I would expect the same behavior yes.
      The “Secondary – Active” unit stays active until you switch the status.
      The “Primary – Standby Ready” won’t become active if you configure the ‘no failover’ command.

      The unit is currently in standby state and by disabling failover, this unit will remain in standby state.

  3. Louis 000 says:

    Hi,
    If you were changing ISPs, how would you go about doing this? E.g. disable failover on standby, add new IPs, routing and standby IP to active and make sure it’s connected. Then just bring the standby back into standby, i.e. so the config is copied from the active to the standby?
    Is it that easy?

  4. Brendan Choi says:

    Thanks for this helpful post! If my testing causes a problem on the Primary unit, and it either locks up or I’m forced to power it off, how do I then force the healthy Secondary to be Active? Do I run “failover active” on the Secondary? Thanks!
