1 Reply. Latest reply: Apr 17, 2012 2:13 PM by Keith Barker - CCIE RS/Security, CISSP

    A/A failover: 'failover lan unit primary' vs 'primary/secondary'




      Can someone explain what is the purpose of the command 'failover lan unit primary' when we implement A/A failover and its difference with the 'primary' keyword that we put under the failover group submode?

      From Cisco's config guides:

      "Unlike Active/Standby failover, this designation does not indicate which unit becomes active when both units start simultaneously. Instead, the primary/secondary designation does two things:

      • Determines which unit provides the running configuration to the pair when they boot simultaneously.

      • Determines on which unit each failover group appears in the active state when the units boot simultaneously"


      The following link mentions 'failover lan unit primary':

      1 Determines which appliance provides the running configuration to the pair

      2 On which appliance each failover group is active when they boot simultaneously

      3 Determining on which appliance each failover group is active when both appliances start simultaneously is accomplished by configuring a primary or secondary appliance preference for each group



      Can someone explain to me the difference between points 2 and 3? I cannot clearly differentiate them.


      Thank you in advance

        • 1. Re: A/A failover: 'failover lan unit primary' vs 'primary/secondary'
          Keith Barker - CCIE RS/Security, CISSP

          Hello MIKIS-


          In the old days, we used a serial cable between 2 PIX firewalls for failover. This special cable would be configured with one end as primary and the other as secondary. Whichever firewall got the primary end of the cable would assume that title of primary.


          Then, a few years into it, they came out with LAN-based failover. Now the challenge was that if we use a crossover Ethernet cable between 2 firewalls (now ASAs), one still needs the title of PRIMARY, and the other have the role of SECONDARY. That is what the command "failover lan unit primary" does: it tells the ASA what its title is. This line of the config doesn't replicate with the rest of the config. On a good day, the Primary will be Active, and the Secondary will be Standby. Even if you are doing ACTIVE/ACTIVE, one of the units will still have the title of PRIMARY and the other SECONDARY, regardless of who is active or standby for which contexts.


          Using this for your prompt will help out a TON when you are at the console:


          Keith-asa1(config)# prompt hostname context priority state


          Best wishes,
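
The two settings discussed in this thread, side by side, as an added configuration sketch that is not part of the original posts or of Cisco's guide. The interface, IP addresses and context names (folink, GigabitEthernet0/3, 192.0.2.x, ctx-a, ctx-b) are constructed for illustration.

```text
! ----- Unit A, system execution space -----
! Unit title. Entered on each unit separately; it does not replicate.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Per-group preference. Part of the replicated configuration.
! "primary" here means: this group is active on whichever unit
! holds the PRIMARY title when both units boot simultaneously.
failover group 1
  primary
failover group 2
  secondary
!
! Contexts are assigned to groups (context names are constructed).
context ctx-a
  join-failover-group 1
context ctx-b
  join-failover-group 2
!
failover

! ----- Unit B, system execution space -----
! Only the title and the failover link are entered by hand; the
! failover groups and context assignments arrive from Unit A.
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover

! Result when both units boot simultaneously:
!   running configuration is supplied by Unit A (title PRIMARY)
!   failover group 1 (ctx-a) is active on Unit A
!   failover group 2 (ctx-b) is active on Unit B
```

With both groups left at `primary`, both would come up active on Unit A and the pair would behave like Active/Standby until a group is moved.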