KB ID 0001234
I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair, and you need to remove one? There are plenty of reasons to do this, e.g. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do some testing and don’t have a spare.
It goes without saying: before doing anything, take a backup of the firewall. I used to do this with TFTP, but now I simply run ‘more system:running-config’ and my console software logs all the output. (I use the awesome Royal TSX software, though PuTTY will do the same.)
Make sure you know which is the primary firewall, and which is the secondary firewall, and which is active and which is passive.
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 9.1(4), Mate 9.1(4)
Last Failover at: 15:57:12 GMT/BDT Jul 2 2016
        This host: Primary - Active
                Active time: 5768814 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (Up Sys)
                  Interface outside (18.104.22.168): Normal (Waiting)
                  Interface inside (192.168.1.10): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 2755983 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (UP SYS)
                  Interface outside (22.214.171.124): Normal (Monitored)
                  Interface inside (192.168.1.10): Normal (Monitored)
                slot 1: empty
The output above shows this unit is the primary and active, so I’m going to power off the other (secondary, standby) firewall. If there was a drama, I could connect it back in and get comms back up again quickly.
Now stop the remaining ‘primary active’ firewall from attempting to be part of a failover pair.
Petes-ASA(config)# no failover
Thankfully we can get rid of ‘nearly’ all the failover configuration with the following command:
Petes-ASA(config)# clear configure failover
This is brilliant, as it removes the whole failover section and reverts the stateful and failover link interfaces back to their defaults. What it does not do, though, is remove the standby IP addresses from your interfaces; you will need to do that manually.
-----Config Removed For the Sake of Brevity-----
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 126.96.36.199 255.255.255.240 standby 188.8.131.52
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MGMT Interface
 shutdown
 no nameif
 security-level 100
 no ip address
!
-----Config Removed For the Sake of Brevity-----
So, to remove the standby IPs:
Petes-ASA(config)# interface GigabitEthernet0/0
Petes-ASA(config-if)# ip address 184.108.40.206 255.255.255.240
Petes-ASA(config-if)# interface GigabitEthernet0/1
Petes-ASA(config-if)# ip address 192.168.1.10 255.255.255.0
Don’t forget to save the changes with a ‘write mem’ command when you are happy.
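Because ‘clear configure failover’ leaves the standby addresses behind, the saved ‘more system:running-config’ output can be checked offline for anything that was missed. The script below is an added example, not part of the original article: the function names are hypothetical, the sample config and its addresses are constructed, and it assumes interface sub-commands are indented by one space as the ASA prints them.

```python
import re

# Constructed sample in the shape of the config excerpt above; the addresses
# are documentation-range placeholders, not values from the article.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/3
 no ip address
!
failover lan unit primary
"""

IP_LINE = re.compile(r"^\s+ip address (\S+) (\S+) standby (\S+)\s*$")

def find_failover_leftovers(config_text):
    """Return (standby_list, failover_lines) found in a saved ASA config."""
    standby, failover_lines, current_if = [], [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current_if = None  # an unindented line ends the interface stanza
            if line.startswith("failover"):  # 'no failover' is not a leftover
                failover_lines.append(line.strip())
        elif current_if and (m := IP_LINE.match(line)):
            standby.append((current_if, m.group(1), m.group(2), m.group(3)))
    return standby, failover_lines

def remediation_commands(standby):
    """Build the CLI lines that re-apply each address without 'standby'."""
    cmds = []
    for ifname, ip, mask, _ in standby:
        cmds += [f"interface {ifname}", f" ip address {ip} {mask}"]
    return cmds

if __name__ == "__main__":
    found, leftovers = find_failover_leftovers(SAMPLE_CONFIG)
    print("\n".join(remediation_commands(found)))
    print("remaining failover lines:", leftovers)
```

An empty result for both lists on the post-change config means no standby addresses or failover statements remain.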