Cisco – Dissolve / Break ASA Failover Firewall Configuration

KB ID 0001234 

Problem

I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair and need to remove one? There are plenty of reasons to do this, e.g. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do some testing and don’t have a spare.

Active Passive ASA 5500-X

Solution

It goes without saying, before doing anything, take a backup of the firewall. I used to do this with TFTP, but now I simply run ‘more system:running-config‘ and my console software logs all the output. (I use the awesome Royal TSX software, though PuTTY will do the same).

Make sure you know which is the primary firewall and which is the secondary, and which unit is currently active and which is standby. On the unit you intend to keep, run:

Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 9.1(4), Mate 9.1(4)
Last Failover at: 15:57:12 GMT/BDT Jul 2 2016
        This host: Primary - Active
                Active time: 5768814 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (Up Sys)
                  Interface outside (123.123.123.123): Normal (Waiting)
                  Interface inside (192.168.1.10): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 2755983 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (UP SYS)
                  Interface outside (123.123.123.123): Normal (Monitored)
                  Interface inside (192.168.1.10): Normal (Monitored)
                slot 1: empty

From the output above, this host is Primary/Active and the other host is Secondary/Standby Ready. Power off the secondary (standby) firewall first; if failover is disabled on the active unit while the standby is still connected, the standby can see its mate as failed, go active itself, and you end up with two firewalls using the same addresses (a split brain). If there was a drama I could connect it back in and get comms back up again quickly.

Now stop the remaining ‘primary active’ firewall from attempting to be part of a failover pair.

Petes-ASA(config)# no failover

Thankfully we can get rid of ‘nearly’ all the failover configuration with the following command;

Petes-ASA(config)# clear configure failover

Which is brilliant, as it removes the whole failover section and reverts the failover and stateful link interfaces back to their defaults (you can see GigabitEthernet0/3, the old failover LAN interface, is back to defaults below). What it does not do is remove the standby IP addresses from your interfaces; you will need to do that manually.

-----Config Removed For the Sake of Brevity-----
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MGMT Interface
 shutdown
 no nameif
 security-level 100
 no ip address
!
-----Config Removed For the Sake of Brevity-----
So to remove the standby IPs:

Petes-ASA(config)# interface GigabitEthernet0/0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.240
Petes-ASA(config-if)# interface GigabitEthernet0/1
Petes-ASA(config-if)# ip address 192.168.1.10 255.255.255.0


Don’t forget to save the changes with a ‘write mem‘ command when you are happy.
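A post-cleanup check, as an added example rather than anything from the original article or from Cisco: the Python below parses a saved ‘more system:running-config‘ dump (here a constructed sample built from the interface stanzas shown above), lists any ‘failover …‘ lines that ‘clear configure failover‘ should have removed, and generates the per-interface ‘ip address‘ commands that drop the standby addresses, so you can paste them in and confirm nothing is left before you ‘write mem‘. The function names, the sample configs and the failover-link addresses in the second sample are my own assumptions.

```python
"""Post 'clear configure failover' checks for a Cisco ASA running-config.

Added example for this article (not Cisco tooling). Reads a config dump as
text, reports leftover 'failover ...' lines, and generates the commands that
strip 'standby' addresses from each interface.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the interface stanzas shown in the article after
# 'clear configure failover' (standby addresses still present).
SAMPLE_CONFIG = """\
hostname Petes-ASA
no failover
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MGMT Interface
 shutdown
 no nameif
 security-level 100
 no ip address
!
"""

# Constructed sample of what a config looks like BEFORE the clear, so the
# leftover check has something to fire on. Link addresses are invented.
PRE_CLEAR_SNIPPET = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.254.254.1 255.255.255.252 standby 10.254.254.2
"""

# ' ip address <ip> <mask> [standby <ip>]' inside an interface stanza.
# ' no ip address' does not match because 'no' follows the indent.
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
# Any top-level 'failover ...' statement; the default 'no failover' line is ignored.
FAILOVER_RE = re.compile(r"^\s*failover\b")


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map interface name -> {'ip', 'mask', 'standby'} for stanzas with an address."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None          # '!' closes the stanza
        elif current:
            m = IP_RE.match(line)
            if m:
                result[current] = {"ip": m.group(1), "mask": m.group(2), "standby": m.group(3)}
    return result


def standby_cleanup_commands(config: str) -> List[str]:
    """Config-mode commands that re-enter each address without its standby peer."""
    cmds: List[str] = []
    for name, addr in parse_interfaces(config).items():
        if addr["standby"]:
            cmds.append(f"interface {name}")
            cmds.append(f" ip address {addr['ip']} {addr['mask']}")
    return cmds


def leftover_failover_lines(config: str) -> List[str]:
    """'failover ...' statements that 'clear configure failover' should have removed."""
    return [l.strip() for l in config.splitlines() if FAILOVER_RE.match(l)]


if __name__ == "__main__":
    for bad in leftover_failover_lines(SAMPLE_CONFIG):
        print("still present:", bad)
    print("\n".join(standby_cleanup_commands(SAMPLE_CONFIG)))
```

Run it against the dump your terminal logged after ‘clear configure failover‘; an empty leftover list plus a cleanup block you can paste in is the state you want before saving.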

Related Articles, References, Credits, or External Links

Deploy Cisco ASA 55xx in Active / Standby Failover

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade

Cisco ASA – Active / Active Failover


Author: PeteLong


2 Comments

  1. Could you please do the same dissolve/break firewall active/standby configuration while in a live environment? We recently had to do this because we wanted to double our AnyConnect VPN sessions. All went well until we tried to update the management address on the standby and got kicked out. It’s a tricky change in a live environment as you don’t want to cause a split brain situation with both devices becoming active. We also noticed that post the change you get a new prompt which I understand can’t be updated, e.g. hostname/sec/actNoFailover rather than hostname/pri/act.

    It would be interesting to see too if you have a better method for a live split.

    • Hi Alan, That pretty much is the live procedure; the only reason changing the MGMT interface might trip you up is if you have ‘OLD ASAs’ and you are using that interface for failover, or you have NEW ASAs and that interface is used for FirePOWER. The prompt changes because it’s set using a variable.

