KB ID 0001234
Problem
I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair, and you need to remove one? There are plenty of reasons to do this, e.g. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do some testing and don’t have a spare.
Solution
It goes without saying: before doing anything, take a backup of the firewall. I used to do this with TFTP, but now I simply run ‘more system:running-config‘ and my console software logs all the output. (I use the awesome Royal TSX software, though PuTTY will do the same.)
Make sure you know which is the primary firewall, and which is the secondary firewall, and which is active and which is passive.
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 9.1(4), Mate 9.1(4)
Last Failover at: 15:57:12 GMT/BDT Jul 2 2016
This host: Primary - Active
Active time: 5768814 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (Up Sys)
Interface outside (123.123.123.123): Normal (Waiting)
Interface inside (192.168.1.10): Normal (Waiting)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 2755983 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (UP SYS)
Interface outside (123.123.123.123): Normal (Monitored)
Interface inside (192.168.1.10): Normal (Monitored)
slot 1: empty
So, as shown above, I’m going to power off the other (secondary, standby) firewall. (If there was a drama I could connect it back in and get comms back up again quickly.)
Now stop the remaining ‘primary active’ firewall from attempting to be part of a failover pair.
Petes-ASA(config)# no failover
Thankfully we can get rid of ‘nearly’ all the failover configuration with the following command:
Petes-ASA(config)# clear configure failover
This is brilliant, as it removes the whole failover section and reverts the stateful and failover-link interfaces back to their defaults. What it does not do, though, is remove the standby IP addresses from your interfaces; you will need to do that manually, as you can see in the running config:
-----Config Removed For the Sake of Brevity-----
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MGMT Interface
 shutdown
 no nameif
 security-level 100
 no ip address
!
-----Config Removed For the Sake of Brevity-----
So, to remove the standby IPs:
Petes-ASA(config)# interface GigabitEthernet0/0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.240
Petes-ASA(config-if)# interface GigabitEthernet0/1
Petes-ASA(config-if)# ip address 192.168.1.10 255.255.255.0
Don’t forget to save the changes with a ‘write mem‘ command when you are happy.
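Because ‘clear configure failover‘ leaves the standby addresses behind, it is worth checking the saved backup before and after the change. The following Python script is an added example (not from the article, and not a Cisco tool): it parses a running-config excerpt, lists every interface that still carries a standby address, builds the interface commands needed to strip them, and flags any leftover lines beginning with ‘failover‘. The config excerpt is constructed to match the addressing used above.

```python
import re

# Constructed running-config excerpt in the style of the article's backup:
# two interfaces still carrying standby addresses plus a failover section.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
"""

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
STANDBY_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")


def find_standby_addresses(config):
    """Return [(interface, ip, mask, standby_ip)] for every interface whose
    'ip address' line still has a standby address attached."""
    found, current = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:                       # entering a new interface section
            current = m.group(1)
            continue
        m = STANDBY_RE.match(line)
        if m and current:
            found.append((current, m.group(1), m.group(2), m.group(3)))
    return found


def remaining_failover_lines(config):
    """Lines that 'clear configure failover' should have removed; anything
    returned means the failover section is still present."""
    return [l for l in config.splitlines() if l.strip().startswith("failover")]


def cleanup_commands(config):
    """Build the config-mode commands that re-enter each 'ip address' without
    its standby address (paste these after 'clear configure failover')."""
    cmds = []
    for iface, ip, mask, _standby in find_standby_addresses(config):
        cmds.append(f"interface {iface}")
        cmds.append(f" ip address {ip} {mask}")
    return cmds
```

Run it against a post-change backup: an empty result from both functions confirms no standby addresses or failover lines survived.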
Related Articles, References, Credits, or External Links
Deploy Cisco ASA 55xx in Active / Standby Failover
Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade
Cisco ASA – Active / Active Failover
15/05/2020
Could you please do the same dissolve/break firewall active/standby configuration while in a live environment? We recently had to do this because we wanted to double our AnyConnect VPN sessions. All went well until we tried to update the management address on the standby and got kicked out. It’s a tricky change in a live environment as you don’t want to cause a split-brain situation with both devices becoming active. We also noticed that post the change you get a new prompt which I understand can’t be updated, e.g. hostname/sec/actNoFailover rather than hostname/pri/act.
It would be interesting to see, too, if you have a better method for a live split.
15/05/2020
Hi Alan, that pretty much is the live procedure; the only reason changing the MGMT interface might trip you up is if you have ‘OLD ASAs’ and you are using that interface for failover, or you have NEW ASAs and that interface is used for FirePOWER. The prompt changes because it’s set using a variable.