Configuration Changes Made to ASAs in Active-Active Failover Mode
When Security Cloud Control Firewall Management replaces an ASA's running configuration with the one staged on Security Cloud Control Firewall Management, or when it replaces the configuration stored on Security Cloud Control Firewall Management with the one running on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the Security Cloud Control Firewall Management GUI. If the desired configuration change cannot be made using the Security Cloud Control Firewall Management GUI, Security Cloud Control Firewall Management attempts to overwrite the entire configuration file to make the change.
Here are two examples:
You can create or change a network object using the Security Cloud Control Firewall Management GUI. If Security Cloud Control Firewall Management needs to deploy that change to an ASA's configuration, it overwrites the relevant lines of the running configuration file on the ASA when the change occurs.
You cannot create a new ASA user using the Security Cloud Control Firewall Management GUI. If a new user is added to the ASA using the ASA's ASDM or CLI, when that out-of-band change is accepted and Security Cloud Control Firewall Management updates the stored configuration file, Security Cloud Control Firewall Management attempts to overwrite that ASA's entire configuration file staged on Security Cloud Control Firewall Management.
These rules are not followed when the ASA is configured in active-active failover mode. When Security Cloud Control Firewall Management manages an ASA configured in active-active failover mode, Security Cloud Control Firewall Management cannot always deploy all configuration changes from itself to the ASA or read all configuration changes from the ASA into itself. Here are two instances in which this is the case:
Changes to an ASA's configuration file made in Security Cloud Control Firewall Management, that Security Cloud Control Firewall Management does not otherwise support in the Security Cloud Control Firewall Management GUI, cannot be deployed to the ASA. Also, a combination of changes made to the configuration file that Security Cloud Control Firewall Management does not support, along with changes made to the configuration file that Security Cloud Control Firewall Management does support, cannot be deployed to the ASA. In both cases, you receive the error message, "Security Cloud Control Firewall Management does not support replacing full configurations for devices in failover mode at this time. Please click Cancel and apply changes to the device manually." Along with the message in the Security Cloud Control Firewall Management interface, you see a Replace Configuration button that is disabled.
Out-of-band changes made to an ASA configured in active-active failover mode will not be rejected by Security Cloud Control Firewall Management. If you make an out-of-band change to an ASA's running configuration, the ASA gets marked with "Conflict Detected" on the Security Devices page. If you review the conflict and try to reject it, Security Cloud Control Firewall Management blocks that action. You receive the message, "Security Cloud Control Firewall Management does not support rejecting out-of-band changes for this device. Either this device is running an unsupported software version or is a member of a active/active failover pair. Please proceed to accept the out-of-band changes by clicking Continue."
Caution: If you find yourself having to accept out-of-band changes from the ASA, any configuration changes staged on Security Cloud Control Firewall Management, but not yet deployed to the ASA, will be overwritten and lost.
Security Cloud Control Firewall Management does support configuration changes made to an ASA in failover mode when those changes are supported by the Security Cloud Control Firewall Management GUI.
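The deployment and out-of-band decisions described above (partial line replacement for GUI-manageable changes, full-configuration replacement otherwise, and the two active/active restrictions) can be modeled as a small decision routine. The following is an added illustration written for this page, not Cisco's implementation: the ASA configuration snippets are constructed, and the assumption that only "object network" blocks count as GUI-managed simply mirrors the page's network-object versus local-user examples.

```python
"""Added illustration of the page's configuration-sync rules (not Cisco code).

A staged configuration is compared block by block with the running one.
Differences in GUI-managed blocks can be pushed as a partial update; any
other difference needs a full-configuration replace, which the page says is
refused for an active/active failover pair. Rejecting out-of-band changes is
likewise refused for such a pair, and accepting them discards staged work.
"""
from dataclasses import dataclass, field

# Constructed assumption: only 'object network' blocks are GUI-manageable here.
GUI_MANAGED_PREFIXES = ("object network",)

# Message texts quoted from the page, used as the model's refusal reasons.
FULL_REPLACE_REFUSED = ("Security Cloud Control Firewall Management does not support "
                        "replacing full configurations for devices in failover mode at this time.")
REJECT_REFUSED = ("Security Cloud Control Firewall Management does not support "
                  "rejecting out-of-band changes for this device.")

# Constructed sample ASA configurations (not from any real device).
RUNNING = """\
hostname asa-edge
object network web-server
 host 10.1.1.10
username admin password ***** privilege 15
"""
STAGED_OBJECT_CHANGE = RUNNING.replace("host 10.1.1.10", "host 10.1.1.20")
STAGED_USER_CHANGE = RUNNING + "username auditor password ***** privilege 3\n"
RUNNING_AFTER_OOB = RUNNING + "username oob-user password ***** privilege 3\n"


@dataclass
class DeployPlan:
    mode: str                                  # "none", "partial", "full" or "blocked"
    changed: list = field(default_factory=list)  # headers of blocks that differ
    lines: list = field(default_factory=list)    # lines to push for a partial update
    message: str = ""


def split_blocks(config):
    """Group each top-level ASA line with its indented continuation lines."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and header is not None:
            blocks[header].append(line)
        else:
            header = line
            blocks[header] = [line]
    return blocks


def changed_blocks(old, new):
    """Headers of blocks that were added, removed or modified between two configs."""
    a, b = split_blocks(old), split_blocks(new)
    return sorted(h for h in set(a) | set(b) if a.get(h) != b.get(h))


def is_gui_managed(header):
    return header.startswith(GUI_MANAGED_PREFIXES)


def plan_deploy(running, staged, failover_mode=None):
    """Decide how a staged config would reach the ASA under the page's rules."""
    diff = changed_blocks(running, staged)
    if not diff:
        return DeployPlan("none")
    if all(is_gui_managed(h) for h in diff):
        staged_blocks = split_blocks(staged)
        lines = [l for h in diff for l in staged_blocks.get(h, [])]
        return DeployPlan("partial", diff, lines)
    if failover_mode == "active/active":
        return DeployPlan("blocked", diff, [], FULL_REPLACE_REFUSED)
    return DeployPlan("full", diff)


def handle_out_of_band(stored, running, staged, action, failover_mode=None):
    """Return (new_stored_config, lost_staged_block_headers, message).

    'accept' takes the ASA's running config as the new stored copy, losing
    staged-but-undeployed changes (the page's Caution). 'reject' is refused
    for an active/active pair and otherwise keeps the stored copy."""
    if action == "reject":
        if failover_mode == "active/active":
            return stored, [], REJECT_REFUSED
        return stored, [], ""
    lost = changed_blocks(stored, staged)
    return running, lost, ""


if __name__ == "__main__":
    print(plan_deploy(RUNNING, STAGED_OBJECT_CHANGE, "active/active"))
    print(plan_deploy(RUNNING, STAGED_USER_CHANGE, "active/active"))
    print(handle_out_of_band(RUNNING, RUNNING_AFTER_OOB, STAGED_OBJECT_CHANGE,
                             "accept", "active/active"))
```

Running the script shows the network-object edit going out as a partial update of just the "object network web-server" block, the new local user being blocked with the page's error text on an active/active pair, and an accepted out-of-band change reporting the staged network-object edit as lost.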