Configuration Changes Made to ASAs in Active-Active Failover Mode
When Firewall Manager deploys the configuration staged on Firewall Manager to an ASA's running configuration, or reads the configuration stored on the ASA back into Firewall Manager, it tries to change only the relevant lines of the configuration file, provided that aspect of the configuration can be managed from the Firewall Manager GUI. If the change cannot be made from the Firewall Manager GUI, Firewall Manager instead overwrites the entire configuration file to make the change.
Here are two examples:
- You can create or change a network object from the Firewall Manager GUI. When Firewall Manager deploys that change to an ASA, it overwrites only the relevant lines of the ASA's running configuration.
- You cannot create a new ASA user from the Firewall Manager GUI. If a user is added to the ASA with ASDM or the CLI, then when you accept that out-of-band change and Firewall Manager updates its stored copy of the configuration, Firewall Manager overwrites the entire configuration file staged for that ASA on Firewall Manager.
These rules do not apply when the ASA is configured in active-active failover mode. When Firewall Manager manages an ASA in active-active failover mode, it cannot always deploy every configuration change to the ASA, or read every configuration change from the ASA back into itself. Here are two cases where this happens:
- Changes to an ASA's configuration file made in Firewall Manager that the Firewall Manager GUI does not otherwise support cannot be deployed to the ASA. Likewise, a mix of changes that Firewall Manager does not support and changes that it does support cannot be deployed, because the unsupported change alone forces a full replacement. In both cases you receive the error message, "Firewall Manager does not support replacing full configurations for devices in failover mode at this time. Please click Cancel and apply changes to the device manually." Alongside the message, the Replace Configuration button in the Firewall Manager interface is disabled.
- Out-of-band changes made to an ASA in active-active failover mode cannot be rejected by Firewall Manager. If you make an out-of-band change to the ASA's running configuration, the ASA is marked "Conflict Detected" on the Security Devices page. If you review the conflict and try to reject it, Firewall Manager blocks that action with the message, "Firewall Manager does not support rejecting out-of-band changes for this device. Either this device is running an unsupported software version or is a member of a active/active failover pair. Please proceed to accept the out-of-band changes by clicking Continue."
Note: If you have to accept out-of-band changes from the ASA, any configuration changes staged on Firewall Manager but not yet deployed to the ASA are overwritten and lost. Before accepting, record the pending staged changes so you can re-enter them after the stored configuration is refreshed.
Firewall Manager does support configuration changes made to an ASA in failover mode when those changes are supported by the Firewall Manager GUI.
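The decision rules above can be pre-checked before you click Deploy or Accept. The following script is an added illustration, not Firewall Manager or Cisco code: it diffs a staged ASA configuration against the running one, decides whether the push would be a line-level replace, a full replace, or blocked for an active/active pair, and lists which staged edits an out-of-band accept would discard. The prefix list `GUI_MANAGED` and the sample configurations are assumptions; the page confirms only that network objects are GUI-manageable and that ASA users are not.

```python
"""Pre-check for deploying a staged ASA configuration with Firewall Manager.

Added illustration only; this is not Firewall Manager or Cisco code.
GUI_MANAGED is an assumption: the page confirms only that network objects
are GUI-manageable and that ASA users are not.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed: top-level ASA commands the Firewall Manager GUI can edit line by line.
GUI_MANAGED = ("object network ", "object-group ", "access-list ")

# Error text the page quotes for a blocked full replace in failover mode.
FULL_REPLACE_BLOCKED = (
    "Firewall Manager does not support replacing full configurations for "
    "devices in failover mode at this time."
)


def config_entries(text: str) -> list[tuple[str, str]]:
    """Return (top-level command, line) pairs; indented lines inherit their parent.

    Blank lines and '!' separators are dropped, so two configs that differ
    only in separators produce no diff.
    """
    entries: list[tuple[str, str]] = []
    parent = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            parent = raw.rstrip()
        entries.append((parent, raw.rstrip()))
    return entries


def config_diff(running: str, staged: str) -> tuple[list, list]:
    """Lines to add and lines to remove to turn `running` into `staged`.

    Order-insensitive; a pre-check, not a substitute for the ASA's merge rules.
    """
    run, stg = set(config_entries(running)), set(config_entries(staged))
    return sorted(stg - run), sorted(run - stg)


def gui_manageable(top_level_cmd: str) -> bool:
    """True if the command can be changed from the GUI (assumed prefix list)."""
    return any(top_level_cmd.startswith(p) for p in GUI_MANAGED)


@dataclass
class DeployPlan:
    action: str        # "nothing", "partial", "full" or "blocked"
    added: list
    removed: list
    unsupported: list  # top-level commands that force a full replace
    message: str = ""


def plan_deploy(running: str, staged: str, active_active_failover: bool) -> DeployPlan:
    """Decide how Firewall Manager would push `staged` onto `running`.

    Only GUI-manageable changes: line-level replace. Any non-GUI change,
    alone or mixed with supported ones: full replace, which is refused for
    an active/active failover pair.
    """
    added, removed = config_diff(running, staged)
    if not added and not removed:
        return DeployPlan("nothing", added, removed, [])
    unsupported = sorted({top for top, _ in added + removed if not gui_manageable(top)})
    if not unsupported:
        return DeployPlan("partial", added, removed, [])
    if active_active_failover:
        return DeployPlan("blocked", added, removed, unsupported, FULL_REPLACE_BLOCKED)
    return DeployPlan("full", added, removed, unsupported)


def pending_lost_on_accept(baseline: str, staged: str, running: str) -> tuple[list[str], list[str]]:
    """What accepting an out-of-band change discards.

    `baseline` is the last config deployed, `staged` holds edits not yet
    deployed, `running` is what the ASA reports now. Accepting replaces the
    staged copy with `running`, so staged additions absent from the ASA are
    lost and staged deletions still present on the ASA come back.
    """
    base, stg, run = (set(config_entries(c)) for c in (baseline, staged, running))
    lost = [line for _, line in sorted((stg - base) - run)]
    reverted = [line for _, line in sorted((base - stg) & run)]
    return lost, reverted


# Constructed sample configs (not captured from a real device).
RUNNING = """\
hostname asa-edge
!
object network WEB-SRV
 host 10.1.1.10
!
username admin privilege 15
"""
STAGED_OBJECT_ONLY = RUNNING.replace("host 10.1.1.10", "host 10.1.1.20")
STAGED_WITH_USER = STAGED_OBJECT_ONLY + "username auditor privilege 3\n"
RUNNING_AFTER_OOB = RUNNING + "username oob-admin privilege 15\n"

if __name__ == "__main__":
    for name, cfg in (("object only", STAGED_OBJECT_ONLY), ("object + user", STAGED_WITH_USER)):
        plan = plan_deploy(RUNNING, cfg, active_active_failover=True)
        print(f"{name}: {plan.action} {plan.message}")
    print("lost on accept:", pending_lost_on_accept(RUNNING, STAGED_OBJECT_ONLY, RUNNING_AFTER_OOB))
```

Run it as-is to see the object-only change classified as a partial replace and the mixed change blocked for the active/active pair; swap `active_active_failover=False` to see the same mixed change fall back to a full replace. Keep `GUI_MANAGED` aligned with what your Firewall Manager version actually exposes, since an incorrect prefix list turns the pre-check into a false sense of safety.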