Cisco ASA 5500-X Series Next-Generation Firewalls

Q&A: On the ASA, when should the write standby command be used and what happens when it is used?

Document ID: 115999

Updated: Mar 25, 2013

Contributed by Magnus Mortensen, Michael Robertson, and Andrew Ossipov, Cisco TAC Engineers.



This document provides information on when the write standby command should be used and the effect of the command.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Q. When should I issue the command write standby, and what issues could result if that command is used?

A. You almost never need to enter the command write standby. Here is some information to help you better understand what happens when that command is used.

When you enter the write standby command, the peer standby firewall clears its configuration; effectively, a clear config all command is issued on the standby. The standby erases its configuration, including access control lists (ACLs), interfaces, and so on, and then resynchronizes its full configuration from the active peer. In addition, while the configuration is erased, all management sessions to the standby firewall are cleared, because its interfaces reinitialize. The standby CPU load may also increase, because the Adaptive Security Appliance (ASA) must recompile its ACL data structures after the configuration is rebuilt and resynchronized.

Note: This command does not actually issue a write memory command on the standby firewall. The standby firewall's configuration is not written to flash memory after the configuration is synchronized as noted in the ASA command reference for write standby. In order to save the configuration on the standby firewall, enter the write memory command from the active firewall. Refer to the Cisco ASA Series Command Reference, 8.4, 8.5, 8.6, and 8.7 document for more information on write standby.

In general, the only time write standby should be issued is when you have confirmed that the standby firewall's operational configuration does not match the active firewall's configuration. To confirm that the configurations are out of sync, enter the show run command on both units and compare the results. The only difference should be the failover lan unit command, which indicates whether the unit is primary or secondary.
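As an added example (not part of this Cisco document), the following Python script performs the comparison described above on saved show run output from the two units: it drops the capture header and comment lines, diffs the remaining configuration lines, and ignores only the expected failover lan unit primary/secondary difference, so anything it reports is a real mismatch that would justify a write standby. The sample configurations are constructed for illustration, and the set of header lines treated as noise is an assumption about the capture format.

```python
"""Compare `show run` captures from two ASA failover peers.

Added example, not Cisco's code. Assumes each capture has been saved as
text; the sample captures below are constructed for illustration.
"""
import difflib
import re

# The one line that legitimately differs between failover peers.
EXPECTED_DIFF = re.compile(r"^\s*failover lan unit (primary|secondary)\s*$")

# Capture header/trailer and comment lines that are not configuration
# (assumed set; extend it if your captures carry other banner lines).
NOISE = re.compile(
    r"^(: Saved|: Written by .*|: Serial Number: .*|: Hardware: .*"
    r"|Cryptochecksum:.*|: end|!\s*)$"
)


def normalize(config_text):
    """Return the configuration lines with noise and trailing whitespace removed."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or NOISE.match(line):
            continue
        lines.append(line)
    return lines


def config_diff(active_text, standby_text):
    """Return differing lines ('-' = only on active, '+' = only on standby),
    ignoring the failover lan unit line that is expected to differ."""
    diff = difflib.unified_diff(
        normalize(active_text), normalize(standby_text),
        fromfile="active", tofile="standby", lineterm="", n=0,
    )
    findings = []
    for entry in diff:
        if entry.startswith(("---", "+++", "@@")):
            continue  # file and hunk headers, not config lines
        if EXPECTED_DIFF.match(entry[1:]):
            continue  # primary vs secondary is the expected difference
        findings.append(entry)
    return findings


def configs_in_sync(active_text, standby_text):
    """True when the only difference is the failover lan unit line."""
    return not config_diff(active_text, standby_text)


# Constructed sample captures (not from a real device).
ACTIVE_CONFIG = """\
: Saved
: Written by enable_15 at 10:00:00.000 UTC Mon Mar 25 2013
!
hostname asa-fw
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list OUTSIDE_IN extended deny ip any any
: end
"""

# Healthy standby: same config, different unit role and capture timestamp.
STANDBY_IN_SYNC = ACTIVE_CONFIG.replace(
    "failover lan unit primary", "failover lan unit secondary"
).replace("10:00:00.000", "10:02:30.000")

# Out-of-sync standby: the ACL differs from the active unit.
STANDBY_OUT_OF_SYNC = STANDBY_IN_SYNC.replace(
    "access-list OUTSIDE_IN extended deny ip any any",
    "access-list OUTSIDE_IN extended permit tcp any any eq 443",
)

if __name__ == "__main__":
    print("healthy pair in sync:", configs_in_sync(ACTIVE_CONFIG, STANDBY_IN_SYNC))
    for line in config_diff(ACTIVE_CONFIG, STANDBY_OUT_OF_SYNC):
        print("mismatch:", line)
```

Run the script against two saved captures by reading them into active_text and standby_text; an empty result from config_diff means no write standby is needed, while any reported line is a concrete difference to investigate before forcing a resync.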
