ASA 5520: Configuring Active/Standby High Availability

Hi,
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
I am trying to set up Active/Standby using the High Availability Wizard. I have interfaces on each device set up with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
I tried this using a crossover cable to connect the interfaces directly with the same result.
Any ideas?
Thanks.
Dan

The command Varun is right.
Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a primary IP where the Active/Standby pair will exchange hello packets. If the hellos are not heard from the mate, then the unit is declared failed.
In case the primary is the one that gets an interface down, it will fail over to the other unit; if it is the standby that has the problem, the active unit will declare the other unit "standby failed". You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
For configuring it, just put a secondary IP on every interface to be monitored. (If by any chance you don't have an available secondary IP for one of the interfaces, you can avoid monitoring the given interface using the command "no monitor-interface nameif", where nameif is the name of the interface without the secondary IP.)
Then put the commands for failover and stateful link. The stateful link will copy the connections table (among other things) to avoid downtime while passing from one unit to another. This link should have at least the same speed as the regular data interfaces.
You can configure the failover link and the stateful link on just one interface by using the same name for the link. Remember that this link will have a totally separate subnet from the ones already used in the firewall.
This is the configuration:
! On the primary unit
failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
! On the secondary unit
failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Make sure that you can ping each other's secondary/primary IP and then put the command "failover" first on the primary and then on the secondary.
That would be fine.
Let me know if you have further doubts.
Link for reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Mike
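
The prerequisites from the answer above (a standby IP on every monitored interface, and a failover link on its own subnet) can be checked offline against a saved configuration. This is an added example, not code from the original posts or from Cisco; the sample configuration is constructed, and treating every named interface as monitored unless "no monitor-interface" is present is an assumption of the example.

```python
import ipaddress

# Constructed sample (not a configuration from this thread): "inside" has no
# standby address and the failover link subnet overlaps the "dmz" subnet.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.70.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.1.0.129 255.255.255.128 standby 10.1.0.130
interface Management0/0
 nameif management
 ip address 192.168.100.1 255.255.255.0
no monitor-interface management
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""


def _bad_standby(iface, standby):
    """True when the standby address is outside the subnet or equals the primary."""
    return standby not in iface.network or standby == iface.ip


def lint_failover(config):
    """Return a list of findings; an empty list means the prerequisites hold."""
    data_ifs = {}          # nameif -> (IPv4Interface, standby address or None)
    unmonitored = set()    # nameifs excluded with "no monitor-interface"
    fo_ip = None           # (IPv4Interface, standby address) of the failover link
    has_unit = has_lan = has_link = False
    nameif = None
    for line in config.splitlines():
        if not line.startswith(" "):
            nameif = None                      # left interface sub-mode
        words = line.split()
        if not words:
            continue
        if words[0] == "nameif" and len(words) == 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            standby = None
            if len(words) == 6 and words[4] == "standby":
                standby = ipaddress.ip_address(words[5])
            data_ifs[nameif] = (iface, standby)
        elif words[:2] == ["no", "monitor-interface"] and len(words) == 3:
            unmonitored.add(words[2])
        elif words[:3] == ["failover", "lan", "unit"]:
            has_unit = True
        elif words[:3] == ["failover", "lan", "interface"]:
            has_lan = True
        elif words[:2] == ["failover", "link"]:
            has_link = True
        elif words[:3] == ["failover", "interface", "ip"] and len(words) == 8:
            fo_ip = (ipaddress.ip_interface(f"{words[4]}/{words[5]}"),
                     ipaddress.ip_address(words[7]))

    findings = []
    for name, (iface, standby) in data_ifs.items():
        if name in unmonitored:
            continue                           # no standby IP needed here
        if standby is None:
            findings.append(f"{name}: monitored but has no standby IP")
        elif _bad_standby(iface, standby):
            findings.append(f"{name}: standby IP {standby} is not a distinct "
                            f"host in {iface.network}")
    if not (has_unit and has_lan):
        findings.append("failover: 'failover lan unit' or "
                        "'failover lan interface' is missing")
    if not has_link:
        findings.append("failover: no 'failover link', connections are not replicated")
    if fo_ip is None:
        findings.append("failover: no 'failover interface ip' configured")
    else:
        fo_iface, fo_standby = fo_ip
        if _bad_standby(fo_iface, fo_standby):
            findings.append(f"failover: standby IP {fo_standby} is not a "
                            f"distinct host in {fo_iface.network}")
        for name, (iface, _) in data_ifs.items():
            if fo_iface.network.overlaps(iface.network):
                findings.append(f"failover: link subnet {fo_iface.network} "
                                f"overlaps {name} ({iface.network})")
    return findings


if __name__ == "__main__":
    for finding in lint_failover(SAMPLE_CONFIG):
        print(finding)
```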

Similar Messages

  • ASA 8.4 Active/Standby issue

    Hi,
    Have configured Active/Standby and configuration has been copied fine from one device to other.
    All interfaces that have been auto created (to match the original device) are showing IP addresses correctly (UP,UP)
    The ASA are connected via 2 switches using trunk ports and status is UP for both trunk ports (I have connected to the same ports as in original device)
    Thought it was going to work when the configuration transfer was completed and the same interfaces connected. Let me know if you can suggest why interfaces on the standby ASA when active become (UP, UP) with correct IP Addresses but no traffic passes except on the failover interface.
    Thanks

    in fact this is the problem that even after entering command "no failover active" on the Active ASA and therefore the second ASA becomes the Active one - still no traffic works except between the interfaces of the Failover between the two ASA's. So the second ASA is yes becoming Active but it seems that no device is able to communicate with it even if all its interfaces match the primary one.
    Attached is a diagram of the setup.
    (Update seems that isakmp site to site link is not coming up now - other than that internal communication is working from the ASA on failover)

  • ASA 5550 Transparent Active/Standby Configuration

    Hello guys!
    I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:
    Primary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    media-type sfp
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    Secondary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    failover
    failover lan unit secondary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    My questions are the following:
    1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip need to be the same as the management ip address?
    2. Is any other additional config needed for HA to work for basic active/stand-by failover?
    3. Which is the best method to add the second box without disrupting the active box?
    Thanks in advance guys!

    Hi Nephtali,
    1. The answer is no, it can be different.
    2. You can optionally add stateful failover config.
    3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.
    Link to a config example:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg
    Regards
    Mariusz

  • ASA 5520 Dual Active ISPs

    I inherited a network redesign project mid implementation and ran across an issue that I was not 100% sure able to be resolved.  Implementation is occurring in which the organization is changing over to a different ISP and we have some customers that will not be able to change their settings over to our new addresses for some time.  I have seen a lot of posts about fail over and dual ISP configurations, but I could not relate them to this particular scenario.
    Theoretical Layout:
    ISP1 - Old
    ISP2 - New
    ISP1          ISP2
        2x ASA 5520 - DMZ
                |
           Internal
    ASA 5520s are on version 8.0 and running Active/Active
    We have an FTP server in our DMZ and a secondary server in our Internal LAN that customers communicate with.  The issue that I have been faced with is that some customers will be using ISP1 while others are using ISP2 until the full transition occurs.  Since the customers have explicit firewall rules that only accept communication from a certain source address, we cannot send out the traffic just on ISP2 until they change their settings.
    Any ideas or thoughts on how to configure to be able to make this happen?

    Hello,
    I think you are looking for load balancing implementation and unfortunately the ASA does not support that feature yet.
    There are some workarounds that are not supported by Cisco because as I told you this is supported yet, but you definitely can give it a try.
    Here is the link you can use to get more information about the workaround:
    https://supportforums.cisco.com/docs/DOC-15622
    Please rate helpful posts.
    Kind regards,
    Julio

  • ASA Failover pair Active/Standby

    Hi,
    Two days ago I had a problem with secondary unit in the ASA HA. The problem is because of the CX module failed in the secondary unit (service module failed) showing the standby unit failed in the "show fail" output. 
    Just I reloaded CX module in the secondary unit and then it was working fine.
    Now the same problem facing in Active unit. Kindly find the show fail output below. we are running ASA 5.1(5) in ASA and 9.3.2.1 system image in CX module.
    SOC-FW# sh fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: fail-1 GigabitEthernet0/4 (up)
    Unit Poll frequency 1 seconds, holdtime 6 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 114 maximum
    Version: Ours 9.1(5), Mate 9.1(5)
    Last Failover at: 03:54:49 IST Mar 28 2015
            This host: Secondary - Active
                    Active time: 206373 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.218): Normal (Monitored)
                      Interface INSIDE (10.0.60.1): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.1): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.1): Normal (Monitored)
                      Interface management (172.16.10.49): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
                      ASA CX, 9.3.2.1, Up
            Other host: Primary - Failed
                    Active time: 326213 (sec)
                    slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                      Interface OUTSIDE (112.133.222.219): Normal (Monitored)
                      Interface INSIDE (10.0.60.2): Normal (Monitored)
                      Interface DMZ_1 (10.0.40.2): Normal (Monitored)
                      Interface DMZ_2 (10.0.50.2): Normal (Monitored)
                      Interface management (172.16.10.50): Normal (Not-Monitored)
                    slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
                      ASA CX, 9.3.2.1, Up
    Kindly help if anybody have the solution.
    Thanks in advance.
    Thanks and regards,
    Ashok Kumar S.

    Hi,
    Thank you for opening a separate thread. This seems to be the issue with the DATA plane going down on the CX module and causing the fail-over event.
    Were there any configuration / updates etc done on the CX which caused this ?
    I think this might require some diagnostics log analysis on the CX and so i would request you to open a Cisco TAC case.
    If you want you can send the diagnostic from the CX to my email address and i can check the issue if possible. ([email protected])
    Thanks and Regards,
    Vibhor Amrodia

  • How to configure current SQL high availability cluster using mirroring with dedicated replication NICS?

    We have a current HA cluster at center1 which is mirrored to another HA cluster in center2. We have several instances already installed and working which are using one NIC for data and replication. We want to prevent mirror failovers by configuring a NIC on a replication network which has no DNS server. What are the steps to configure the current SQL instances to use this dedicated NIC for mirror replication?

    Hi dskim111,
    You can refer the following step by step article to create the dedicated mirroring NIC,
    Step by Step Guide to Setup a Dedicated SQL Database Mirroring(DBM on dedicated Nic card)
    http://blogs.msdn.com/b/sqlserverfaq/archive/2010/03/31/step-by-step-guide-to-setup-a-dedicated-sql-database-mirroring-dbm-on-dedicated-nic-card.aspx?Redirected=true
    I’m glad to be of help to you!

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they aren't really optimal.
    In your case it seems that you have a pretty much better situation than most people that don't have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is:
    1. Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    2. You can use the "packet-tracer" command to test if correct NAT rules are still hit after the conversion.
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most were from an FWSM Security Context to an ASA Security Context).
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is:
    1. Collect all NAT configurations from the current ASA, including any ACLs associated with the Policy type NATs and NAT0 configurations.
    2. Divide NAT configurations based on type: Dynamic NAT/PAT, Static NAT, Static PAT, NAT0, All Policy Dynamic/Static NAT/PAT.
    3. Learn the basic configuration format for each type of NAT configuration.
    4. Start by converting the easiest NAT configurations: Dynamic NAT/PAT, Static NAT/PAT.
    5. Next convert the NAT0 configurations.
    6. And finally go through the Policy NAT/PAT configurations.
    7. Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common scenarios this basically usually only involves modifying the "outside" interface's ACL, but depending on whether the customer has some other links to external resources, it's highly likely that the same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
    For example
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize:
    1. Try out the ASA's automatic configuration conversion when simply booting to new software levels on the test ASA you have.
    2. Learn the new NAT configuration format.
    3. Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally, if I was looking at the same kind of upgrade (which I will probably be looking at again soon), I would personally do the following:
    1. Convert the configurations manually.
    2. Lab/test the configurations on a test ASA.
    3. During the failover pair's upgrade I would remove the Standby device from the network, erase its configurations, reboot it to the new software, and insert the manually written configurations.
    4. Put the upgraded ASA in the device rack and have cables ready connected to the customer devices if possible (or use existing ones).
    5. Disconnect the currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    6. Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working.
    Will add more later if anything comes to mind as its getting quite late here
    Hope this helps
    - Jouni

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
      I am having ASA 5520 in Active Standby failover configuration . I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site .
    Below is the process :
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    1. Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
       active#failover reload-standby
    3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
       active#no failover active
       Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    4. Reload the former active unit (now the new standby unit) by entering the reload command:
       newstandby#reload
    5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
       newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also, after the upgrade, are there any changes required after the IOS migration (i.e. are there any changes in the command line of 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that:
    Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to use any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma
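
The "verify that the standby unit is in the Standby Ready state" step of the procedure quoted above can be scripted as a gate before "no failover active" is entered. This is an added example, not part of the original posts or of Cisco's tooling; it parses text in the shape of the "show failover" output quoted earlier on this page, the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the "show failover" output quoted earlier
# on this page; addresses and counters are made up for the example.
SAMPLE_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 6 seconds
        This host: Primary - Active
                Active time: 206373 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                  Interface outside (192.0.2.1): Normal (Monitored)
                  Interface inside (10.1.70.1): Normal (Monitored)
                  Interface management (192.168.100.1): Normal (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Up)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(5)) status (Up Sys)
                  Interface outside (192.0.2.2): Normal (Monitored)
                  Interface inside (10.1.70.2): No Link (Waiting)
                  Interface management (192.168.100.2): Normal (Not-Monitored)
                slot 1: CXSC5515 hw/sw rev (N/A/9.3.2.1) status (Up/Down)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s*(\S+).*status \((.+)\)\s*$")


def parse_show_failover(text):
    """Split the output into global state plus one record per host."""
    result = {"enabled": False, "this": None, "other": None}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["enabled"] = True
        elif (m := HOST_RE.match(line)):
            current = {"unit": m.group(2), "state": m.group(3),
                       "interfaces": {}, "slots": {}}
            result[m.group(1).lower()] = current
        elif current is not None and (m := IFACE_RE.match(line)):
            current["interfaces"][m.group(1)] = m.group(3)
        elif current is not None and (m := SLOT_RE.match(line)):
            current["slots"][int(m.group(1))] = (m.group(2), m.group(3))
    return result


def blockers_before_switchover(parsed):
    """Reasons not to enter 'no failover active' yet; an empty list means go."""
    reasons = []
    if not parsed["enabled"]:
        reasons.append("failover is not enabled")
    this, other = parsed["this"], parsed["other"]
    if this is None or other is None:
        return reasons + ["could not find both 'This host' and 'Other host'"]
    if this["state"] != "Active":
        reasons.append(f"this unit is {this['state']}, check from the active unit")
    if other["state"] != "Standby Ready":
        reasons.append(f"peer is {other['state']}, not Standby Ready")
    # A monitored peer interface that is not Normal would fail again right
    # after the switchover, so report it even if the state line looks fine.
    for name, status in other["interfaces"].items():
        if "(Not-Monitored)" not in status and not status.startswith("Normal"):
            reasons.append(f"peer interface {name}: {status}")
    # A service module with a Down plane marks the whole unit as failed.
    for slot, (model, status) in other["slots"].items():
        if "Down" in status:
            reasons.append(f"peer slot {slot} ({model}): {status}")
    return reasons


if __name__ == "__main__":
    for reason in blockers_before_switchover(parse_show_failover(SAMPLE_OUTPUT)):
        print("BLOCKED:", reason)
```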

  • Cisco ASA 5520s in Cluster Outside interface stops sending traffic

    Hi,
    We are running a Pair of ASA 5520s in active/standby mode.  In the last couple days the active device will just stop communicating on the outside interface.  Because the rest of the interfaces are still up,  it will not fail over, so we have to fail it manually.  The secondary unit works and passes traffic correctly.  We then reboot the Primary. 
    Then after some undetermined time,  it happens again and we have to manually fail it the other way,  reboot the affected ASA and wait for it to happen again.
    We have a case with TAC but they have not been able to figure this one out.  Has anyone else seen this behavior?
    This is the version info:
    Cisco Adaptive Security Appliance Software Version 8.4(7)
    Device Manager Version 7.3(1)100
    Thanks

    Hi,
    There are various possibilities on the ASA device which might be causing this issue:-
    1) Block depletion
    2) Memory depletion
    Other things might be related to the external ISP as well.
    Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device.
    If you can share the output , i can have a look at it otherwise you can open a TAC case.
    Thanks and Regards,
    Vibhor Amrodia

  • ASA 5520 Activation Key Help

    Hi All,
    we recently installed an activation key for the Anyconnect License on our ASA 5520. We have a pair running, in Active/Standby mode, on IOS 8.0. The Activation/License was installed on the Primary ASA. Once installed, all the failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This caused havoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible? If so, how would I be able to achieve this? Or do I need to obtain a new license key? Ultimately I would like to get back to the stage before installing the Anyconnect License, where we had 2 ASAs running in Active/Standby mode.
    Thank you for your help and suggestions.
    Cheers
    Deena
    Output from sh activation-key detail and sh version:
    CH-ASA# sh act det
    Serial Number:  JMX1101K2SU
    Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Disabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This is a time-based license that will expire in 27 day(s).
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    The flash activation key is the SAME as the running key.
    CH-ASA# sh ver
    Cisco Adaptive Security Appliance Software Version 8.0(5)
    Device Manager Version 6.2(5)53
    Compiled on Mon 02-Nov-09 21:22 by builders
    System image file is "disk0:/asa805-k8.bin"
    Config file at boot was "startup-config"
    CH-ASA up 18 hours 30 mins
    Hardware:   ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is 0019.0665.6dfc, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0019.0665.6dfd, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0019.0665.6dfe, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0019.0665.6dff, irq 9
    4: Ext: Management0/0       : address is 0019.0665.6dfb, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    Serial Number: JMX1101K2SU
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    CH-ASA#

    If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
    Sent from Cisco Technical Support iPad App

  • Issues with IPSEC on active standby ASA 5545-X

    We have two 500 meg layer 2 links with ethernet presentation. Each end of these links connected to the outside interface of an ASA firewall in active standby. So four firewalls total. 
    When I configure an IPsec tunnel between them and fail over one end, the tunnel fails over correctly. When I fail over back to the primary, it stalls until manually cleared in the ASDM or CLI.
    I don't really understand why it works at all rather than just the first time, so I would appreciate some assistance. Is some sort of tracking required? I've attached a diagram which I hope helps.
    Running asa912-smp-k8.bin and asdm-713.bin

    GurjitSra
    Correct. In order to reload IPS without triggering failover you'll need to remove IPS inspection from policy-maps so that failover will not track IPS status.
    Johan.

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on Cisco ASA in failover active / standby mode?

    No, both units need the same hardware, that includes the installed modules.
    Sent from Cisco Technical Support iPad App

  • Configuring two 11g OID servers in High Availability mode.

    I have OID1 server where I have installed OID11g and WLS using SSL Port 3131 and Non SSL Port 3060. The ldap set up is working as the sqlnet connections are using ldap adapter to resolve the request.
    I have OID2 server where I have installed OID11g using the same port.
    Now, I want to setup a cluster for these two so that the the load balancer will automatically route the requests to either of the two servers so that if one is unavailable, the other will fill the request. I am following "Configuring High Availability for Identity Management Components" document, but it is not very what steps needs to be followed.
    Any suggestion will be appreciated;
    I am also having a problem using ldapbind or any of the oid commands as it gives "unable to locate message file: ldap<language>.msb" despite the fact that I am setting all the env vars such as ORACLE_HOME, ORACLE_INTANCE, ORA_NLS33 and so on.

    You don't need to setup a cluster for Load balancer. The Load balancer configuration can point to both the server and depending on the configuration in LBR act in failover and load balanced mode. All you need to take care of is that the two OID servers are using the same schema.
    When installing first OID server it gives a option to install in cluster mode and when installing the second server you can use the option to expand the cluster created in first installation. But that should not stop you from configuring OID in highly available mode using Load balancer as explained above.
    "unable to locate message file: ldap<language>.msb" occurs if you have not set the ORACLE_HOME variable. See that it is set to <MiddlewareHome>/Oracle_IDM1 if you have used the defaults.
    Hope this helps,
    Sagar

  • High availability on 2500

    Hello guys,
    I have an environment with 1 AIR-CT2504-K9 implemented.
    I'm trying to configure N+1 High Availability with AIR-CT2504-HA-K9 following this article:
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/N1_HA_Overview.html
    I configured the primary controller as the following:
    In the secondary controller (AIR-CT2504-HA-K9), i'm trying to configure the Redundancy > Global Configuration parameters, but the option "Redundancy" is not available on this controller. There is anything to be activated about the license to Redundancy option become available?
    The information that I have is saying that this WLC doesn't need license.
    Thank you in advance.
    Thiago Santos
    CCNA R&S
    CCNA Security

    Hi,
    Yes, it will work. But I will suggest you configure them separately and manually.
    Treat them as 2 separate WLCs.
    These WLCs are independent of each other and do not share configuration or IP addresses on any of their interfaces. Each WLC needs to be managed and configured separately.
    Simply configure your standby controller to match the wireless configuration on your primary, then add the standby information to the AP (Under High Availability). When the primary controller becomes unreachable, the AP moves to the standby.
    Once the first WLC goes down and the AP joins the 2nd WLC, then the automatic evalu license will start.
    Hope it helps.
    Regards
    Dont forget to rate helpful posts

  • Tuxedo and High Availability

    Can you provide some information on how Tuxedo can be configured in a high availability
    environment. Specifically running Tux 7.1 on AIX 4.3 with HACMP/ES. I am planning
    on running with a 'cascading N+1' configuration and have concerns over the ability
    of the standby node to take over a failed node successfully due to config dependencies
    on the machine name. Is there a white paper detailing use of Tux in a high availability
    environment ?

    Found the answers and thought would share it.
    1. Can load balancing be achieved in MP setup or is this a high availability configuration?
    Both - MP supports load balancing and high availability
    2. In an MP setup, can a workstation client continue to work even after the master node gets migrated? If so, can we have both (or all nodes and their WSL) listed in WSNADDR for this to happen
    Correct.
