We have two identical ASAs. Both of them are connected to the Internet and the LAN.
Do not forget to upload the ASDM image to the secondary ASA.
Configuration of primary ASA
Configure Internet interface
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 172.20.1.5 255.255.255.0 standby 172.20.1.6
Configure LAN interface
ciscoasa(config-if)# int g0
ciscoasa(config-if)# ip address 172.20.2.2 255.255.255.0 standby 172.20.2.3
Configure failover interface
ciscoasa(config)# int g2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover lan interface fail-1 g2
ciscoasa(config)# failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2
Configure stateful interface
ciscoasa(config)# interface g3
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover link fail-2 g3
ciscoasa(config)# failover interface ip fail-2 2.2.2.1 255.255.255.252 standby 2.2.2.2
Configure shared key
ciscoasa(config)# failover key cisco
Configure HTTP session replication
ciscoasa(config)# failover replication http
Enable Primary mode
ciscoasa(config)# failover lan unit primary
Change the prompt so that it always shows which role this ASA has:
ciscoasa(config)# prompt hostname priority state
ciscoasa/pri/actNoFailover(config)#
Turn on failover:
ciscoasa/pri/actNoFailover(config)# failover
Verify
ciscoasa/pri/act(config)# show fail
Save config
ciscoasa/pri/act(config)# wr mem
Configuration of secondary ASA
Configure failover interface
ciscoasa(config)# int g2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover lan interface fail-1 g2
ciscoasa(config)# failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2
Configure shared key
ciscoasa(config)# failover key cisco
Configure mode
ciscoasa(config)# failover lan unit secondary
Enable failover
ciscoasa(config)# failover
Save config
ciscoasa/sec/stby(config)# wr mem
Now, if we turn off the primary ASA, the secondary will become active. If we then turn the primary ASA back on, it will come up as primary - standby. To make it active again, we can use the command:
ciscoasa/pri/stby(config)# failover active
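A pre-change check for the pair configured above, as an added example that is not part of the original post: it parses the failover commands planned for each unit and reports role, failover-link and shared-key problems, including a lab-style key such as `cisco`. The function names, the denylist and the minimum key length are assumptions.

```python
import re

# Constructed samples: the failover commands this page enters on each unit.
PRIMARY = """failover lan unit primary
failover lan interface fail-1 g2
failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover link fail-2 g3
failover interface ip fail-2 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover key cisco
failover replication http
failover"""
SECONDARY = """failover lan unit secondary
failover lan interface fail-1 g2
failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover key cisco
failover"""
WEAK_KEYS, MIN_LEN = {"cisco", "password", "failover", "123456"}, 12  # assumed policy

def parse(cfg):
    """Collect the settings both units must agree on before they can pair."""
    c = {"unit": None, "lan": None, "key": None, "ips": {}}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            c["unit"] = m[1]
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            c["lan"] = (m[1], m[2])  # (link name, physical interface)
        elif m := re.fullmatch(r"failover interface ip (\S+) (.+)", line):
            c["ips"][m[1]] = m[2]    # link name -> active/standby addressing
        elif m := re.fullmatch(r"failover key (\S+)", line):
            c["key"] = m[1]
    return c

def audit(primary_cfg, secondary_cfg):
    """Return findings for a failover pair; an empty list means no issues."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    lan = lambda c: (c["lan"], c["ips"].get(c["lan"][0]) if c["lan"] else None)
    found = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        found.append("unit roles are not primary/secondary")
    if None in lan(p) or lan(p) != lan(s):
        found.append("failover LAN interface or its addressing differs")
    if p["key"] != s["key"]:
        found.append("failover key mismatch")
    elif p["key"] is None:
        found.append("no failover key: failover traffic is sent in clear text")
    elif p["key"].lower() in WEAK_KEYS or len(p["key"]) < MIN_LEN:
        found.append("failover key is weak or a default-style value")
    return found
```

Run it against the commands you plan to enter rather than `show running-config` output, where the key is masked.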