Cisco & Cisco Network Hardware News and Technology

How to Configure Cisco ASA Failover into Active/Standby Mode?

January 10 2014, Written by Cisco & Cisco Router, Network Switch. Published on #Cisco Switches - Cisco Firewall

This article shows how to configure Cisco ASA failover in Active/Standby mode. It assumes that your primary Cisco ASA is already configured and working.

Primary Cisco ASA

Set up your failover interface on Primary Cisco ASA

enable

config t

failover lan unit primary

interface gigabitEthernet 0/3

no shutdown

Assign the failover IP Address on your Primary Cisco ASA

failover lan interface FAILOVER gigabitethernet0/3

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2

failover key YourSecretKey

failover link FAILOVER

Assign standby Outside IP Address on Primary Cisco ASA

To assign the standby external IP address, append “standby {SECONDARY ASA IP ADDRESS}” to the interface's ip address command.

interface gigabitEthernet 0/0

ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

Assign standby Internal IP Address on Primary Cisco ASA

Assign the standby internal IP address the same way as the external one, by appending “standby {SECONDARY ASA IP ADDRESS}”.

interface gigabitEthernet 0/1

ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

Enable monitoring on SubInterfaces on Primary Cisco ASA (optional)

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

monitor-interface if_name

You can turn off monitoring the management interface:

no monitor-interface management

Enable failover

conf t

failover

Verify your Cisco ASA Failover

show failover

Secondary Cisco ASA

Set up failover interface on Secondary Cisco ASA

config t

no failover

failover lan unit secondary

interface gigabitEthernet 0/3

no nameif

no shutdown

failover lan interface FAILOVER gigabitEthernet0/3

Assign your failover IP Address on Secondary ASA using FAILOVER

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2

failover key YourSecretKey

failover link FAILOVER

failover

Automatic Configuration Copy from Primary to Secondary Cisco ASA

The device configuration is copied automatically from the primary Cisco ASA to the secondary Cisco ASA once the failover interface is brought up with the following commands:

config t

interface gigabitEthernet 0/3

no shutdown

Verify your Cisco ASA Failover

show failover

More about ASA Failover Configuration

Enter privileged EXEC mode.

asa>enable

Enter global configuration mode.

asa#configure terminal

Designate the ASA as the primary or secondary unit (default is secondary).

asa(config)#failover lan unit [primary | secondary]

Configure the ASA link that will be used as the failover link.

Notes: The if_name is used to assign the name of the interface (don't use the nameif command).

The interface_id can be a physical interface, subinterface, or redundant interface; or an EtherChannel interface ID. On the ASA 5505, the interface_id specifies a VLAN ID.

asa(config)#failover lan interface if_name interface_id

Configure the primary and secondary IP addresses.

Note: Both the primary and secondary IP addresses must be in the same subnet.

asa(config)#failover interface ip if_name ip_address netmask standby ip_address

Configure the ASA link that will be used as the stateful failover link.

Notes: The if_name is used to assign the name of the interface; this is the same as the failover link if_name if they are being shared. The interface_id can be a physical interface, subinterface, or redundant interface; or an EtherChannel interface ID. On the ASA 5505, the interface_id specifies a VLAN ID. This command is optional and is required only if stateful failover is being configured.

asa(config)#failover link if_name interface_id

Configure the primary and secondary IP address for the state interface.

Note: This step is required only if the link that is being used for the stateful failover link is different from the failover link. If it is being shared with the failover link, the information configured in Step 5 is used.

asa(config)#failover interface ip if_name ip_address netmask standby ip_address

Configure the use of IPsec on the LAN-to-LAN failover links (failover and stateful failover, if configured).

Notes: The key parameter can be up to 128 characters in length. This is the preferred method to be used to encrypt information over these links.

OR Configure a failover key.

Notes: The key parameter when used with the hex keyword is 32 characters. Without the hex keyword, it can be a string from 1 to 63 characters. This is a deprecated method of encrypting these links and is not recommended; the IPsec option above is preferred.

asa(config)#failover key {hex key | key}

Create a failover group.

Notes: By default, group 1 is assigned to the primary failover unit (as configured in Step 3).

This command is used only when configuring an active/active failover.

asa(config)#failover group {2}

Assign the group to a unit.

Notes: Typically, group 1 is assigned to the primary unit (the default), and group 2 is assigned to the secondary unit. This command is used only when configuring active/active failover.

asa(config-fover-group)#primary OR asa(config-fover-group)#secondary

Enter context configuration mode.

Note: This command is used only when configuring active/active failover.

asa(config)#context name

Configure the context to be a member of a failover group.

Notes: All unassigned contexts are assigned into failover group 1. The admin context is always configured into failover group 1. This command is used only when configuring active/active failover.

asa(config-ctx)#join-failover-group {2}

Enable the use of failover on the ASA.

asa(config)#failover
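
An added example (not part of the original article, and not Cisco code): a small Python check that reads failover lines in the form shown in this article and flags a standby address outside the active address's subnet, an interface with no standby address, a missing unit role, use of the deprecated failover key, and failover left disabled. The function name, the sample text and the GigabitEthernet0/2 entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: this article's primary-unit lines plus an extra Gi0/2 without standby.
SAMPLE_CONFIG = """\
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
interface GigabitEthernet0/1
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
interface GigabitEthernet0/2
 ip address 192.168.50.1 255.255.255.0
failover
"""

# Matches both address forms used above; group 1 is set only for the failover link.
ADDR = re.compile(r"^\s*(?:failover interface ip (\S+)|ip address) "
                  r"(\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_failover(config):
    """Return a list of findings for an ASA failover configuration (assumed helper)."""
    findings, current_if = [], None
    lines = config.splitlines()
    for line in lines:
        if line.startswith("interface "):
            current_if = line.split()[1]
        m = ADDR.match(line)
        if not m:
            continue
        name = m.group(1) or current_if
        ip, mask, standby = m.group(2), m.group(3), m.group(4)
        if standby is None:
            findings.append(f"{name}: no standby address")
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby {standby} outside {net}")
    stripped = [l.strip() for l in lines]
    if not any(l.startswith("failover lan unit ") for l in stripped):
        findings.append("unit role not set (defaults to secondary)")
    if any(l.startswith("failover key ") for l in stripped):
        findings.append("failover key in use (deprecated method)")
    if "failover" not in stripped:
        findings.append("failover is not enabled")
    return findings
```

Call audit_failover() on the failover and interface lines of a saved configuration; an empty list means none of these checks fired.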
