How to Configure Cisco ASA Failover into Active/Standby Mode?
In this article we share how to configure Cisco ASA failover in Active/Standby mode. It assumes that your primary Cisco ASA is already configured and passing traffic, and that the secondary unit is the same model with the same interfaces and the same software image, which failover requires.
Primary Cisco ASA
Set up the failover interface on the primary Cisco ASA
enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown
Name the failover interface, assign its IP addresses and protect the link on the primary Cisco ASA
failover lan interface FAILOVER gigabitethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
The failover key matters: without it (or the IPsec option described further down) everything exchanged over the failover and stateful failover links, including the replicated configuration with its passwords and VPN pre-shared keys, crosses the wire in clear text. Run the link over a direct cable or an isolated VLAN. The last line reuses the FAILOVER interface as the stateful failover link, so connection state is synchronized over the same cable.
Assign the standby outside IP address on the primary Cisco ASA
Append "standby {SECONDARY ASA IP ADDRESS}" to the existing ip address command on the outside interface. The standby address is used by whichever unit is currently in the standby role, so it must be in the same subnet as the active address and must not be in use by another host.
interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
Assign the standby inside IP address on the primary Cisco ASA
Do the same for the inside interface, again with "standby {SECONDARY ASA IP ADDRESS}".
interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
Enable monitoring on subinterfaces on the primary Cisco ASA (optional)
By default, monitoring is enabled on physical interfaces and disabled on subinterfaces. You can monitor up to 250 interfaces on a unit. Which interfaces influence the failover decision is under your control: disable monitoring on some interfaces and enable it on others, so that interfaces attached to less critical networks cannot trigger a failover.
monitor-interface if_name
You can also turn off monitoring of the management interface (here the interface whose nameif is management):
no monitor-interface management
Enable failover
conf t
failover
Verify your Cisco ASA Failover
show failover
Secondary Cisco ASA
Set up the failover interface on the secondary Cisco ASA
config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3
Assign the failover IP addresses on the secondary ASA. The command is identical to the one entered on the primary: the first address is always the primary unit's and the standby address is the secondary unit's, and the role set with failover lan unit decides which one this unit uses.
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover
Automatic configuration copy from the primary to the secondary Cisco ASA
Once failover is enabled on the secondary unit and the failover link comes up, the active (primary) unit replicates its running configuration to the secondary automatically; you do not enter the interface, NAT, access list or VPN configuration a second time. From then on, make changes only on the active unit: commands entered on the standby unit are not replicated back, and write memory on the active unit saves the configuration to the startup configuration of both units. Replication cannot start while the failover interface on the secondary is shut down, so make sure it is up:
config t
interface gigabitEthernet 0/3
no shutdown
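Most pairs that refuse to synchronize suffer from a small configuration slip: a typo in the failover interface ip line, a nameif left on the failover interface, a named interface without a standby address, or a failover link with no key. Linting the running configuration before you type failover catches these. The Python script below is an added example, not part of this article and not a Cisco tool; it expects show running-config text, where interface names are normalized, and the sample configuration inside it is constructed from the addresses used above, with the inside standby address and the failover key deliberately left out so the audit has something to report. It serves both the primary/secondary procedure above and the generic command list further down.

```python
import ipaddress
import re

# Constructed sample: the primary unit's configuration from this article as it
# would appear in `show running-config` (added example, not output from a real
# device). The inside standby address and the failover key are left out on
# purpose so the audit below has something to find.
SAMPLE_RUNNING_CONFIG = """\
hostname asa-primary
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
"""

# The same configuration with both defects fixed (the ASA masks the key as
# ***** in show output).
HARDENED_RUNNING_CONFIG = SAMPLE_RUNNING_CONFIG.replace(
    " ip address 172.16.10.1 255.255.255.0\n",
    " ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2\n",
) + "failover ipsec pre-shared-key *****\n"


def parse_interfaces(config):
    """Map each interface block to its nameif and ip address fields.

    The ASA prints interface sub-commands indented by one space, so a block
    ends at the first non-indented line.
    """
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {}
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if parts[0] == "nameif" and len(parts) > 1:
                interfaces[current]["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                interfaces[current]["ip"], interfaces[current]["mask"] = parts[2], parts[3]
                if "standby" in parts:
                    interfaces[current]["standby"] = parts[parts.index("standby") + 1]
        else:
            current = None
    return interfaces


def audit_failover_config(config):
    """Return a list of findings; an empty list means the failover-related
    parts of the configuration look consistent."""
    findings = []
    interfaces = parse_interfaces(config)

    if "failover" not in config.splitlines():
        findings.append("failover is not enabled (no bare 'failover' line)")
    if not re.search(r"^failover lan unit (primary|secondary)$", config, re.M):
        findings.append("unit role not set: add 'failover lan unit primary|secondary'")

    lan = re.search(r"^failover lan interface (\S+) (\S+)$", config, re.M)
    if not lan:
        findings.append("no 'failover lan interface' configured")
    else:
        fo_name, fo_if = lan.groups()
        # The failover link is not a data interface: it must not carry a nameif.
        if "nameif" in interfaces.get(fo_if, {}):
            findings.append(f"failover interface {fo_if} must not carry a nameif")
        ip = re.search(
            rf"^failover interface ip {re.escape(fo_name)} (\S+) (\S+) standby (\S+)$",
            config, re.M)
        if not ip:
            findings.append(f"no 'failover interface ip {fo_name} ...' line (check for typos)")
        else:
            active, mask, standby = ip.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                findings.append(f"standby failover address {standby} is not in {net}")

    # Without a key (or IPsec) the replicated configuration, including passwords
    # and VPN pre-shared keys, crosses the failover link in clear text.
    if not re.search(r"^failover (key|ipsec pre-shared-key) ", config, re.M):
        findings.append("failover link is unencrypted: add 'failover ipsec pre-shared-key' "
                        "(or 'failover key')")

    # A named interface without a standby address cannot be health-tested on the
    # standby unit; the ASA can only watch its link state.
    for if_id, attrs in interfaces.items():
        if "nameif" in attrs and "ip" in attrs and "standby" not in attrs:
            findings.append(f"{if_id} ({attrs['nameif']}) has no standby IP address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as typed", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        print(f"{label}: {audit_failover_config(cfg) or ['OK']}")
```

Run it against the output of show running-config from each unit before enabling failover; because the secondary receives the primary's configuration, both copies should produce the same (empty) list once the pair has synchronized.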
Verify your Cisco ASA failover on either unit
show failover
In the output, the first line should read "Failover On", one host should report "Active" and the other "Standby Ready", every monitored interface should show "Normal (Monitored)", and the "Version" line should show the same software on both units.
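Reading show failover by eye is fine for one pair, but a monitoring check or a change-window script should decide "healthy or not" mechanically. The Python below is an added example, not output or code from this article: it reduces the report to the lines that matter (Failover On, the Version line, each host's role and state, and the per-interface states under each host) and returns a list of problems. Both transcripts inside it are constructed; the layout follows the ASA's report, but the versions, addresses and times are invented.

```python
import re

# Constructed `show failover` output for a healthy Active/Standby pair. The
# layout follows the ASA's report; versions, addresses and timestamps are
# invented (added example, not output captured from the article's devices).
HEALTHY_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 9.1(7), Mate 9.1(7)
Last Failover at: 10:02:11 UTC Mar 12 2016
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface outside (1.1.1.1): Normal (Monitored)
                  Interface inside (172.16.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (1.1.1.2): Normal (Monitored)
                  Interface inside (172.16.10.2): Normal (Monitored)
"""

# The same pair after the secondary lost its inside link while running a
# different image: the shape of the report when the mate is unhealthy.
DEGRADED_SHOW_FAILOVER = (
    HEALTHY_SHOW_FAILOVER
    .replace("Mate 9.1(7)", "Mate 9.1(6)")
    .replace("Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")
    .replace("Interface inside (172.16.10.2): Normal (Monitored)",
             "Interface inside (172.16.10.2): Failed (Waiting)")
)

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


def parse_show_failover(text):
    """Reduce `show failover` output to a dict: failover flag, (ours, mate)
    versions, and per-host role/state with the interfaces listed under it."""
    status = {"failover_on": False, "versions": None, "hosts": {}}
    current = None  # "This" or "Other": whose interface block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            status["failover_on"] = True
            continue
        m = VERSION_RE.match(line)
        if m:
            status["versions"] = m.groups()
            continue
        m = HOST_RE.match(line)
        if m:
            current, role, state = m.groups()
            status["hosts"][current] = {"role": role, "state": state, "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, addr, state = m.groups()
            status["hosts"][current]["interfaces"][name] = (addr, state)
    return status


def failover_problems(text):
    """Return human-readable problems; an empty list means failover is on,
    both units run the same software, one is Active and the other Standby
    Ready, and every monitored interface reports Normal."""
    status = parse_show_failover(text)
    problems = []
    if not status["failover_on"]:
        problems.append("failover is not enabled")
    if status["versions"] and status["versions"][0] != status["versions"][1]:
        problems.append("software version mismatch: ours %s, mate %s" % status["versions"])
    hosts = status["hosts"]
    for which in ("This", "Other"):
        if which not in hosts:
            problems.append(f"{which} host is missing from the output")
        elif hosts[which]["state"] not in ("Active", "Standby Ready"):
            problems.append(f"{which} host ({hosts[which]['role']}) is {hosts[which]['state']}")
    states = sorted(h["state"] for h in hosts.values())
    # Two "good" states that are the same (e.g. both Active) still mean trouble.
    if len(hosts) == 2 and all(s in ("Active", "Standby Ready") for s in states) \
            and states != ["Active", "Standby Ready"]:
        problems.append("both units report the same state: " + ", ".join(states))
    for which, host in hosts.items():
        for name, (addr, state) in host["interfaces"].items():
            if not state.startswith("Normal"):
                problems.append(f"{which} host interface {name} ({addr}) is {state}")
    return problems


if __name__ == "__main__":
    print("healthy :", failover_problems(HEALTHY_SHOW_FAILOVER) or ["OK"])
    print("degraded:", failover_problems(DEGRADED_SHOW_FAILOVER))
```

Feed it the text captured from show failover over SSH; a non-empty list is the condition to alert on, and the version-mismatch check is worth keeping on during upgrades, since a pair running different images will not synchronize state.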
More about ASA Failover Configuration
Step 1. Enter privileged EXEC mode.
asa>enable
Step 2. Enter global configuration mode.
asa#configure terminal
Step 3. Designate the ASA as the primary or secondary unit (the default is secondary).
asa(config)#failover lan unit {primary | secondary}
Step 4. Configure the interface that will be used as the failover link.
Notes: if_name assigns a name to the interface (do not use the nameif command on it). interface_id can be a physical interface, subinterface, redundant interface or EtherChannel interface ID; on the ASA 5505, interface_id specifies a VLAN ID.
asa(config)#failover lan interface if_name interface_id
Step 5. Configure the primary and secondary IP addresses of the failover link.
Note: both addresses must be in the same subnet.
asa(config)#failover interface ip if_name ip_address netmask standby ip_address
Step 6. Configure the interface that will be used as the stateful failover link.
Notes: if_name assigns a name to the interface; it is the same as the failover link if_name when the two are shared. interface_id can be a physical interface, subinterface, redundant interface or EtherChannel interface ID; on the ASA 5505, interface_id specifies a VLAN ID. This step is optional and is needed only if stateful failover is being configured.
asa(config)#failover link if_name interface_id
Step 7. Configure the primary and secondary IP addresses of the state link.
Note: this step is required only if the stateful failover link is a different interface from the failover link. If the two are shared, the addresses configured in Step 5 are used.
asa(config)#failover interface ip if_name ip_address netmask standby ip_address
Step 8. Configure IPsec on the failover links (failover and, if configured, stateful failover). Available in ASA 9.1(2) and later.
Notes: the key can be up to 128 characters long. This is the preferred method of encrypting the traffic on these links.
asa(config)#failover ipsec pre-shared-key key
Step 9. Or configure a failover key.
Notes: with the hex keyword the key is 32 hexadecimal characters; without it, a string of 1 to 63 characters. This is the older method and is not recommended in favor of the IPsec option in Step 8; if both are configured, IPsec is used.
asa(config)#failover key {hex key | key}
Step 10. Create a failover group.
Notes: by default, group 1 is assigned to the primary unit (as designated in Step 3). This command is used only when configuring Active/Active failover.
asa(config)#failover group {1 | 2}
Step 11. Assign the group to a unit.
Notes: typically group 1 is assigned to the primary unit (the default) and group 2 to the secondary unit. This command is used only when configuring Active/Active failover.
asa(config-fover-group)#primary
asa(config-fover-group)#secondary
Step 12. Enter context configuration mode.
Note: this command is used only when configuring Active/Active failover.
asa(config)#context name
Step 13. Configure the context as a member of a failover group.
Notes: all unassigned contexts are placed in failover group 1, and the admin context is always in failover group 1. This command is used only when configuring Active/Active failover.
asa(config-ctx)#join-failover-group {1 | 2}
Step 14. Enable failover on the ASA.
asa(config)#failover