Cisco ASA Failover Configuration


This tutorial is for configuring Cisco ASA Failover into Active/Standby mode, assuming your primary Cisco ASA is configured and working.

Primary Cisco ASA

Setup your failover interface on Primary Cisco ASA

enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown

Assign the failover IP Address on your Primary Cisco ASA

failover lan interface FAILOVER gigabitethernet0/3
failover interfaces ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER

Assign standby Outside IP Address on Primary Cisco ASA

Assign your Cisco ASA standby External IP Address, add “standby {SECONDARY ASA IP ADDRESS}”

interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

Assign standby Internal IP Address on Primary Cisco ASA

Assign Internal IP Address as you did for the External IP Address with the “standby {SECONDARY ASA IP ADDRESS}”

interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

Enable monitoring on SubInterfaces on Primary Cisco ASA (optional)

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

monitor-interface if_name

You can turn off monitoring the management interface:

no monitor management

Enable failover

conf t
failover

Verify your Cisco ASA Failover

show failover

Secondary Cisco ASA

Setup failover interface on Secondary Cisco ASA

config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3

Assign your failover IP Address on Secondary ASA using FAILOVER

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover

Automatic Configuration Copy from Primary to Secondary Cisco ASA

The device configurations are automatically copied from the primary Cisco ASA device to the secondary Cisco ASA device using the following commands:

config t
interface gigabitEthernet 0/3
no shutdown

Verify your Cisco ASA Failover

show failover

Cisco ASAhttp://www.cisco.com/en/US/products/ps6120/index.html



Subscribe
Notify of
guest
6 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Guest
Guest
6 years ago

Wonderful configuration..Thanks for it

vishal
vishal
6 years ago

Could please let me know the role of SCPS protocol (105) in ASA failover?

nstojanoski
nstojanoski
6 years ago
Reply to  vishal

The active and standby firewalls determine a failure by sending hello messages to each other at regular intervals (every 15 seconds by default). These messages are sent over the failover cable (if present) or the LAN-based failover interface to detect failures of an entire firewall. The hellos are also sent on all interfaces configured for failover so that the firewall peer can determine the health of each interface. These messages are sent as short packets using IP protocol 105.

http://my.safaribooksonline.com/9781587054570/480

vishal
vishal
6 years ago
Reply to  nstojanoski

Many Thanks for your quick response.
I searched a lot about protocol 105 but didn’t get much info on it.
Could you please provide me header details and other details of 105 protocol.

nstojanoski
nstojanoski
6 years ago
Reply to  vishal
vishal
vishal
6 years ago
Reply to  nstojanoski

Thanks a lot……
Scps.org is not working for long time. Anyway I will go through the doc.

Advertisement