Cisco ASA Failover Configuration


This tutorial is for configuring Cisco ASA Failover into Active/Standby mode, assuming your primary Cisco ASA is configured and working.

Primary Cisco ASA

Set up your failover interface on Primary Cisco ASA

enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown

Assign the failover IP Address on your Primary Cisco ASA

failover lan interface FAILOVER gigabitethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER

Assign standby Outside IP Address on Primary Cisco ASA

Assign your Cisco ASA standby External IP Address, add “standby {SECONDARY ASA IP ADDRESS}”

interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

Assign standby Internal IP Address on Primary Cisco ASA

Assign Internal IP Address as you did for the External IP Address with the “standby {SECONDARY ASA IP ADDRESS}”

interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

Enable monitoring on SubInterfaces on Primary Cisco ASA (optional)

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

monitor-interface if_name

You can turn off monitoring the management interface:

no monitor-interface management

Enable failover

conf t
failover

Verify your Cisco ASA Failover

show failover

Secondary Cisco ASA

Set up failover interface on Secondary Cisco ASA

config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3

Assign your failover IP Address on Secondary ASA using FAILOVER

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover

Automatic Configuration Copy from Primary to Secondary Cisco ASA

The device configuration is automatically copied from the primary Cisco ASA to the secondary Cisco ASA once the failover interface is up; bring it up with the following commands:

config t
interface gigabitEthernet 0/3
no shutdown

Verify your Cisco ASA Failover

show failover
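As an added check for the two "show failover" verification steps above (not part of the original tutorial): a small Python parser over a constructed sample of "show failover" output that flags the conditions a healthy Active/Standby pair should not show. The output layout is assumed from common ASA releases and may differ on yours.

```python
import re
# Constructed sample "show failover" output (not from a real device), using this tutorial's addresses.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
        This host: Primary - Active
                Interface outside (1.1.1.1): Normal (Monitored)
                Interface inside (172.16.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Interface outside (1.1.1.2): Normal (Monitored)
                Interface inside (172.16.10.2): Normal (Monitored)
"""
HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?")
def parse_show_failover(text):
    """Return failover flag, failover-link state and per-host state/interfaces."""
    result = {"failover_on": False, "link_up": False, "hosts": {}}
    current = None  # "this" or "other", set once a host header line is seen
    for line in text.splitlines():
        if line.startswith("Failover On"):
            result["failover_on"] = True
        elif line.startswith("Failover LAN Interface:"):
            result["link_up"] = line.rstrip().endswith("(up)")
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:  # per interface: (status, monitoring), e.g. ("Normal", "Monitored")
            result["hosts"][current]["interfaces"][m.group(1)] = (m.group(3), m.group(4) or "Not-Monitored")
    return result

def failover_problems(text):
    """List the problems a healthy Active/Standby pair must not show; [] means OK."""
    st = parse_show_failover(text)
    problems = []
    if not st["failover_on"]:
        problems.append("failover is not enabled")
    if not st["link_up"]:
        problems.append("failover LAN interface is not up")
    states = {h: v["state"] for h, v in st["hosts"].items()}
    if sorted(states.values()) != ["Active", "Standby Ready"]:  # exactly one of each
        problems.append("unexpected unit states: %s" % states)
    for host, v in st["hosts"].items():
        for name, (status, mon) in v["interfaces"].items():
            if mon == "Monitored" and status != "Normal":
                problems.append("%s host interface %s is %s" % (host, name, status))
    return problems
```

Run failover_problems() over the output you paste from either unit; any non-empty list means the pair is not ready to take a failover.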

Cisco ASA: http://www.cisco.com/en/US/products/ps6120/index.html

Guest

Wonderful configuration. Thanks for it.

vishal

Could you please let me know the role of the SCPS protocol (105) in ASA failover?

nstojanoski

The active and standby firewalls determine a failure by sending hello messages to each other at regular intervals (every 15 seconds by default). These messages are sent over the failover cable (if present) or the LAN-based failover interface to detect failures of an entire firewall. The hellos are also sent on all interfaces configured for failover so that the firewall peer can determine the health of each interface. These messages are sent as short packets using IP protocol 105.

http://my.safaribooksonline.com/9781587054570/480

vishal

Many Thanks for your quick response.
I searched a lot about protocol 105 but didn’t get much info on it.
Could you please provide me header details and other details of 105 protocol.

nstojanoski

vishal

Thanks a lot……
Scps.org has not been working for a long time. Anyway, I will go through the doc.
