Cisco ASA Failover Configuration
This tutorial is for configuring Cisco ASA Failover into Active/Standby mode, assuming your primary Cisco ASA is configured and working.
Primary Cisco ASA
Setup your failover interface on Primary Cisco ASA
enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown
Assign the failover IP Address on your Primary Cisco ASA
failover lan interface FAILOVER gigabitethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
Assign standby Outside IP Address on Primary Cisco ASA
Assign the standby external IP address by appending “standby {SECONDARY ASA IP ADDRESS}” to the interface's ip address command:
interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
Assign standby Internal IP Address on Primary Cisco ASA
Assign the internal IP address the same way as the external one, with “standby {SECONDARY ASA IP ADDRESS}” appended:
interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
Enable monitoring on SubInterfaces on Primary Cisco ASA (optional)
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.
monitor-interface if_name
You can turn off monitoring of the management interface:
no monitor-interface management
Enable failover
conf t
failover
Verify your Cisco ASA Failover
show failover
Secondary Cisco ASA
Setup failover interface on Secondary Cisco ASA
config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3
Assign the failover IP address on the Secondary ASA using the FAILOVER interface, then enable failover:
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover
Automatic Configuration Copy from Primary to Secondary Cisco ASA
Once the failover interface on the secondary unit is brought up, the configuration is automatically copied from the primary Cisco ASA to the secondary Cisco ASA; the only commands needed on the secondary are:
config t
interface gigabitEthernet 0/3
no shutdown
Verify your Cisco ASA Failover
show failover
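As an added check (example code written for this page, not part of the original tutorial or of Cisco's software), the following Python parses the text of `show failover` from either unit and reports anything that should not appear on a healthy Active/Standby pair: failover disabled, the failover link down, unit states other than Active and Standby Ready, or a monitored interface that is not Normal. The two sample outputs are constructed to mimic the ASA layout using the addresses from this tutorial; the regexes are assumptions about that layout and should be adjusted against a real capture.

```python
import re

# Constructed sample of `show failover` output, trimmed to the lines this
# check relies on. It mimics the ASA layout but is not a real capture.
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface outside (1.1.1.1): Normal (Monitored)
                  Interface inside (172.16.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (1.1.1.2): Normal (Monitored)
                  Interface inside (172.16.10.2): Normal (Monitored)
"""

# Constructed sample of a degraded pair: the peer has failed and one of its
# monitored interfaces is down, another is still waiting for hellos.
SAMPLE_DEGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
        This host: Primary - Active
                  Interface outside (1.1.1.1): Normal (Monitored)
                  Interface inside (172.16.10.1): Normal (Monitored)
        Other host: Secondary - Failed
                  Interface outside (1.1.1.2): Failed (Monitored)
                  Interface inside (172.16.10.2): Normal (Waiting)
"""

# Assumed line layouts (see lead-in): header line for the LAN link, one
# "This/Other host:" line per unit, then indented per-interface lines.
LINK_RE = re.compile(r"^\s*Failover LAN Interface:\s+(\S+)\s+(\S+)\s+\(([\w-]+)\)")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\):\s+(\w[\w ]*?)\s+\(([\w-]+)\)\s*$")


def parse_show_failover(text):
    """Extract failover state, LAN link state and per-unit interface status."""
    result = {"failover_on": False, "lan_link": None, "hosts": {}}
    current = None  # which unit the following interface lines belong to
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover_on"] = True
            continue
        m = LINK_RE.match(line)
        if m:
            result["lan_link"] = {"name": m.group(1), "interface": m.group(2), "state": m.group(3)}
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            result["hosts"][current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "monitoring": m.group(4)}
            )
    return result


def check_failover_health(text):
    """Return a list of findings; an empty list means the pair looks healthy."""
    info = parse_show_failover(text)
    findings = []
    if not info["failover_on"]:
        findings.append("failover is not enabled")
    link = info["lan_link"]
    if link is None:
        findings.append("no failover LAN interface reported")
    elif link["state"] != "up":
        findings.append(f"failover link {link['name']} is {link['state']}")
    # Exactly one Active and one Standby Ready unit is the expected steady state.
    states = sorted(h["state"] for h in info["hosts"].values())
    if states != ["Active", "Standby Ready"]:
        findings.append(f"unexpected unit states: {states}")
    for which, host in info["hosts"].items():
        for iface in host["interfaces"]:
            if iface["monitoring"] == "Monitored" and iface["status"] != "Normal":
                findings.append(f"{which} host interface {iface['name']} ({iface['ip']}) is {iface['status']}")
            elif iface["monitoring"] not in ("Monitored", "Not-Monitored"):
                findings.append(f"{which} host interface {iface['name']} monitoring state is {iface['monitoring']}")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(label, check_failover_health(sample) or "OK")
```

Run it after the `show failover` step on either unit (paste the real output in place of the samples); wiring it into a scheduled check turns the manual verification into an alert when the standby silently drops to Failed.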
Cisco ASA: http://www.cisco.com/en/US/products/ps6120/index.html
Wonderful configuration. Thanks for it.
Could you please let me know the role of the SCPS protocol (105) in ASA failover?
The active and standby firewalls determine a failure by sending hello messages to each other at regular intervals (every 15 seconds by default). These messages are sent over the failover cable (if present) or the LAN-based failover interface to detect failures of an entire firewall. The hellos are also sent on all interfaces configured for failover so that the firewall peer can determine the health of each interface. These messages are sent as short packets using IP protocol 105.
http://my.safaribooksonline.com/9781587054570/480
Many Thanks for your quick response.
I searched a lot about protocol 105 but didn’t get much info on it.
Could you please provide me with the header details and other details of protocol 105?
Wikipedia references this document: http://public.ccsds.org/publications/archive/714x0b2.pdf
http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers The scps.org site is down.
Thanks a lot...
Scps.org has not been working for a long time. Anyway, I will go through the doc.