Cisco ASA Failover Configuration

This tutorial covers configuring Cisco ASA failover in Active/Standby mode. It assumes your primary Cisco ASA is already configured and working.

Primary Cisco ASA

Set up the failover interface on the Primary Cisco ASA

enable
config t
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown

Assign the failover IP Address on your Primary Cisco ASA

failover lan interface FAILOVER gigabitethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER

Assign standby Outside IP Address on Primary Cisco ASA

To assign the standby External IP Address, append “standby {SECONDARY ASA IP ADDRESS}” to the interface's ip address command.

interface gigabitEthernet 0/0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

Assign standby Internal IP Address on Primary Cisco ASA

Assign the Internal IP Address the same way as the External IP Address, appending “standby {SECONDARY ASA IP ADDRESS}”.

interface gigabitEthernet 0/1
ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

Enable monitoring on SubInterfaces on Primary Cisco ASA (optional)

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

monitor-interface if_name

You can turn off monitoring the management interface:

no monitor-interface management

Enable failover

conf t
failover

Verify your Cisco ASA Failover

show failover

Secondary Cisco ASA

Set up the failover interface on the Secondary Cisco ASA

config t
no failover
failover lan unit secondary
interface gigabitEthernet 0/3
no nameif
no shutdown
failover lan interface FAILOVER gigabitEthernet0/3

Assign your failover IP Address on Secondary ASA using FAILOVER

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key YourSecretKey
failover link FAILOVER
failover

Automatic Configuration Copy from Primary to Secondary Cisco ASA

The device configurations are automatically copied from the primary Cisco ASA device to the secondary Cisco ASA device using the following commands:

config t
interface gigabitEthernet 0/3
no shutdown

Verify your Cisco ASA Failover

show failover
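
An offline consistency check for the settings configured above, as an added example (not part of the original tutorial and not a Cisco tool). It assumes a saved configuration text in which the failover key is still readable; the helper names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample using this tutorial's values; Gi0/1 has no standby IP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
interface GigabitEthernet0/1
 ip address 172.16.10.1 255.255.255.0
failover
failover lan interface FAILOVER GigabitEthernet0/3
failover key YourSecretKey
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
"""

def check_pair(label, fields):  # fields: [ip, mask, "standby", standby_ip]
    if len(fields) < 4 or fields[2] != "standby":
        return f"{label}: no standby address"
    ip, standby = fields[0], fields[3]
    net = ipaddress.ip_network(f"{ip}/{fields[1]}", strict=False)
    if standby == ip or ipaddress.ip_address(standby) not in net:
        return f"{label}: standby {standby} is not a distinct host in {net}"
    return None

def audit_failover(config):
    """Hypothetical helper: list failover findings for a saved ASA config text."""
    findings, iface, seen = [], None, {}
    for raw in config.splitlines():
        w = raw.split()
        if w[:1] == ["interface"] and len(w) > 1:
            iface = w[1]
        elif w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][0].isdigit():
            findings.append(check_pair(iface, w[2:]))
        elif w[:3] == ["failover", "interface", "ip"] and len(w) >= 6:
            findings.append(check_pair(f"failover link {w[3]}", w[4:]))
        elif w[:1] == ["failover"]:
            seen[w[1] if len(w) > 1 else "enabled"] = w[2:]
    if "enabled" not in seen:
        findings.append("failover is not enabled")
    if "key" not in seen:  # without a key the failover link is unencrypted
        findings.append("no failover key: failover traffic is sent in clear text")
    elif seen["key"] == ["YourSecretKey"]:
        findings.append("failover key is still the tutorial placeholder")
    if "link" not in seen:
        findings.append("no failover link configured")
    return [f for f in findings if f]

if __name__ == "__main__":
    print("\n".join(audit_failover(SAMPLE_CONFIG)))
```

Run it against a configuration template before deployment; an empty result means every addressed interface has a standby address in its own subnet and the failover key, link and enable statements are present.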

Cisco ASA: http://www.cisco.com/en/US/products/ps6120/index.html