ASA 8.4(6) in HA

Anukalp S
Level 1

 

Hi.

I am implementing ASA in failover mode, so I want your help to set it up. I have two 5525 ASAs, ver 8.4(6); both will be connected to the core switch.

I am a little bit confused: do I need to take a separate interface for failover on both ASAs, on which there will be no "nameif" and security level configuration? Or can I take the same interface for failover as well as with nameif "inside" & security level 100, through which my end users behind the ASA could reach the internet?

Please help.

Accepted Solutions

Hey so here is the explanation:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

You know that the ASA Active/Standby failover has a defined Primary ASA and a Secondary.

When you configure failover you define a Primary and a Standby with the "failover lan unit Primary or Secondary".

Then the ASA failover pair has two main roles that they perform, which are Active or Standby.

The "standby" address is only used for monitoring interface health and communication between the Primary IP and Secondary.

The only address that is used for routing through the failover pair is the first address defined on the interface command.

When failover occurs and the Secondary unit becomes active, it uses the primary IP and MAC address.

All this information is on the first link that I sent you, take the time to read it.

Value our effort and rate the assistance!
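An added example, not part of the original posts or of Cisco's documentation: a Python check run over a constructed primary-unit configuration that uses the address ranges proposed in the thread (192.168.80.40/30 for the failover link, 192.168.151.0/24 for inside). It confirms that the failover link is a dedicated interface without a nameif, that a failover key is set, and that each standby address shares a subnet with its active address; the interface numbers, the FOLINK name and the key placeholder are assumptions.

```python
import ipaddress
import re
# Constructed primary-unit config; interface numbers, FOLINK and the key are assumptions.
SAMPLE = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.151.1 255.255.255.0 standby 192.168.151.2
interface GigabitEthernet0/3
 no shutdown
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover key <FAILOVER-KEY-PLACEHOLDER>
failover interface ip FOLINK 192.168.80.41 255.255.255.252 standby 192.168.80.42
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
ADDR = re.compile(rf"ip address {IP} {IP}(?: standby {IP})?")
FO_IP = re.compile(rf"failover interface ip \S+ {IP} {IP}(?: standby {IP})?")

def pair_ok(ip, mask, standby):
    # The standby address must be set, differ from the active one and share its subnet.
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return bool(standby) and standby != ip and ipaddress.ip_address(standby) in net

def audit_failover(config):
    """Return findings for one unit's config; an empty list means it passed."""
    findings, blocks, glob, cur = [], {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())  # sub-command of the current interface
        else:
            cur = None
            glob.append(line)  # global command such as "failover ..."
    text = "\n".join(glob)
    link = m.group(1) if (m := re.search(r"failover lan interface \S+ (\S+)", text)) else None
    if link is None or any(l.startswith("nameif") for l in blocks.get(link, [])):
        findings.append("failover link missing or carries a nameif")
    if not ((fo := FO_IP.search(text)) and pair_ok(*fo.groups())):
        findings.append("failover interface ip: bad or missing standby address")
    if not re.search(r"^failover key \S+", text, re.M):
        findings.append("no failover key: failover traffic is sent in clear text")
    for name, body in blocks.items():
        named = name != link and any(l.startswith("nameif") for l in body)
        if named and not ((m := ADDR.search("\n".join(body))) and pair_ok(*m.groups())):
            findings.append(f"{name}: bad or missing standby address")
    return findings
```

Calling `audit_failover(SAMPLE)` returns an empty list; the secondary unit would carry the same lines with `failover lan unit secondary`.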

7 Replies

nkarthikeyan
Level 7

Hi Anukalp,

 

It is good to use the separate interface via a switch or a direct cross connectivity for Failover LAN.

 

Regards

Karthik

 

Hi.

It would be appreciated if you can post a failover config example on both the primary and secondary ASA.

You can take IP pool 192.168.80.40/30 for the failover interface and 192.168.151.0/24 for the inside interface.

Also, please tell me how the active ASA monitors the failover.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#lanbas

 

That doc is used for ASA and PIX.

Value our effort and rate the assistance!

Everything is on that document buddy but you need to take the time to read.

Value our effort and rate the assistance!

http://www.petenetlive.com/KB/Article/0000048.htm

 

That is a configuration example without understanding really how failover works, the first link educates you on how it works.

Value our effort and rate the assistance!

 

Hi Jumora,

Thanks a lot for this doc. It is very helpful. Since I will have direct connectivity using a crossover cable between the two ASAs, can I use a /30 subnet mask to assign the failover IPs, and do these IPs need to talk with my inside networks?

Also, I will put a default route from my core switch, so the next hop should be the active ASA inside IP. But if the active ASA fails, would I need to change the default route towards the secondary ASA?

Please also clear up this confusion.
