ASA config confusion

rajitoor55
Level 1

First, I am new to ASA. Second, I have come across this configuration where 2 x 5525 ASAs are set up in active/standby. But I am a little confused about how this is set up. For the active unit I SSH to 10.0.0.24 and for the standby to 10.0.0.23.

Both the active and standby ASAs have exactly the same IP configuration when I check with sh run or ASDM. To confirm I was on different devices I did sh log and the results were different. Is this a correct configuration? Some explanation please. Thanks

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.0.0.24 255.255.255.248 standby 20.0.0.28
!
interface GigabitEthernet0/1
 description inside vlan 5
 nameif inside
 security-level 100
 ip address 10.0.1.21 255.255.255.0 standby 10.0.1.22
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.24 255.255.255.0 standby 10.0.0.23


4 Replies

David paull
Level 1

When the primary ASA fails over and becomes standby, the secondary ASA becomes primary. The interface then assumes the IP of 10.0.0.24.

You'll see a failover in your syslog and you'll see MAC address changes -- because obviously the NICs have different MAC addresses. But the routes, the IP, etc. stay the same.

--

You can do "show failover"

and you should see something along the lines of "This unit is primary active." or "this unit is secondary standby" etc.

You can also set your prompts to display something along the lines of devicexx\pri\active: that way as soon as you log in, if a failover occurred you would see devicexx\sec\active and know something was wrong.

Kamal Malhotra
Cisco Employee

When we talk about ASA failover, we need to understand 4 terms:

Primary
Secondary
Active
Standby

Primary and Secondary are what we configure, and Active and Standby is what the failover decides. So, we could have the following combinations:

Primary - Active, Secondary - Standby
Primary - Standby, Secondary - Active

For failover on Cisco ASAs to work successfully, the configuration, hardware, licenses etc. have to be the same. Otherwise the FO breaks. Therefore you see the same IP addressing on both. Which ASA will have which IP is governed by the following command:

ip address 10.0.0.24 255.255.255.0 standby 10.0.0.23

Please note whichever box is active (whether primary or secondary) will have the first IP address and the other will have the standby IP address.

Hope that helps answer the queries.
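The rule Kamal describes (the first address follows whichever unit is Active, the standby address follows whichever is Standby, independent of Primary/Secondary) can be checked mechanically. The script below is an added example written for this thread; it is not Cisco code and not from any poster. It parses the interface stanzas quoted in the question (embedded as constructed sample input), checks that each active/standby pair is distinct and in the same subnet, reads the unit role from a "This host: Primary - Active" line (the exact wording of that show failover line is an assumption here), and reports which address each unit currently answers on.

```python
import ipaddress
import re

# Constructed sample input: the interface stanzas quoted in the question,
# with the "!" separators restored. Not captured from a live device.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.0.0.24 255.255.255.248 standby 20.0.0.28
!
interface GigabitEthernet0/1
 description inside vlan 5
 nameif inside
 security-level 100
 ip address 10.0.1.21 255.255.255.0 standby 10.0.1.22
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.24 255.255.255.0 standby 10.0.0.23
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
# Assumed format of the role line in "show failover" output.
HOST_RE = re.compile(r"This host:\s*(Primary|Secondary)\s*-\s*(Active|Standby)")


def parse_interfaces(config):
    """Map nameif -> (active_ip, netmask, standby_ip) for every interface
    stanza that carries an 'ip address ... standby ...' line."""
    interfaces = {}
    nameif, addr = None, None
    for line in config.splitlines() + ["!"]:  # sentinel closes the last stanza
        if line.startswith("interface ") or line.strip() == "!":
            if nameif and addr:
                interfaces[nameif] = addr
            nameif, addr = None, None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IP_RE.match(line)
        if m:
            addr = m.groups()
    return interfaces


def check_pair(interfaces):
    """Checks a failover pair's addressing must satisfy: on each interface the
    active and standby addresses are distinct and lie in the same subnet."""
    problems = []
    for name, (active, mask, standby) in interfaces.items():
        net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
        if active == standby:
            problems.append(f"{name}: active and standby address are identical")
        if ipaddress.IPv4Address(standby) not in net:
            problems.append(f"{name}: standby {standby} is outside {net}")
    return problems


def unit_role(show_failover_output):
    """Return (unit, state), e.g. ('Primary', 'Active'), from the
    'This host:' line of 'show failover' output."""
    m = HOST_RE.search(show_failover_output)
    if not m:
        raise ValueError("no 'This host:' line found")
    return m.group(1), m.group(2)


def addresses_for(interfaces, state):
    """Which address a unit answers on given its current state: the Active
    unit owns the first address and the Standby unit the 'standby' address,
    whether that unit is Primary or Secondary."""
    idx = 0 if state == "Active" else 2
    return {name: addr[idx] for name, addr in interfaces.items()}


if __name__ == "__main__":
    ifaces = parse_interfaces(ASA_CONFIG)
    for problem in check_pair(ifaces):
        print("WARNING:", problem)
    # Constructed 'show failover' fragment for the box reached at 10.0.0.24.
    unit, state = unit_role("Failover On\nThis host: Primary - Active\n")
    print(f"Logged in to the {unit} unit, currently {state}")
    for name, ip in addresses_for(ifaces, state).items():
        print(f"  {name:<11} {ip}")
```

Run it as-is to see the Active unit mapped to 10.0.0.24, 10.0.1.21 and 20.0.0.24; feed "This host: Secondary - Active" instead and the same addresses are reported, which is the point of the reply above: the address follows the Active role, not the Primary/Secondary label.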

The original poster asks if this is a correct configuration. The answer is that yes, this is a correct configuration for an active/standby pair of ASAs. One thing that might help understand this is that both ASAs share the same config file when they operate as an active/standby failover pair. So the configuration must specify an IP address for the active ASA and also an IP address for the standby.

It can be confusing when you log in to an ASA that is in an active/standby pair, since both ASAs will have exactly the same host name and therefore the same prompt. I find using the command show standby to be very helpful in figuring out which ASA I am on. I also advocate changing the prompt so that it identifies the device's current role in the standby pair.

HTH

Rick

rajitoor55
Level 1

Thanks everyone... I was thinking of it along the lines of HSRP, but it's a little different. I would not know until I watched some videos to understand the concept behind it.
