Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
988
Views
0
Helpful
1
Replies

New ASA 5515x failover setup

ethutchinson
Level 1
Level 1

‎10-01-2014 05:10 AM - edited ‎03-11-2019 09:50 PM

Just an architecture setup question. We have purchased two 5515x ASA firewalls. I will be setting them up in a stateful failover setup. I know this sounds like a basic question but here goes. I am thinking we should get the first one working on my network and then install the failover ASA once the first one is working properly....? Any thoughts?

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎10-01-2014 05:30 AM

Hi,

 

Yes, you can just configure the single ASA first with the configurations and after its configurations are finished install the Secondary unit.

 

Naturally while you are configuring the Primary unit you should already setup the interfaces with a "standby" IP address under the interface configuration.

 

After you have setup the Primary ASA and made sure that for each of its interfaces/subinterfaces you have a L2 connection through the connecting networking devices to the Secondary ASAs corresponding interfaces/subinterfaces, then you are ready to install the Secondary ASA to the network.

 

What you could do on the Secondary ASA is that you remove its default factory configuration and then configure "no shutdown" on each physical interface that you are going to use. Then you could configure the required Failover configurations using the multiple different "failover" configuration commands. (You wont need to configure the actual physical port separately, just need to enable it with "no shutdown", the "failover" commands should handle the rest) After the physical interfaces are configured up and the "failover" commands are set up on the Secondary ASA (and naturally the Primary ASA) then you could basically save the configuration on the Secondary ASA, power down the Secondary ASA, connect it to the network and boot it up. It should then sync the configuration from the Primary ASA after it has booted up and noticed the Active unit (Primary ASA) through the Failover link. So you should not really need to configure the Secondary ASA a lot since it syncs majority of the configurations from the Primary ASA. Naturally the above "failover" configurations are required so the Failover link can be formed for the sync.

 

I have had to do this a couple of times lately because of broken down ASAs in Failover pairs. Naturally I would suggest that you take backups of the Primary ASAs configurations before you start setting up the Failover environment so that incase of some error in the setup you still have the configuration. Some people have mentioned the other unit wiping the others configuration but it has not happened to me atleast.

 

Hope this helps and that I made any sense :)

 

- Jouni

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card