Solved: Add standby ASA

Difan Zhao · ‎05-16-2013

Hi experts,

I am adding a standby ASA for my client. Please review my configuration script. Here is config that I will put on the primary ASA (which is currently in production)

--- Primary ASA ----

!

interface Ethernet0/0

nameif outside <- existing

ip address 209.153.235.131 255.255.255.128 standby 209.153.235.132 <- IP address part exsits, not standby part

no shut

!

interface Ethernet0/1

nameif inside <- existing

ip address 10.26.1.1 255.255.255.0 standby 10.26.1.2 <- IP address part exsits, not standby part

no shut

!

clear configure interface e0/2

clear configure interface e0/3

!

interface Ethernet0/2

description STATE Failover Interface

no shut

interface Ethernet0/3

description LAN Failover Interface

no shut

!

failover

failover lan unit primary

failover lan interface lanfo Ethernet0/3

failover replication http

failover link stateful Ethernet0/2

failover interface ip lanfo 10.26.0.249 255.255.255.252 standby 10.26.0.250

failover interface ip stateful 10.26.0.253 255.255.255.252 standby 10.26.0.254

!

--- Secondary ASA ----

!! On the secondary ASA, I will upgrade the code to the same as primary and restore the factory default, then apply the following config

!

config then apply the following

interface Ethernet0/2

description STATE Failover Interface

no shut

interface Ethernet0/3

description LAN Failover Interface

no shut

!

failover

failover lan unit secondary

failover lan interface lanfo Ethernet0/3

failover replication http

failover link stateful Ethernet0/2

failover interface ip lanfo 10.26.0.249 255.255.255.252 standby 10.26.0.250

failover interface ip stateful 10.26.0.253 255.255.255.252 standby 10.26.0.254

!

Once done, I just have to connect E0/2 and E0/3 with primary, and it will become the standby unit correct? Will this process cause any downtime? Do you foresee any issues? Is there more recommended failover configruation that I missed or any suggestions?

Thanks!

Message was edited by: Difan Zhao

Eddy Duran · ‎05-16-2013

Difan,

I just reviewed the post, on the secondary unit you need to apply the secondary keyword instead of primary:

interface Ethernet0/2

description STATE Failover Interface

no shut

interface Ethernet0/3

description LAN Failover Interface

no shut

!

failover

failover lan unit secondary

failover lan interface lanfo Ethernet0/3

failover replication http

failover link stateful Ethernet0/2

failover interface ip lanfo 10.26.0.249 255.255.255.252 standby 10.26.0.250

failover interface ip stateful 10.26.0.253 255.255.255.252 standby 10.26.0.254

I would suggest to connect the E0/2 and E0/3 to the primary unit before applying the failover configuration, without having the failover link connected, both units might become active and that will cause some issues to the network.

Hope this works for you.

View solution in original post

Eddy Duran · ‎05-16-2013

Hello Difan,

The configuration is fine for the primary ASA, but you will need to apply the commands on the secondary firewall as well:

interface Ethernet0/2

description STATE Failover Interface

no shut

interface Ethernet0/3

description LAN Failover Interface

no shut

failover

failover lan unit secondary

failover lan interface lanfo Ethernet0/3

failover replication http

failover link stateful Ethernet0/2

failover interface ip lanfo 10.90.1.1 255.255.255.0 standby 10.90.1.2

failover interface ip stateful 10.90.2.1 255.255.255.0 standby 10.90.2.2

Once you enter those commands, the standby unit should detect its peer as active and become standby ready.

Please rate the answer if you find it useful.

Difan Zhao · ‎05-16-2013

Hey Eddy, thanks for the fast response! Actually I clicked on post by mistake.. so the one that you looked at was not complete... Could you please review the one I edited later?? Thanks!

Eddy Duran · ‎05-16-2013

Difan,

I just reviewed the post, on the secondary unit you need to apply the secondary keyword instead of primary:

interface Ethernet0/2

description STATE Failover Interface

no shut

interface Ethernet0/3

description LAN Failover Interface

no shut

!

failover

failover lan unit secondary

failover lan interface lanfo Ethernet0/3

failover replication http

failover link stateful Ethernet0/2

failover interface ip lanfo 10.26.0.249 255.255.255.252 standby 10.26.0.250

failover interface ip stateful 10.26.0.253 255.255.255.252 standby 10.26.0.254

I would suggest to connect the E0/2 and E0/3 to the primary unit before applying the failover configuration, without having the failover link connected, both units might become active and that will cause some issues to the network.

Hope this works for you.

Difan Zhao · ‎05-16-2013

Thanks!