Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1226
Views
0
Helpful
3
Replies

ASA 5550 Transparent Active/Standby Configuration

Go to solution
fuhrersk8
Level 3
Level 3

‎12-21-2012 06:39 AM - edited ‎03-11-2019 05:39 PM

                   Hello guys!

     I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:

Primary ASA:

!

interface GigabitEthernet1/3
description LAN Failover Interface
media-type sfp
!

failover

failover lan unit primary
failover lan interface failover GigabitEthernet1/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

Secondary ASA:

!

interface GigabitEthernet1/3

description LAN Failover Interface

!

failover

failover lan unit secondary

failover lan interface failover GigabitEthernet1/3

failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2

!

My questions are the following:

1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip needs to be the same as the management ip address?

2. Does any other additional config is needed for HA to work for basic active/stand-by failover?

3. Wich is the best method to add the second box without disrupting the active box?

Thanks in advance guys!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mariusz Bochen
Level 1
Level 1

‎12-28-2012 07:47 AM

Hi Nephtali,

1. The aswer is no, it can be different.

2. You can optionaly add statefull failover config.

3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

Link to a config example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg

Regards

Mariusz

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mariusz Bochen
Level 1
Level 1

‎12-28-2012 07:47 AM

Hi Nephtali,

1. The aswer is no, it can be different.

2. You can optionaly add statefull failover config.

3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

Link to a config example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg

Regards

Mariusz

0 Helpful

Go to solution
fuhrersk8
Level 3
Level 3
In response to Mariusz Bochen

‎12-28-2012 08:20 AM

Excellent Mariusz, thanks a lot for the explanation!

0 Helpful

Go to solution
Mariusz Bochen
Level 1
Level 1
In response to fuhrersk8

‎12-28-2012 08:26 AM

You're very welcome

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card