05-13-2014 09:56 PM - edited 03-11-2019 09:11 PM
Hi.
I am implementing ASA in failover mode and want your help to set it up. I have two 5525 ASAs, ver 8.4(6); both will be connected to the core switch.
I am a little bit confused about whether I need to take a separate interface for failover on both ASAs, with no "nameif" and security level configuration on it, or whether I can take the same interface for failover as well as with nameif "inside" and security level 100, through which my end users behind the ASA could reach the internet.
Please help.
05-14-2014 02:50 AM
Hi Anukalp,
It is good to use a separate interface, via a switch or a direct cross connection, for the failover LAN.
Regards
Karthik
05-14-2014 06:43 AM
Hi.
It would be appreciated if you could post a failover config example for both the primary and secondary ASA.
You can take IP pool 192.168.80.40/30 for the failover interface and 192.168.151.0/24 for the inside interface.
Also, please tell me how the active ASA monitors the failover.
05-14-2014 02:58 PM
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#lanbas
That doc is used for ASA and PIX.
05-14-2014 02:59 PM
Everything is in that document, buddy, but you need to take the time to read it.
05-14-2014 03:01 PM
http://www.petenetlive.com/KB/Article/0000048.htm
That is a configuration example without understanding really how failover works; the first link educates you on how it works.
05-14-2014 11:04 PM
Hi Jumora,
Thanks a lot for this doc; it is very helpful. Since I will have direct connectivity using a crossover cable between the two ASAs, can I use a /30 subnet mask to assign the failover IPs, and do these IPs need to talk with my inside networks?
Also, I will put a default route from my core switch, so the next hop should be the active ASA inside IP. But if the active ASA fails, would I need to change the default route towards the secondary ASA?
Please also clear up this confusion.
05-16-2014 10:28 AM
Hey so here is the explanation:
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
You know that the ASA Active/Standby failover has a defined Primary ASA and a Secondary.
When you configure failover you define a Primary and a Standby with the "failover lan unit Primary or Secondary".
Then the ASA failover pair has two main roles that they perform, which are Active or Standby.
The "standby" address is only used for monitoring interface health and communication between the Primary IP and Secondary.
The only address that is used for routing through the failover pair is the first address defined on the interface command.
When failover occurs and the Secondary unit becomes active, it uses the primary IP and MAC address.
All this information is in the first link that I sent you; take the time to read it.
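The setup discussed in this thread, written out as an added example (not posted by any participant and not taken from the linked documents), using the 192.168.80.40/30 failover subnet and 192.168.151.0/24 inside subnet the original poster proposed. The failover port GigabitEthernet0/3, the link name FOLINK, the inside addresses .1/.2 and the key placeholder are assumptions.

```text
! ===== Primary ASA (assumed failover port: GigabitEthernet0/3) =====
! Data interface: the first address follows the active role,
! the standby address is used by the peer for interface monitoring.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.151.1 255.255.255.0 standby 192.168.151.2
!
! Dedicated failover port: no nameif, no security-level, no ip address.
! It is named and addressed only by the failover commands below.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Usable hosts of 192.168.80.40/30 are .41 and .42
failover interface ip FOLINK 192.168.80.41 255.255.255.252 standby 192.168.80.42
! Optional: carry stateful connection replication on the same link
failover link FOLINK GigabitEthernet0/3
! Shared key authenticates and encrypts failover traffic; without it the
! replicated configuration crosses the link in clear text.
failover key <REPLACE-WITH-SHARED-SECRET>
! Health-check the inside interface (uses the standby address above)
monitor-interface inside
failover
!
! ===== Secondary ASA (bootstrap only; the rest replicates from primary) =====
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.80.41 255.255.255.252 standby 192.168.80.42
failover key <REPLACE-WITH-SHARED-SECRET>
failover
!
! ===== Verification, on either unit =====
! show failover          -> unit role, active/standby state, monitored interfaces
! show failover state    -> current state and last failure reason
```

With this layout the core switch's default route points at 192.168.151.1 and stays unchanged after a failover, because the unit that becomes active takes over that address; the /30 failover subnet does not need to be reachable from the inside networks.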