ASA active/standby configuration

Ranil Herath
Level 1

Hi Guys,

I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.

1) Can someone please help me clarify/fix this?

2) Will a second failover link fix my problem?

3) How can I configure a second failover link?

Thank you for your time!

Cheers,

Ranil

Sent from Cisco Technical Support iPhone App

5 Replies

Jennifer Halim
Cisco Employee

If you unplug the failover cable, both units will definitely become active because they can't communicate with each other, hence both resume the active role.

It is recommended to connect the failover link to a switch instead of using a crossover cable, because it is more difficult to troubleshoot a crossover cable when it fails.

You can configure a redundant interface to provide a standby physical link for your failover link.

Here is the configuration guide for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062296

Thank you for the reply Jennifer.

I was referring to the following document:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405

Failure Event: Failover link failed during operation
Policy: No failover
Active Action: Mark failover interface as failed
Standby Action: Mark failover interface as failed
Notes: You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Failure Event: Stateful Failover link failed
Policy: No failover
Active Action: No action
Standby Action: No action
Notes: State information becomes out of date, and sessions are terminated if a failover occurs.


I think I should rephrase question 2): If I have two separate links for Failover and Stateful Failover, will that fix my problem?

How can I configure separate Failover and Stateful Failover links? If I understand correctly, they are more than just redundant links.

Sorry I didn't accurately phrase my original post.

Thank you

No, it won't fix your problem, because the 2 are actually passing different types of information.

The failover link ensures that all the interfaces are up and there is no failure on either ASA.

The stateful failover link passes the firewall connection table, xlate table, VPN sessions, etc.

So if the failover link fails, you are at the same stage as when you use just 1 interface for both the failover and stateful failover link.

If you would like to separate the 2 anyway, you can configure it; just assign a different interface and IP address for each failover link:

eg:

failover link eth2

failover lan interface eth3

failover interface ip standby

failover interface ip standby
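As an added example (not configuration from the thread or from Cisco's document), here is a complete Active/Standby bootstrap for a pair of 5510s with the LAN failover link and the Stateful Failover link on separate physical interfaces, plus the per-interface standby addresses the standby unit needs. Interface names, addresses and the shared key are constructed placeholders.

```text
! Added example configuration, not from the thread. Interface names,
! addresses and the shared key are constructed placeholders.
!
! --- Primary unit ---
failover lan unit primary
! Dedicated LAN-based failover link: hellos, health checks, config replication
failover lan interface FAILOVER Ethernet0/2
! Separate Stateful Failover link: connection, xlate and VPN session state
failover link STATEFUL Ethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip STATEFUL 10.10.20.1 255.255.255.252 standby 10.10.20.2
! Authenticate and encrypt failover traffic between the two units
failover key CHANGE-ME-SHARED-SECRET
! Poll the peer every second; declare it failed after 3 s without hellos
failover polltime unit 1 holdtime 3
interface Ethernet0/2
 description LAN failover link
 no shutdown
interface Ethernet0/3
 description Stateful failover link
 no shutdown
! Every data interface needs a standby address; without it the standby
! unit has no IP on that interface and interface monitoring cannot work.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
monitor-interface outside
monitor-interface inside
failover
!
! --- Secondary unit: only the bootstrap; the rest replicates from the primary
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/2
failover link STATEFUL Ethernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip STATEFUL 10.10.20.1 255.255.255.252 standby 10.10.20.2
failover key CHANGE-ME-SHARED-SECRET
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
failover
!
! Verify on either unit: show failover, show failover state
```

With the links separated, losing only the stateful link leaves failover intact, and losing only the LAN failover link marks that interface failed without triggering a failover, which is the behaviour in the table quoted from the Cisco document above.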

Ranil Herath
Level 1

Thank you Jennifer. I configured a Stateful link using the commands you mentioned.

Thought you might be interested to know that everything is now working as I expected! The ASAs do not fail over when I unplug:

1) The Failover link

2) The Stateful failover link

3) Both Failover and Stateful failover links

I had to reconfigure the Active and Standby IPs of the INSIDE and OUTSIDE interfaces. Now I can see the standby IPs assigned on the Standby ASA. Whereas earlier there were no IPs assigned to the INSIDE and OUTSIDE interfaces on the Standby ASA. This might have been a config replication problem over the Failover link.

For anyone interested, the failover scenarios in http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405 should work absolutely fine in an Active/Standby ASA HA config.

Cheers

Great, thanks for the update.
