
ASA Failover implementation

Dave Row
Level 1

Hi All,

I'm fairly new to ASA management so would appreciate some feedback here. I have a single firewall at a remote site that is quickly becoming more mission critical. To remove the single point of failure I have a second identical unit I intend to install as a standby unit in an Active/Standby failover configuration.

I think I've got the gist of the failover configuration on the active and the standby, but my question is this:

How much config do I need to have on the new standby unit before it will talk to the active unit and synchronise the config? I'm guessing it'll need the following configured:

  • Interfaces
    • State & Failover
  • Clock
  • AAA
  • Failover

If someone with some experience of this could offer some advice I'd be very grateful.

Thanks in advance!

3 Replies

Jennifer Halim
Cisco Employee

All you need is the failover configuration and connecting the interfaces to the switch, and make sure that the failover unit is secondary.

You don't need the clock nor the AAA configuration as the configuration will get synchronised from the active unit.

rizwanr74
Level 7

Hi David,

This goes on the primary active device. Please make changes as per your physical port and IP availability. The highlighted keywords are user-defined; you can put whatever meaningful name you like.

interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 no shutdown
 exit
no failover link
failover lan interface STATE-SYNC GigabitEthernet0/3
failover interface ip STATE-SYNC 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key your-password-goes-here-whatever-it-maybe
failover link STATE-SYNC
failover replication http
failover lan unit primary
failover lan enable
failover

----------------------------

This goes on the failover unit.

no failover link
no failover lan interface
interface GigabitEthernet0/3
 no nameif
 no shutdown
 exit
failover key your-password-goes-here-whatever-it-maybe
failover lan interface STATE-SYNC GigabitEthernet0/3
failover interface ip STATE-SYNC 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover lan unit secondary
failover lan enable
failover
exit
show failover

Hope this helps.

thanks

Rizwan Rafeek

rizwanr74
Level 7

Hi David,

I thought I should have mentioned this as well. When you configure the active and standby failover configuration, the standby device will synchronize the whole configuration from the active FW, so all you need is a minimum configuration on the standby unit as shown above.

thanks

Rizwan Rafeek
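
Added example, not part of the thread or of any Cisco tooling: a pre-flight check that the minimal failover bootstrap pasted onto the two units agrees before the standby is cabled in. The function names and the `EXAMPLE-KEY` value are hypothetical, and the sample configs are constructed from the commands posted above.

```python
# Constructed sample input: the failover lines from the reply above,
# with the shared key replaced by a placeholder.
PRIMARY = """\
failover lan interface STATE-SYNC GigabitEthernet0/3
failover interface ip STATE-SYNC 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key EXAMPLE-KEY
failover link STATE-SYNC
failover lan unit primary
failover
"""
SECONDARY = """\
failover key EXAMPLE-KEY
failover lan interface STATE-SYNC GigabitEthernet0/3
failover interface ip STATE-SYNC 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover lan unit secondary
failover
"""

# Commands whose arguments are identical on both units in the posted configs.
SHARED = ("failover lan interface", "failover interface ip", "failover key")

def failover_settings(config):
    """Map each failover command prefix to its arguments."""
    found = {}
    for line in map(str.strip, config.splitlines()):
        if line == "failover":
            found["failover"] = "enabled"
        for prefix in SHARED + ("failover lan unit",):
            if line.startswith(prefix + " "):
                found[prefix] = line[len(prefix):].strip()
    return found

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    pri, sec = failover_settings(primary_cfg), failover_settings(secondary_cfg)
    problems = []
    for prefix in SHARED:
        if prefix not in pri or prefix not in sec:
            problems.append(f"'{prefix}' missing on one unit")
        elif pri[prefix] != sec[prefix]:
            problems.append(f"'{prefix}' differs between units")  # value never echoed
    if pri.get("failover lan unit") != "primary":
        problems.append("first unit is not 'failover lan unit primary'")
    if sec.get("failover lan unit") != "secondary":
        problems.append("second unit is not 'failover lan unit secondary'")
    for name, cfg in (("primary", pri), ("secondary", sec)):
        if "failover" not in cfg:
            problems.append(f"failover not enabled on {name}")
    return problems
```

The messages name the mismatched command but never print its arguments, so the failover key does not end up in console output or change tickets.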
