Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
797
Views
10
Helpful
3
Replies

ASA Failover

Go to solution
tech_gubby
Level 1
Level 1

‎03-16-2022 01:24 AM - edited ‎03-16-2022 01:25 AM

I have 2 asas. ASA-A and ASA-B. I want to configure ASA-B as an active unit and ASA-A as an standby unit. Could any one tell me how could i do that? IS there any election process will happen for selecting active/standby units between asa?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-16-2022 01:28 AM

The config guide has details on setting up HA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/ha-failover.html

The first one that is up will take the Active role and the second will be Standby. There's no election process per se other than checking if the unit is healthy. Assuming both units are healthy, whichever is active will stay that way until the admin changes it manually of the unit becomes unhealthy.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-16-2022 01:28 AM

The config guide has details on setting up HA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/ha-failover.html

The first one that is up will take the Active role and the second will be Standby. There's no election process per se other than checking if the unit is healthy. Assuming both units are healthy, whichever is active will stay that way until the admin changes it manually of the unit becomes unhealthy.

Go to solution
Jitendra Kumar
Spotlight
Spotlight

‎03-16-2022 01:49 AM

@tech_gubby

Below is active/standby guide 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/failover.html#wp1091288

 

For Active/Active

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/failover.html#wp1052847

 

other Document is below for Active/standby

https://www.thegeekstuff.com/2011/09/cisco-asa-high-availability/

 

Those documents will help you to understand step by step config.

 

Thanks,

Jitendra

Thanks,
Jitendra
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP

‎03-16-2022 02:21 AM

By default ASA is in secondary mode.

for ASA-B to be active(primary) here is the config

ASA-B
failover lan unit primary
interface gigabitEthernet 0/3
no shutdown
!
failover lan interface LANFAIL gigabitethernet 0/3
failover interfaces ip LANFAIL x.x.x.x 255.255.255.0 standby x.x.x.y
failover link LANFAIL
exit

 

once ASA-B is configured as Primary (Active) as soon as you configured the ASA-A as standby (Secondary) all the configuration from the ASA-B (which is primary active) will replicate to secondary ASA-A.

ASA-A
failover lan unit secondary
interface gigabitEthernet 0/3
no shutdown
!
failover lan interface LANFAIL gigabitethernet 0/3
failover interfaces ip LANFAIL x.x.x.x 255.255.255.0 standby x.x.x.y
failover link LANFAIL
exit

 

few command to check if the ASA failover is working

show failover | i host
show failover detail

 

once failover is working you can configure the active and standby ip interfaces on you data interfaces and also monitoring on the interface. If you have sub-interface on your firewall they need to be configured as monitoring as sub-interface by default are not in monitoring.

 

 

please do not forget to rate.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card