02-25-2010 03:31 AM - edited 03-11-2019 10:14 AM
Dear,
I have one query: in an ASA active-standby scenario, how do users find the active path (on which criteria)?
If possible, please send me a config example.
Also, if the active firewall fails, how does it identify the standby firewall path, and after the active unit comes back up, how does it revert to active?
02-25-2010 04:26 AM
Hi,
When we configure active-standby failover on the ASA, there will be one primary IP address for the active firewall and one secondary IP address for the standby firewall.
The primary IP address will always be the gateway for the users, and the secondary IP will be standby.
If you want to make the secondary firewall active, that is also possible. In this scenario the primary IP address will be on the standby firewall and the secondary IP will be moved to the primary firewall.
One back-to-back cross cable needs to be connected between these two firewalls to ensure failover.
The secondary firewall will always send keepalive messages to the primary firewall over this cross cable to check its availability. If the primary firewall is not responding properly, the secondary firewall becomes active automatically.
Please find the URL for more info.
Regards
Karuppu
02-25-2010 05:37 AM
Karuppu is correct. No matter which unit is active, the newly active unit will assume the active IP for layer 3 and the MAC address for layer 2. The primary unit's IP and MAC are called the active IP and MAC.
So the users won't even know that the units failed over.
Here are some sample configs.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html
-KS
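
Added example (not from any poster in this thread and not copied from the linked Cisco guide): a minimal active/standby failover configuration for the primary unit, showing the active and standby addresses the replies describe. The interface names, the link name FOLINK, the documentation-range addresses and the key placeholder are all assumptions.

```cisco
! Constructed example for the PRIMARY unit (ASA 8.x-style syntax).
! On each data interface the first address is the active IP, which is
! the users' gateway; the "standby" address is held by whichever unit
! is currently standby.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Dedicated failover link between the two units. No nameif or ip
! address is configured on the interface itself; the failover
! commands below name and address it.
interface GigabitEthernet0/3
 description LAN and stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Same link also carries connection state (stateful failover).
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 198.51.100.1 255.255.255.252 standby 198.51.100.2
! Shared key (placeholder value). Without a key, failover traffic,
! including the replicated configuration, crosses the link in clear text.
failover key REPLACE_WITH_SHARED_KEY
! Enable failover last, after the link and key are in place.
failover
!
! On the secondary unit only the failover link needs bootstrapping:
! the same failover commands with "failover lan unit secondary";
! the rest of the configuration is replicated from the active unit.
```

`show failover` on either unit reports which one is active. In active/standby mode a recovered unit rejoins as standby rather than taking the role back by itself; entering `failover active` on it moves the active role to that unit.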