01-26-2015 05:32 AM - edited 03-11-2019 10:23 PM
Hi everyone
This is my first time implementing this, so please excuse the basic questions. We currently have a single Firewall off a single ISP feed and we want to implement a secondary ASA for failover. The spec of the ASA is a 5540 with device manager version 6.4(5).
I have attached a diagram showing the setup I plan to implement. The red lines show the current setup and the blue lines show the new setup and the green line is the failover link.
Once I have cabled this all up, can you verify the commands I plan to run? It seems simple enough, but I'm not sure whether I am missing something.
Step 1 - Primary ASA
ASAPRI(config)#
ASAPRI(config)# failover lan unit primary
ASAPRI(config)# failover lan interface FAILOVER G0/3
ASAPRI(config)# failover key spop123
ASAPRI(config)# failover link FAILOVER G0/3
ASAPRI(config)# failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
ASAPRI(config)# exit
ASAPRI#
Step 2 - Secondary ASA
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname ASASEC
ASASEC(config)# int g0/1
ASASEC(config-if)# ip addr 10.25.1.2 255.255.255.0 standby 10.25.1.1
ASASEC(config-if)# nameif private
ASASEC(config-if)# no shut
ASASEC(config-if)# exit
ASASEC(config)# failover lan unit secondary
ASASEC(config)# failover lan interface FAILOVER G0/3
ASASEC(config)# failover key spop123
ASASEC(config)# failover link FAILOVER G0/3
ASASEC(config)# failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
ASASEC(config)# exit
ASASEC#
This is the bit I am having trouble understanding. Do I need to copy and paste the entire config from the Primary ASA and just amend each interface IP address to the next value in the last octet? I.e. the DMZ interface is 10.96.22.2, so on the secondary should it be 10.96.22.3?
Step 3 - Bringing up interfaces & initialize
ASAPRI(config)# int G0/3
ASAPRI(config-if)# no sh
ASAPRI(config-if)# exit
ASAPRI(config)# failover
ASAPRI(config)#
ASASEC#
ASASEC# conf t
ASASEC(config)# int G0/3
ASASEC(config-if)# no sh
ASASEC(config-if)# exit
ASASEC(config)# failover
ASASEC(config)# end
ASASEC#
Finally write the config to memory on both.
Please let me know if I am correct with this or if I need to do anything else? Your help would be greatly appreciated.
Regards,
Mark
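As an added example (not the poster's or Cisco's code), a small Python check over the failover commands typed in Steps 1 and 2 above: it confirms the two units were given complementary roles, the same failover interface, addresses and key, and that a key is present at all, since without `failover key` the failover messages cross the link unencrypted. The command lists are constructed from the post.

```python
import re

# Constructed sample input: the failover commands from the post, as typed on
# each unit (not "show running-config", which masks the key).
PRIMARY_CMDS = """
failover lan unit primary
failover lan interface FAILOVER G0/3
failover key spop123
failover link FAILOVER G0/3
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
"""
SECONDARY_CMDS = PRIMARY_CMDS.replace("unit primary", "unit secondary")

def parse_failover(cmds):
    """Collect the failover settings from one unit's commands into a dict."""
    f = {"enabled": False}
    for line in cmds.splitlines():
        line = line.strip()
        if line == "failover":
            f["enabled"] = True
        elif m := re.match(r"failover lan unit (primary|secondary)$", line):
            f["unit"] = m.group(1)
        elif m := re.match(r"failover (lan interface|link) (\S+) (\S+)$", line):
            f[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"failover key (\S+)$", line):
            f["key"] = m.group(1)
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            f["ip"] = m.groups()
    return f

def check_pair(primary_cmds, secondary_cmds):
    """Return findings as strings; an empty list means the two stanzas agree."""
    p, s = parse_failover(primary_cmds), parse_failover(secondary_cmds)
    findings = []
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        findings.append("unit roles must be exactly one primary and one secondary")
    # Failover/state interface and active/standby addresses are typed identically
    # on both units; the rest of the configuration arrives via replication.
    for name in ("lan interface", "link", "ip"):
        if p.get(name) != s.get(name):
            findings.append(f"'{name}' setting differs between units")
    if "key" not in p or "key" not in s:
        findings.append("no failover key: failover messages cross the link unencrypted")
    elif p["key"] != s["key"]:
        findings.append("failover key differs between units")
    for role, f in (("primary", p), ("secondary", s)):
        if not f["enabled"]:
            findings.append(f"'failover' not enabled on the {role} unit")
    return findings
```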
01-26-2015 03:56 PM
No need to cut and paste the main config into the Secondary - Standby unit. Once you setup the basic failover bits you noted and it sees the Primary - Active mate, the configuration will automatically replicate (assuming sanity checks of like hardware etc. pass).
01-27-2015 02:28 AM
Many thanks Marvin for confirming that, much appreciated.
So just to be totally clear (and sorry to harp on) I don't have to configure any of the remaining interfaces on the secondary ASA after I configure the first 2 above as the replication will cover it?
01-27-2015 07:16 AM
You're welcome.
Yes - replication will push and synchronize the interface configurations once the failover process passes its sanity checks and links the two units. Once synchronization is complete, any future configuration changes on the Active unit will be replicated to the Standby unit.
Note that only configuration changes are synced. If you do file operations (such as deploy new AnyConnect images, VPN profiles, or device certificates) be sure to copy the new files to the standby unit and potentially test after having done a manual failover when making those sort of changes.
01-27-2015 08:24 AM
Thanks again Marvin, feel much more confident now.
01-31-2015 07:01 AM
I just found out the new failover unit is a Cisco ASA 5545 and not a Cisco ASA 5540, so I presume this now won't work.
I think we have another Cisco ASA 5540 in our other hosting center, so hope to replace this with the new Cisco ASA 5545 and then both models will be the same.
01-31-2015 12:23 PM
Correct - hardware must be identical to create a failover pair of ASAs.
05-19-2015 02:45 AM
Hi
Thanks for all your previous help with this, we finally got a window in work and implemented it successfully last w/e.
When I now connect to the ASA via the ASDM I notice I am connecting to the Secondary (active) and not the Primary via the local IP address. Will changes I make on the Secondary still become live and active over both of them? Or is it best I make the secondary I am connected to 'Standby'?
Thanks,
Mark
05-19-2015 02:05 PM
An ASA HA pair doesn't automatically revert to the Primary unit - whichever is Active will automatically sync the configuration to the Standby (assuming the Standby unit is reachable).
Some people like to see the Primary as Active so they manually flip it back using the command "no failover active" when they find the Secondary unit is Active after a maintenance activity. You'll be kicked out of the session you're logged in on but when you re-login you should be on the Primary - (newly) Active unit.
It works fine with either unit active.
05-21-2015 01:35 AM
Thanks again Marvin, very helpful as always.