Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6529
Views
10
Helpful
6
Replies

FirePower 2110 ASA HA Configuration

zekebashi
Level 4
Level 4

‎12-21-2018 09:19 AM - edited ‎02-21-2020 08:35 AM

Hello,

 

We've an ASA running on a FPR-2110 with a single Site-To-Site VPN. We need to create redundancy by adding another ASA/FPR-2110. What's the best way to accomplish this?

 

Thanks in advance,

~zK

0 Helpful
6 Replies 6

Mohammed al Baqari
Level 11
Level 11

‎12-21-2018 11:04 AM

You can add the 2nd ASA silently without any interruption and with minimum
configuration. Once you configure failover on both units and connect them
either directly or through l2 network (best practice) the configuration
will be replicated.

Also consider enabling stateful failover between firewalls.

Next you need to consider redundant links with redundant interfaces or not.
0 Helpful

zekebashi
Level 4
Level 4
In response to Mohammed al Baqari

‎12-24-2018 09:12 AM

Thanks for the info, Mohammed!

 

When you say "enabling stateful FO between the FWs, is there a specific command that i will need to run because I couldn't find any references to such commands on Cisco's documentation.

 

Here are the statements I'll be implementing:

 



Primary ASA:

    failover lan unit primary
        failover lan interface failover Ethernet0/3
        failover key xxxxxxxxxxxxx
        failover link failover Ethernet0/3
        failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
       interface Ethernet0/3
    no shut  
        failover

---------------------------------------------------------------------------------
Secondary ASA

    failover lan unit secondary
    failover lan interface folink gigabitethernet0/3
    failover key failureismydestiny
    failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
    failover link failover Ethernet0/3
    interface Ethernet0/3
    no shut  
    failover

 

Thanks in advance,

~zK

0 Helpful

zekebashi
Level 4
Level 4
In response to Abheesh Kumar

‎12-24-2018 09:13 AM

Thanks, Abeesh for sharing. The document was very helpful!

 

Best, ~zK

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-23-2018 04:13 AM

Note that ASA on Firepower 2100 series only has Management and Eth1/2 and 1/2 interfaces enabled by default. If you want more (for HA reason or anything else) you will need to assign and enable them from Firepower Chassis Manager first.

 

zekebashi
Level 4
Level 4
In response to Marvin Rhoads

‎12-24-2018 09:14 AM

Good point, Marvin!

 

I've made it a practice when configuring the FirePower is to enable all interfaces in the FXOS and put them in admin shut on the ASA.

 

Best, ~zK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card