Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2797
Views
0
Helpful
9
Replies

FPR2120-ASA-K9 failover configuration

Go to solution
Steev112
Level 1
Level 1

‎12-16-2018 10:51 PM - edited ‎03-12-2019 07:10 AM

Hi All,

I have FPR2120-ASA license and with this software:

1. Cisco Adaptive Security Appliance Software Version 9.8(2) 

2. Device Manager Version 7.8(2)

 

i am new in security section my questions are:

1. how to configure fail over between two ASAs?

2. what is the recommended image?

3.. if i want to migrate the VPN configuration from  ASA5550 version 9.1(7)21, is there any tool or the same configuration i can copy ti the FPR2120 ?

 

Thanks,

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-23-2018 03:48 AM

Here's a link to the section in the "Cisco ASA for Firepower 2100 Series Getting Started Guide:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/getting-started.html#id_55142

 

As it notes:

 

"By default, the Management 1/1, Ethernet 1/1, and Ethernet 1/2 interfaces are physically enabled for the chassis and logically enabled in the ASA configuration. To use any additional interfaces, you must enable it for the chassis using this procedure, and then later enable it in the ASA configuration."

 

Once you assigned and enabled the interfaces from FCM, they are available to configure and use on your ASA logical device.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-26-2018 02:42 AM

You can use any available interface except management. The interface must be dedicated for failover purpose.

 

Reference:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-failover.html#ID-2107-0000004d

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Steev112
Level 1
Level 1

‎12-17-2018 02:57 AM

I tried to configure failover on eth1/3 but the link not coming up, the link is direct connected. anyone has idea

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-17-2018 04:32 AM - edited ‎12-23-2018 03:44 AM

A Firepower 2100 series running an ASA image (as opposed to FTD) has two management systems. You manage the physical chassis (including assignment of physical interfaces to the ASA and enabling them) from the Firepower Chassis Manager GUI.

 

You then manage the ASA logical device just like a regular ASA, including when you want to build a HA pair with a mate.

0 Helpful

Go to solution
Steev112
Level 1
Level 1
In response to Marvin Rhoads

‎12-18-2018 03:40 AM

Hi Marvin,

i am accessing via console via connect asa command, but the problem only interface eth1/1 and eth1/2 is coming up when i connected back to back cable on eth1/3-8 the port not coming up ?

 

is there any configuration need to do it?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-18-2018 09:37 AM - edited ‎12-23-2018 03:45 AM

You need to use the Firepower Chassis Manager to assign and enable the interfaces to the ASA logical device.

0 Helpful

Go to solution
Steev112
Level 1
Level 1
In response to Marvin Rhoads

‎12-22-2018 09:38 PM

do you have any document explain the steps ?

 

Thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-23-2018 03:48 AM

Here's a link to the section in the "Cisco ASA for Firepower 2100 Series Getting Started Guide:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/getting-started.html#id_55142

 

As it notes:

 

"By default, the Management 1/1, Ethernet 1/1, and Ethernet 1/2 interfaces are physically enabled for the chassis and logically enabled in the ASA configuration. To use any additional interfaces, you must enable it for the chassis using this procedure, and then later enable it in the ASA configuration."

 

Once you assigned and enabled the interfaces from FCM, they are available to configure and use on your ASA logical device.

0 Helpful

Go to solution
Steev112
Level 1
Level 1
In response to Marvin Rhoads

‎12-25-2018 10:01 PM

Hi Marvin,

Thanks a lot for your answer, one more question can i use any interface for failover.

 

Thanks again.

 

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Steev112

‎12-26-2018 02:42 AM

You can use any available interface except management. The interface must be dedicated for failover purpose.

 

Reference:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-failover.html#ID-2107-0000004d

0 Helpful

Go to solution
Steev112
Level 1
Level 1
In response to Marvin Rhoads

‎12-26-2018 03:41 AM

Hi Marvin,
Many thanks for you assistant.
Thanks
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card