06-19-2013 12:50 AM - edited 03-11-2019 07:00 PM
Dear All,
I need a suggestion on the ASA 5515-X high availability configuration: I want to configure our firewalls in high availability (Active/Standby). I configured the firewalls, and below is the configuration of both the Primary and Secondary firewalls.
Primary firewall:
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link statelink GigabitEthernet0/2
failover interface ip folink 172.27.1.1 255.255.255.252 standby 172.27.1.2
failover interface ip statelink 172.27.1.5 255.255.255.252 standby 172.27.1.6
Secondary firewall:
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link statelink GigabitEthernet0/2
failover interface ip folink 172.27.1.1 255.255.255.252 standby 172.27.1.2
failover interface ip statelink 172.27.1.5 255.255.255.252 standby 172.27.1.6
Kindly tell me, is this config right?
I am also facing a problem: when the active firewall goes down, the standby firewall becomes active, which is OK, but when the former active firewall (now standby) comes back up, it does not become active again until the currently active firewall goes down.
Please tell me whether this is the right behaviour of firewalls in HA mode.
06-19-2013 01:02 AM
Hi,
You don't necessarily have to use 2 physical interfaces just for the Failover link. I would imagine you would be fine with just one physical interface for Failover.
Therefore you could use just Gi0/2 or Gi0/3 for this.
With regards to the Active/Standby states of the Primary and Secondary Firewalls.
When you configure Active/Standby Failover and you originally have the Primary as Active and the Secondary as Standby, and the Primary fails and the Secondary changes to Active, there won't be any automatic switching back to the Primary when it has recovered from the fault.
The Primary firewall will become Active only when the Secondary (which is currently Active) fails OR if you manually change the Primary back to the Active state.
If you had Active/Active (which means the ASA is configured in Multiple Context Mode), then you would be able to configure Failover groups, under which you can set a "preempt" timer after which the original Primary firewall will take over after it has recovered from the fault.
So in your current Active/Standby setup there won't be any automatic switching back to the Primary as the Active unit.
Hope this helps
- Jouni
06-19-2013 02:48 AM
Hi,
I need failover plus a link state for the failover heartbeats.
So there is no "preempt" timer in Active/Standby Failover?
Is this configuration OK for Active/Standby?
06-19-2013 03:15 AM
Hi,
There is no "preempt" with Active/Standby Failover, as there are no Failover Groups in Active/Standby Failover; those are only used in Active/Active.
On the original ASA5500 Series I used to configure the Management0/0 interface as the Failover interface (not possible on the new ASA5500-X series).
The Failover configuration might have looked something like this, for example:
Primary
failover
failover lan unit primary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
Secondary
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
- Jouni
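A small consistency check for the two failover configurations discussed in this thread, added here as an example and not code from the thread or from Cisco. It parses the `failover ...` lines of both units, confirms that one unit is `primary` and the other `secondary`, that the failover link, state link and their addresses are configured identically on both (as in the original post and in the Management0/0 example above), that every `failover interface ip` line refers to a defined failover interface, and flags the one thing the original post's configuration lacks and the example above includes: a `failover key`. Without it the ASA sends failover and state-link traffic, including the replicated configuration, in clear text. The two sample configurations are constructed from the original post; the function and finding names are my own.

```python
"""Consistency check for an ASA Active/Standby failover pair (added example)."""
import re

# Constructed sample input: the configuration from the original post, one unit each.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link statelink GigabitEthernet0/2
failover interface ip folink 172.27.1.1 255.255.255.252 standby 172.27.1.2
failover interface ip statelink 172.27.1.5 255.255.255.252 standby 172.27.1.6
"""

SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link statelink GigabitEthernet0/2
failover interface ip folink 172.27.1.1 255.255.255.252 standby 172.27.1.2
failover interface ip statelink 172.27.1.5 255.255.255.252 standby 172.27.1.6
"""


def parse_failover(cfg):
    """Extract the failover-relevant facts from one unit's running config.

    Returns a dict with the unit role, whether a failover key is set, the set of
    link/address lines that must match on both units, the failover interface
    names that are defined, and the names referenced by `failover interface ip`.
    """
    info = {"unit": None, "key": False, "shared": set(), "names": set(), "ip_names": set()}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"failover lan unit (primary|secondary)$", line)
        if m:
            info["unit"] = m.group(1)
            continue
        if line.startswith("failover key"):
            info["key"] = True          # the key itself is not needed for the check
            continue
        # `failover lan interface <name> <phys>` and `failover link <name> <phys>`
        m = re.match(r"failover (?:lan interface|link) (\S+) \S+$", line)
        if m:
            info["names"].add(m.group(1))
            info["shared"].add(line)
            continue
        # `failover interface ip <name> <ip> <mask> standby <ip>`
        m = re.match(r"failover interface ip (\S+) ", line)
        if m:
            info["ip_names"].add(m.group(1))
            info["shared"].add(line)
    return info


def check_pair(primary_cfg, secondary_cfg):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append(
            f"unit roles must be one primary and one secondary, got {p['unit']!r} and {s['unit']!r}")
    # Link, state-link and address lines are configured identically on both units,
    # so anything present on only one side is a typo or a copy-paste slip.
    for line in sorted(p["shared"] ^ s["shared"]):
        findings.append(f"link/address line present on only one unit: {line}")
    for label, info in (("primary", p), ("secondary", s)):
        for name in sorted(info["ip_names"] - info["names"]):
            findings.append(
                f"{label}: 'failover interface ip {name}' refers to an undefined failover interface")
    # Security caveat: with no failover key, failover and state-link traffic
    # (including the replicated configuration) crosses the link in clear text.
    if not (p["key"] and s["key"]):
        findings.append(
            "'failover key' not set on both units: failover and state-link traffic, "
            "including replicated configuration, is sent in clear text")
    return findings


if __name__ == "__main__":
    for finding in check_pair(PRIMARY_CFG, SECONDARY_CFG) or ["no findings"]:
        print(finding)
```

Run it against the two configurations from the original post and the only finding is the missing `failover key`; add the same `failover key <key>` line to both units and it reports nothing. Feeding it the primary configuration twice, or a secondary whose `failover interface ip` line names an interface that no `failover lan interface` or `failover link` line defines, shows the other checks firing.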