Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
1
Replies

Setting up ASA 5512 HA Active / Standby

Seano
Level 1
Level 1

‎05-02-2018 05:13 AM - edited ‎02-21-2020 07:41 AM

Looking for advice on setting up 2 ASA 5512 HA Pair.

 

I have a primary ASA 5512 configured with all my vlans. I want to setup an Active/Standby pair for HA.

I installed the Security Licences on both, the original ASA was not configured with the mind to have a second HA pair.

From research all I needed to do was setup the Failover ports and link state on both firewalls. So on the primary I set gi0/2 for the failover configuration and then on the unconfigured second firewall I set up the same HA config on gi0/2 I plugged a network cable linking both ports and enabled failover, the config then copied across. I plugged ports gi0/0 and gi0/1 into the same switching infrastructure as the Primary ASA. Doing a show failover showed the config was enabled and showed primary and secondary switch. The vlans for the primary ASA all showed the IP addresses and the IPs for the secondary were all 0.0.0.0.

 

So I powered off the primary ASA to test the failover. From the console CLI in the second firewall the failover showed that all the IP's on the vlans had now failed over to the second ASA and all the primary ip's were showing as 0.0.0.0, so seemed like it should work. However routing was not working.

 

So apparently I should have configured a standby ip address for each vlan. However some posts say this is just good practice and so in theory my failover should have still worked.

 

I turned on the primary switch and routing came back and we could get out to the internet. From the ASDM the second firewall was still the active one.

 

So my question is what do I need to get this working and to best practice. Should it have worked and maybe the ports that connect into the switching network are not configured properly? I was not able to see the ports I was just told they have been configured identically to what the primary ASA plus into.

 

Thanks for the help

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎05-02-2018 05:51 AM

Without actually seeing your full running configuration and the output of show failover it is difficult to say what is wrong.

I have a many clients with ASAs set up as active/standby and in only one instance do they not use the standby keyword on the interface IP.  So theoretically it should not be a problem not configuring a standby address.  but If you do not configure the standby address for at least one interface (lets say management interface) then you will not be able to log in to the secondary ASA if you have a requirement to do so.

 

As for routing not working, this is most likely an ARP issue.  Check to make sure that the MAC address on the primary switches to the secondary when the failover happens.  Check on the switch show mac add add xxxx.xxxx.xxxx

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card