Setting up failover on ASA in production

jkay18041
Level 3

I currently have an ASA in production and have a question about setting it up in Active/Passive failover.

 

I've got a 2nd unit that is the same, with the same firmware and everything. If I want to set up the passive unit, will it cause downtime?

 

My current unit is set up like this:

 

G0/0 is the WAN.

G0/1 and G0/2 are in a port-channel for the LAN.

G0/5 is a connection to another ASA with a local IP.

 

I'm assuming all 3 would need a secondary IP? And then I would need to make G0/2 the LAN failover port and G0/3 the state failover port? So I would need secondary IPs for those as well, I know.

 

For G0/1 and G0/2, since they are in a port-channel, when I set this up will it break the port-channel?

 

Thank you for the help

Accepted Solution

Hello

Yes, it is indeed possible to have ASA HA. To do this I suggest you pick a spare interface (the fastest) on each ASA and use that as the failover link between the two ASAs.

Basically all you need to do is set up the failover on the primary ASA and, when you are ready, attach the secondary ASA and initiate failover.

Each interface on the primary will be the same on the secondary.

ASA1
! Each data interface gets its own (active) address plus a standby address
! that the peer uses while it is the standby unit.
interface x/x
 nameif outside
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface x/x
 nameif inside
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2

interface x/x
 nameif DMZ
 ip address 11.11.11.1 255.255.255.0 standby 11.11.11.2

! Dedicated failover link: enabled only, no nameif and no data-plane IP.
interface GigabitEthernet1/1
 no shutdown
 exit

failover lan unit primary
failover lan interface Failover GigabitEthernet1/1
failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover key ASAFO



ASA2

Just make sure all interfaces on the secondary ASA that correspond to the primary ASA are activated (these should be exactly the same interfaces as above, but they DON'T need to be configured, just enabled).

 

! Repeat for every data interface that is in use on the primary.
interface x/x
 no shutdown
 exit

! Failover link, same physical port as on the primary.
interface GigabitEthernet1/1
 no shutdown
 exit

(only config required on ASA2)
failover lan unit secondary
failover lan interface Failover GigabitEthernet1/1
failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover key ASAFO

 

 

Connect the two ASAs together and initiate the HA replication (apply to both firewalls):

ASA1/2
conf t
failover

 

Once initiated, the ASAs will replicate with each other.

show failover

 

prompt hostname priority state   <-- this will show you which firewall you are currently connected to in the future

Optionally you can also have a stateful link between the two firewalls, but you'll require an additional spare interface.


ASA1/2

interface GigabitEthernet1/2
 no shutdown
 exit

failover link stateful-FO GigabitEthernet1/2
failover interface ip stateful-FO 172.16.2.1 255.255.255.252 standby 172.16.2.2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

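A fuller worked configuration for the exact topology described in the question (WAN on G0/0, LAN port-channel on G0/1 and G0/2, peer ASA on G0/5), added here as an example; it is not part of the original post or of Paul's answer. The choice of G0/3 and G0/4 as the dedicated failover and state links, the interface names, security levels and all addresses (RFC 5737 and RFC 1918 ranges) are assumptions for illustration. The port-channel member ports carry no IP of their own, so the standby address goes on the Port-channel interface and the channel itself is left untouched; the failover and state links must be spare physical ports that are not channel members and have no nameif.

```text
! === Added example, not the original poster's or answerer's configuration.
! === Interface roles, addresses and link choices are assumptions.
!
! ---------------- Primary ASA ----------------
hostname ASA1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! LAN port-channel: members stay exactly as they are, no IP on them.
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Link to the other ASA; a /29 leaves room for active, standby and the peer.
interface GigabitEthernet0/5
 nameif peer
 security-level 50
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
!
! Spare ports used as the LAN failover link and the stateful link.
! No nameif, no data-plane IP: the failover commands below own them.
interface GigabitEthernet0/3
 description LAN failover link
 no shutdown
interface GigabitEthernet0/4
 description Stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.1.1 255.255.255.252 standby 172.16.1.2
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 172.16.2.1 255.255.255.252 standby 172.16.2.2
failover key <shared-secret>
failover
!
! ---------------- Secondary ASA ----------------
! Data interfaces only need "no shutdown"; their configuration (including the
! stateful link) is replicated from the primary once the pair forms.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
interface GigabitEthernet0/5
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.1.1 255.255.255.252 standby 172.16.1.2
failover key <shared-secret>
failover
```

Cable G0/3 to G0/3 and G0/4 to G0/4 (directly or through a dedicated VLAN), then on the primary run `show failover` and confirm it reports the primary as Active and the other host as Standby Ready, with every monitored interface shown as Normal rather than Waiting or Failed; `show failover state` gives the same per-unit summary. From that point on, make configuration changes on the active unit only, since the standby unit overwrites its own running configuration from the active one.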

3 Replies

marce1000
VIP

 

- I am very skeptical about doing this, procedural or not. Even if it could be accomplished, it will be difficult to establish whether you really have a failover configuration afterwards. Such 'projects' must be realized before the ASA pair serves a production network (then testing can also be done).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Since we decided to do this after the fact, it's about the only option we have.

 

Do you know whether, if we do this, it will kill the EtherChannel that is set up for our LAN?

 

Thanks
