This post describes how to configure two Cisco ASA’s in Active / Standby Fail-over configuration. The standby ASA will take over a failed unit.
Topology
Configuration: ASA-Primary
ASA-1# show run | begin fail
failover
failover lan unit primary
failover lan interface Fail-Over GigabitEthernet0/0
failover link Fail-Over GigabitEthernet0/0
failover interface ip Fail-Over 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
!
ASA-1(config)# failover ?
lan - Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication
!
ASA-1(config)# failover lan ?
configure mode commands/options:
interface Configure the interface and vlan to be used for failover
communication
unit Configure the unit as primary or secondary
!
ASA-1(config)# failover lan unit ?
configure mode commands/options:
primary Configure the unit as primary
secondary Configure the unit as secondary
!
ASA-1(config)# failover lan unit primary
!
ASA-1(config)# failover lan interface ?
configure mode commands/options:
WORD Specify the interface name
!
ASA-1(config)# failover lan interface Fail-Over ?
configure mode commands/options:
WORD Specify physical or sub interface
!
ASA-1(config)# failover lan interface Fail-Over Gi0/0
!
INFO: Non-failover interface config is cleared on GigabitEthernet0/0 and its sub-interfaces
!
ASA-1(config)# failover ?
link Configure the interface and vlan to be used as a link for stateful update information
!
ASA-1(config)# failover link ?
configure mode commands/options:
WORD Specify the interface name
!
ASA-1(config)# Failover link Fail-Over ?
configure mode commands/options:
WORD Specify physical or sub interface
!
ASA-1(config)# Failover link Fail-Over Gi0/0
!
ASA-1(config)# failover ?
interface Configure the IP address to be used for failover and/or stateful update information
!
ASA-1(config)# failover interface ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
!
ASA-1(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
Fail-Over Name of interface GigabitEthernet0/0
!
ASA-1(config)# failover interface ip Fail-Over ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
Hostname/<0-128> or X:X:X:X::X/<0-128> Specify the IPv6 prefix
!
ASA-1(config)# failover interface ip Fail-Over 192.168.0.1 255.255.255.0 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
!
failover interface ip Fail-Over 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
ASA-1(config)# failover
failover Enable/disable failover feature
!
ASA-1(config)# interface gigabitEthernet 0/0
ASA-1(config-if)# no shutdown
!
ASA-1(config)# .
No Active mate detected
Configuration: ASA-Secondary
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface Fail-Over Gi0/0
INFO: Non-failover interface config is cleared on GigabitEthernet0/0 and its sub-interfaces
ciscoasa(config)# failover link Fail-Over Gi0/0
ciscoasa(config)# failover interface ip FO 192.168.0.1 255.255.255.0 standby 192.168.0.2
ciscoasa(config)# interface gi0/0
ciscoasa(config)# failover
ciscoasa(config)# .
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.
Verification:
ASA-1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: Fail-Over GigabitEthernet0/0 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.7(1), Mate 9.7(1)
Serial Number: Ours 9APBRLWL1CL, Mate 9AUTVN4XK9E
Last Failover at: 01:13:15 UTC Jan 14 2019
This host: Primary - Active
Active time: 623 (sec)
slot 0: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : Fail-Over GigabitEthernet0/0 (up)
