Security

Cisco ASA – Configure Active Standby Failover

January 13, 2019

This post describes how to configure two Cisco ASA’s in Active / Standby Fail-over configuration. The standby ASA will take over a failed unit.

Topology

Configuration: ASA-Primary

ASA-1# show run | begin fail
failover
failover lan unit primary
failover lan interface Fail-Over GigabitEthernet0/0
failover link Fail-Over GigabitEthernet0/0
failover interface ip Fail-Over 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
!
ASA-1(config)# failover ?
lan - Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication
!
ASA-1(config)# failover lan ?
configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover
             communication
  unit       Configure the unit as primary or secondary
!
ASA-1(config)# failover lan unit ?
configure mode commands/options:
  primary    Configure the unit as primary
  secondary  Configure the unit as secondary
!
ASA-1(config)# failover lan unit primary
!
ASA-1(config)# failover lan interface ?
configure mode commands/options:
  WORD  Specify the interface name
!
ASA-1(config)# failover lan interface Fail-Over ?
configure mode commands/options:
  WORD  Specify physical or sub interface
!
ASA-1(config)# failover lan interface Fail-Over Gi0/0
!
INFO: Non-failover interface config is cleared on GigabitEthernet0/0 and its sub-interfaces
!
ASA-1(config)# failover ?
link  Configure the interface and vlan to be used as a link for stateful update information
!
ASA-1(config)# failover link ?
configure mode commands/options:
  WORD  Specify the interface name
!
ASA-1(config)# Failover link Fail-Over ?
configure mode commands/options:
  WORD  Specify physical or sub interface
!
ASA-1(config)# Failover link Fail-Over Gi0/0
!
ASA-1(config)# failover ?
interface  Configure the IP address to be used for failover and/or stateful update information
!
ASA-1(config)# failover interface ?
configure mode commands/options:
  ip  Configure the IP address and mask after this keyword
!
ASA-1(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
  Fail-Over  Name of interface GigabitEthernet0/0
!
ASA-1(config)# failover interface ip Fail-Over ?
configure mode commands/options:
  Hostname or A.B.C.D                     Specify the IP address
  Hostname/<0-128> or X:X:X:X::X/<0-128>  Specify the IPv6 prefix
!
ASA-1(config)# failover interface ip Fail-Over 192.168.0.1 255.255.255.0 ?
configure mode commands/options:
  standby  Configure the standby IP address after this keyword
!
failover interface ip Fail-Over 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
ASA-1(config)# failover 
failover  Enable/disable failover feature
!
ASA-1(config)# interface gigabitEthernet 0/0
ASA-1(config-if)# no shutdown
!
ASA-1(config)# .
        No Active mate detected

Configuration: ASA-Secondary

ciscoasa(config)# failover lan unit secondary 
ciscoasa(config)# failover lan interface Fail-Over Gi0/0
INFO: Non-failover interface config is cleared on GigabitEthernet0/0 and its sub-interfaces
ciscoasa(config)# failover link Fail-Over Gi0/0
ciscoasa(config)# failover interface ip FO 192.168.0.1 255.255.255.0 standby 192.168.0.2
ciscoasa(config)# interface gi0/0
ciscoasa(config)# failover 
ciscoasa(config)# .

        Detected an Active mate
Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.

WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.

Verification:

ASA-1# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: Fail-Over GigabitEthernet0/0 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.7(1), Mate 9.7(1)
Serial Number: Ours 9APBRLWL1CL, Mate 9AUTVN4XK9E
Last Failover at: 01:13:15 UTC Jan 14 2019
        This host: Primary - Active 
                Active time: 623 (sec)
                slot 0: empty
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)

Stateful Failover Logical Update Statistics
        Link : Fail-Over GigabitEthernet0/0 (up)

Cisco ASA – Configure Active Standby Failover

Topology

Configuration: ASA-Primary

Configuration: ASA-Secondary

Verification:

Topic discussion at CLI Warriors - Forum

Latest Forum Posts

GN3 Question, how to add port on a device

Cisco ASA - Save multiple contexts at the same time

Cisco ASA - Configure Active Standby Failover

Don't miss

Configure VTP Server and Clients on Cisco switches

Basic EIGRP Configuration | Cisco Router

How to install GNS3 on Ubuntu & Linux Mint

How to configure DHCP on a Cisco router

Cisco ARP

Follow us on Instagram @cliwarriors