
Thursday, July 18, 2013

Cisco ASA Failover setup

Here is a setup for Cisco ASA failover (active/standby): two units, the primary and the secondary, with a dedicated LAN failover link on Ethernet0/3.

Network Topology (VLAN assignment):

VLAN22 = OUTSIDE
VLAN21 = Management
VLAN20 = INSIDE

Primary unit interface configuration:

interface Ethernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.1 255.255.255.224
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 management-only
 nameif MGMT
 security-level 0
 ip address 172.16.99.1 255.255.255.0
!

Secondary unit interface configuration:

interface Ethernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.2 255.255.255.224
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 management-only
 nameif MGMT
 security-level 0
 ip address 172.16.99.2 255.255.255.0
!

Now let’s configure the failover on the primary unit:

failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover key *****
failover replication http
failover link OUTSIDE
failover interface ip FAILOVER 10.100.0.1 255.255.255.0 standby 10.100.0.2

An explanation regarding the configuration:
Line 1: enable failover
Line 2: set this unit's role (primary) in the failover pair
Line 3: set the LAN failover interface between the units and name it FAILOVER
Line 4: set the shared key that authenticates and encrypts traffic on the failover link (optional; without it failover traffic crosses the link in clear text)
Line 5: replicate HTTP connection state to the standby unit (optional; HTTP sessions are not replicated by default)
Line 6: set the stateful failover (state sync) link between the units
Line 7: assign the active and standby IP addresses of the failover link

Now configure failover on the secondary unit (same commands, only the unit role differs):

failover
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover key *****
failover replication http
failover link OUTSIDE
failover interface ip FAILOVER 10.100.0.1 255.255.255.0 standby 10.100.0.2

Now add standby addresses on the INSIDE and OUTSIDE interfaces; both units monitor these interfaces, and a failure on one of them triggers a switchover to the other unit:

interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Ethernet0/1
 ip address 82.166.44.101 255.255.255.224 standby 82.166.44.102
!

To manually switch which unit is active, run the following command on the standby unit, which then takes over the active role:

failover active
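A small consistency check for an active/standby pair, added here as an example and not part of the original post: it parses config excerpts in the shape shown above and flags what most often breaks or weakens the setup (failover settings that differ between the two units, both units claiming the same role, a missing failover key, and a nameif'd interface with no standby address). The sample configs are constructed for the example.

```python
# Constructed sample (not the post's config): OUTSIDE lacks a standby IP; the secondary lacks the key.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover key EXAMPLE-KEY
failover interface ip FAILOVER 10.100.0.1 255.255.255.0 standby 10.100.0.2
interface Ethernet0/0
 nameif INSIDE
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
interface Ethernet0/1
 nameif OUTSIDE
 ip address 10.0.0.1 255.255.255.224
"""
SECONDARY = (PRIMARY.split("\ninterface ")[0]
             .replace("unit primary", "unit secondary")
             .replace("failover key EXAMPLE-KEY\n", ""))

def parse(cfg):
    """Collect failover settings and each nameif's standby address from a config excerpt."""
    fo, ifaces, cur = {"role": None, "key": False, "lines": set()}, {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if raw.startswith("interface "):
            cur = {}
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur is not None and s.startswith("ip address "):
            cur["standby"] = s.split(" standby ")[1] if " standby " in s else None
        elif s.startswith("failover lan unit "):
            fo["role"] = s.split()[-1]
        elif s.startswith("failover key"):
            fo["key"] = True  # record presence only; never echo the key itself
        elif s.startswith("failover"):
            fo["lines"].add(s)  # these must be identical on both units
    return fo, ifaces

def check(primary_cfg, secondary_cfg):
    """Return findings for a primary/secondary pair; an empty list means consistent."""
    p, p_if = parse(primary_cfg)
    s, _ = parse(secondary_cfg)  # secondary interface config is replaced on sync
    out = [f"{u}: no 'failover key', failover link traffic is unauthenticated"
           for u, fo in (("primary", p), ("secondary", s)) if not fo["key"]]
    out += [f"{n}: no standby address, standby unit has no IP on this interface"
            for n, c in p_if.items() if not c.get("standby")]
    if {p["role"], s["role"]} != {"primary", "secondary"}:
        out.append(f"unit roles must be primary+secondary, got {p['role']}/{s['role']}")
    if p["lines"] != s["lines"]:
        out.append(f"failover settings differ: {sorted(p['lines'] ^ s['lines'])}")
    return out
```

Running `check(PRIMARY, SECONDARY)` on the sample reports the missing key on the secondary and the missing standby address on OUTSIDE; paste the output of `show running-config failover` and the interface blocks from each unit to check a real pair.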
