About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.


ASA Failover Configuration

I get a few questions here and there regarding how to configure failover on the ASA, so I thought I would define a sample here that outlines the required steps. The following are the steps required to enable failover on the ASA (for IPsec RA/L2L and SSL VPN):

1.  On active and standby units, designate one of the Gig ports as a “failover” interface. This should be separate from the “inside” and “outside” interfaces. Connect the failover interface on the active unit to the failover interface on the standby via crossover cable.

2.  Next configure the failover interfaces; this configuration is the same on both the active and standby units. You also need to define the IP addresses on the Inside and Outside interfaces of the active unit as well as configure the IP addresses of the standby unit, but note that the IP address designation for the standby unit is actually configured on the active unit.

3.  Now that the interfaces are configured properly (and hopefully operational), we need to configure the actual failover commands that enable failover on the active and standby units.

4.  Now to enable failover on the ASAs, which will perform a sync with the standby unit, we need to issue the ‘failover’ command. Once we do this, any tunnels already built to the active unit are replicated to the standby unit.

5.  Then finally you will need to verify the failover status using the ‘show failover’ command.
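The five steps above as one worked Active/Standby configuration. This is an added example and not configuration from the original post or from Cisco's sample documents; the interface assignments, the FOLINK label, the shared-secret placeholder and all addresses (documentation and private ranges) are assumptions chosen for illustration.

```text
! ===== Primary (active) unit =====
! Step 2: data interfaces. The standby unit's addresses are entered HERE on the
! active unit with the "standby" keyword, never on the standby unit itself.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Step 1: dedicated failover port, separate from inside/outside. No nameif or
! ip address here; the failover commands below own this interface.
interface GigabitEthernet0/2
 description failover + stateful link to the secondary unit (assumed port)
 no shutdown
!
! Step 3: failover commands (FOLINK is an arbitrary label, an assumption).
! The same physical port carries both the LAN failover and the stateful link.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE-WITH-SHARED-SECRET
! Step 4: turn failover on; the primary pushes its running config to the peer.
failover

! ===== Secondary (standby) unit =====
! Only the failover-link commands are entered here. Interface names, ACLs and
! the VPN configuration arrive through replication once failover is enabled.
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE-WITH-SHARED-SECRET
failover

! ===== Step 5: verify (either unit) =====
! show failover        -> "Failover On", this host's role, peer state,
!                         and per-interface monitoring status
! show failover state  -> role plus the last failure reason for each unit
! write standby        -> force a config push if the peer is out of sync
```

Two points worth checking on a real deployment: the failover interface IP and mask must match on both units before either side is told to `failover`, and `failover key` should always be set, because the failover link carries the full configuration (VPN pre-shared keys included) and the stateful session updates the post mentions, and without the key that traffic crosses the link unencrypted. That is also why the link is kept on its own crossover cable or an isolated switch VLAN rather than a shared segment.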

There are also a couple of very good sample configuration documents explaining the specifics of each of the failover commands on CCO. These documents go a little deeper than I did here and I will include a link to each below.

Active/Standby Sample Configuration 
Active/Active Sample Configuration

There Are 4 Responses So Far.

  1.

    Hi Joe :)

    I made ASA failover flash videos some months ago:

    http://www.fcug.fr/files/asa-failover-active-standby.htm
    http://www.rezalfr.org/francois.ropert/asa-failover-active-active.htm

    Francois

  2.

    Francois,

    Excellent videos !!! Thanks for Sharing.

    -Joe

  3.

    Hi Joe, I have found using a crossover direct connection on the failover interfaces can give unexpected results in some scenarios e.g. active unit power failure. When the active ASA fails it can bring down the standby’s fo interface at the same time. The standby unit can get confused about what actually failed. I always connect the failover interfaces to a switch to try and keep any fault domain isolated, in fact I think it is recommended somewhere in the Cisco docs. Rgds, Graeme

  4.

    Hi Graeme,

    Thank you for catching that, you are correct… I typically recommend connecting the failover interfaces together via a switchport, but in instances where that is not possible a crossover will have to do :-) but yes, you are on the money, unexpected results are possible with that method.

    -Joe