A few weeks ago I installed two Cisco ASA 5510 devices for ISP failover and Active/Standby failover. In an earlier post I wrote about the ISP failover; now I'm going to write about the Active/Standby failover.
For Active/Standby failover you need two Cisco ASAs; in my example I use two Cisco ASA 5510s.
What do you have to do? First, configure your Cisco ASA as you normally would, but with some exceptions on the interfaces. In this case I wanted a solution that could fail over on both the internal and external interfaces.
You start at the interfaces.
Outside interface

ciscoasa(config)# interface Ethernet 0/0
ciscoasa(config-if)# description interface to <access device> internet-connection
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address <ip address> <subnet mask> standby <following ip address>

Inside interface

ciscoasa(config)# interface Ethernet 0/1
ciscoasa(config-if)# description interface to local area network (LAN)
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address <ip address> <subnet mask> standby <following LAN ip address>
First you have to clear the Management interface. You can do this via:

ciscoasa(config)# clear configure interface m0/0
ciscoasa(config)# int Man 0/0
ciscoasa(config-if)# no shut

Now you need to configure the failover. You start with:

failover lan interface failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.253
failover key myf@1l0v3rk3y
failover lan unit primary
failover
Now you have to start the failover:
failover link failover Management0/0
Save your configuration (write mem).
Next you have to configure your secondary Cisco ASA for the failover (the standby device).
Enter enable mode

ciscoasa>
ciscoasa> en
Password:
ciscoasa#

ciscoasa#
ciscoasa# conf t
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#

ciscoasa(config)#
ciscoasa(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#

ciscoasa(config)#
ciscoasa(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
ciscoasa(config)#

ciscoasa(config)#
ciscoasa(config)# failover lan key myf@1l0v3rk3y
ciscoasa(config)#

ciscoasa(config)#
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)#

ciscoasa(config)#
ciscoasa(config)# failover
ciscoasa(config)#
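
Added example (not part of the original post): the failover link settings have to be entered the same way on both units, so a small Python check that compares the two command lists can catch a typo before failover is enabled. The function names and the sample command lists are assumptions built from the values typed above; run on them, it reports that the standby address of the failover link differs between the two units.

```python
import re

# Bootstrap settings that are entered identically on both units.
MUST_MATCH = ("lan interface", "interface ip", "key")
PATTERN = re.compile(
    r"^failover(?:\s+(lan interface|interface ip|lan unit|lan key|key)\s+(.+))?$")

def parse_failover(text):
    """Return the failover settings found in one unit's command list."""
    found = {}
    for raw in text.splitlines():
        m = PATTERN.match(" ".join(raw.split()))
        if m and m.group(1) is None:
            found["enabled"] = True  # bare "failover" line
        elif m:
            # Assumption: "failover lan key" is read as the "key" setting.
            found[m.group(1).replace("lan key", "key")] = m.group(2)
    return found

def compare_units(primary_text, secondary_text):
    """List differences between the two units' failover bootstrap settings."""
    pri, sec = parse_failover(primary_text), parse_failover(secondary_text)
    problems = [f"{name}: primary={pri.get(name)!r} secondary={sec.get(name)!r}"
                for name in MUST_MATCH if pri.get(name) != sec.get(name)]
    if (pri.get("lan unit"), sec.get("lan unit")) != ("primary", "secondary"):
        problems.append("lan unit: expected 'primary' and 'secondary'")
    problems += [f"{role}: failover not enabled"
                 for role, cfg in (("primary", pri), ("secondary", sec))
                 if not cfg.get("enabled")]
    return problems

# Constructed sample: commands from this post, prompts removed, interface name in full.
PRIMARY = """\
failover lan interface failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.253
failover key myf@1l0v3rk3y
failover lan unit primary
failover
"""
SECONDARY = """\
failover lan interface failover Management0/0
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
failover lan key myf@1l0v3rk3y
failover lan unit secondary
failover
"""
if __name__ == "__main__":
    print("\n".join(compare_units(PRIMARY, SECONDARY)) or "units match")
```
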
Nice Article
Here's some more information that might be helpful,
Cisco Active Standby Failover
Pete
PeteNetLive
Hi
I read this weblog and learned more information
Perfect howto! … just configured the failover on a 5520 set, I can feel the heartbeat … thx m8
Is it also required to set a standby IP for subinterfaces? They’re not monitored by default.
There you are asking me something. I don’t dare to say. But if you are using subinterfaces I would also set a standby IP address in case you need one. If you don’t know for sure, test whether you need one or not.
If you need one I would like to know; it’s a good way to learn in case someone else needs to know it, and then I can add it as extra information to this post.
Ok, thank you for the response. I will start without a standby addresses on subinterfaces and let you know how it behaves.
Hi,
I was advised by a Cisco Pro that subinterfaces also require standby addresses.
I found a mistake in your description. When you set the key on the secondary device, you type “failover lan key ..”, I think it should be “failover key …” (without the word “lan”).
Regards
Thanks for replying. Good to know for the future if I have to configure a standby address on a sub-interface.
I will adjust the text soon.
Regards, Fred