Cisco ASA 5510 (2x) Active / Standby failover

A few weeks ago I installed two Cisco ASA 5510 devices for ISP failover and Active/Standby failover. In an earlier post I wrote about the ISP failover; now I'm going to write about the Active/Standby failover.
For Active/Standby failover you need two Cisco ASAs; in my example I use two Cisco ASA 5510s.
What do you have to do? First, configure your Cisco ASA as you usually do, but with some exceptions on the interfaces. In this case I wanted a solution that could fail over on both the internal and external interfaces.
You start at the interfaces.

Outside interface
 Ciscoasa(config)#interface Ethernet 0/0
 Ciscoasa(config-if)#description interface to <access device> internet-connection
 Ciscoasa(config-if)#nameif outside
 Ciscoasa(config-if)#security-level 0
 Ciscoasa(config-if)#ip address <ip add.> <Subnetmask> standby <follow ip add>
Inside interface
 Ciscoasa(config)#interface Ethernet 0/1
 Ciscoasa(config-if)#description interface to local area network (LAN)
 Ciscoasa(config-if)#nameif inside
 Ciscoasa(config-if)#security-level 100
 Ciscoasa(config-if)#ip address <ip add.> <Subnetmask> standby <follow LAN ip add>

First you have to clear the Management interface, because it will carry the failover link. You can do this via:

 Ciscoasa(config)#clear configure interface m0/0
 Ciscoasa(config)#int Man 0/0
 Ciscoasa(config-if)#no shut

Now you need to configure the failover. Start with:

 failover lan interface failover Management0/0
 failover interface ip failover <ip add.> <Subnetmask> standby <standby ip add.>
 failover key myf@1l0v3rk3y
 failover lan unit primary

Now you have to start the failover:

 failover link failover Management0/0

Save your configuration (write mem).
Next you have to configure your secondary Cisco ASA for the failover (the standby device).

Enter enable mode
ciscoasa> en
Open the failover link and issue a “no shut” command.
ciscoasa# conf t
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
Turn on LAN interface for failover.
ciscoasa(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
Give it an IP address (YES: that’s the same as on the primary firewall; there WON’T be a conflict).
ciscoasa(config)# failover interface ip failover <ip add.> <Subnetmask> standby <standby ip add.>
Give it the same key you used above (In step 6).
ciscoasa(config)# failover lan key myf@1l0v3rk3y
Set it as the secondary (standby firewall).
ciscoasa(config)# failover lan unit secondary
Turn on failover.
ciscoasa(config)# failover
You should see……
Detected an Active mate
Beginning configuration replication from mate.
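
To check the result of the steps above, the following added example (not part of the original post) audits a saved running-config for the failover settings this post configures: a standby address on every named interface, the failover key, the unit role and the failover link IP. The sample config and all its addresses are constructed, and `audit_failover` is a hypothetical helper name.

```python
import re

# Constructed sample of a primary unit's running-config. Addresses are
# placeholders from documentation/private ranges, not values from the post.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248 standby 192.0.2.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
!
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 172.16.0.1 255.255.255.252 standby 172.16.0.2
"""

def audit_failover(config: str) -> list[str]:
    """Return findings for an Active/Standby failover configuration."""
    findings = []
    # An interface block is the header line plus its indented sub-commands.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        if not re.search(r"^ nameif \S+", body, re.M):
            continue  # unnamed interfaces (e.g. the failover link) are skipped
        ip = re.search(r"^ ip address (\S+) (\S+)(?: standby (\S+))?", body, re.M)
        if ip and ip.group(3) is None:
            findings.append(f"{name}: no standby address")
    lines = {ln.strip() for ln in config.splitlines()}
    if "failover" not in lines:
        findings.append("failover is not enabled")
    if not any(ln.startswith("failover key ") for ln in lines):
        findings.append("no failover key set")
    if not any(re.match(r"failover lan unit (primary|secondary)$", ln) for ln in lines):
        findings.append("unit role (primary/secondary) not set")
    if not any(ln.startswith("failover interface ip ") for ln in lines):
        findings.append("failover link has no IP address")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed sample this reports the inside interface without a standby address and the missing failover key; the key matters because it is what protects the traffic between the two units on the failover link.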

8 thoughts on “Cisco ASA 5510 (2x) Active / Standby failover”

    1. There you are asking me something. I don’t dare to say. But if you are using sub-interfaces I would also set a standby IP address in case you need one. If you don’t know for sure, test whether you need one or not.
      When you need one I would like to know; it’s a good way to learn in case someone else needs to know it, and then I can add it as extra information to this post.

      1. Ok, thank you for the response. I will start without a standby addresses on subinterfaces and let you know how it behaves.

      2. Hi,
        I was advised by a Cisco Pro that subinterfaces also require standby addresses.
        I found a mistake in your description. When you set the key on the secondary device, you type “failover lan key ..”, I think it should be “failover key …” (without the word “lan”).

        1. Thanks for replying. Good to know for the future if I have to configure a standby address on a sub-interface.
          I will adjust the text soon.
          Regards, Fred
