The commands below are to be entered into the Primary ASA:
#failover (This is the last command you should enter; it turns on failover)
#failover lan unit primary
#failover lan interface failover GigabitEthernet1/1
#failover replication http (This is optional; without it, HTTP sessions don’t get replicated to the standby device)
#failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a (The first MAC address is for the primary ASA and the second is for the passive ASA)
#failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b
#failover mac address GigabitEthernet0/2 c471.fe43.f832 f866.f24d.0d4c
#failover mac address GigabitEthernet0/3 c471.fe43.f833 f866.f24d.0d4d
#failover mac address GigabitEthernet1/0 c471.fe43.fd34 588d.096c.b2d0
#failover link failover GigabitEthernet1/1
#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2
The commands below are to be entered into the Passive ASA:
#failover (This is the last command you should enter; it turns on failover)
#failover lan unit secondary
#failover lan interface failover GigabitEthernet1/1
#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2 (The IPs are correct; they have to match what is on the Primary device)
Hi Adrian,
The "failover mac address" is a bit unclear to me.
Can you show the real MACs of the interfaces (sh interface gi..) of both ASAs?
Best Regards,
Bj
Hey BJ,
I appreciate you posting a question! I don't have access to those ASAs anymore as that was a contract job a little while back, but the answer to your question is this.
The MAC addresses used are the physical interface MACs of the active ASA (BIA). When you sync the (2) ASAs, the passive ASA will inherit the MACs of the Active ASA. Should a failover occur, all hosts continue to send to the same MAC address.
HTHs a little!
Hi Adrian,
As I understand
"failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a"
c471.fe43.f830 - BIA gi0/0 of Active ASA
f866.f24d.0d4a - BIA gi0/0 of Standby ASA
?
Best Regards
Bj
Good questions!
In active / passive failover, the active device uses the primary unit’s MAC addresses. In the event of a failover, the secondary device becomes active and takes over the primary unit's MAC addresses, whereas the active device (Now standby) takes over the standby (Now Primary) MAC addresses. When the standby becomes active, it sends out a gratuitous ARP on the network.
Hi Adrian, so the above question asked by BJ is correct?
As I understand
"failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a"
c471.fe43.f830 - BIA gi0/0 of Active ASA
f866.f24d.0d4a - BIA gi0/0 of Standby ASA
Regards,
min