Sunday, April 24, 2011

Cisco ASA - Active / Passive

If you need to set up a pair of ASA 55XX appliances for Active / Passive failover, here is the base configuration needed to get this up and running. Keep in mind that both ASAs need to be running identical code, and that what follows is the minimal configuration; many more configuration options are available.


The commands below are to be entered into the Primary ASA:

#failover (Enter this command last; it turns failover on.)
#failover lan unit primary
#failover lan interface failover GigabitEthernet1/1
#failover replication http (Optional. HTTP sessions are not replicated to the standby device by default; this command enables that replication.)
#failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a (The first MAC address is the primary unit's, the second is the passive ASA's.)
#failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b
#failover mac address GigabitEthernet0/2 c471.fe43.f832 f866.f24d.0d4c
#failover mac address GigabitEthernet0/3 c471.fe43.f833 f866.f24d.0d4d
#failover mac address GigabitEthernet1/0 c471.fe43.fd34 588d.096c.b2d0
#failover link failover GigabitEthernet1/1
#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2




The commands below are to be entered into the Passive ASA:

#failover (Enter this command last; it turns failover on.)
#failover lan unit secondary
#failover lan interface failover GigabitEthernet1/1
#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2 (The IP addresses are correct as shown; they have to match what is configured on the Primary device.)
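As an added example (not part of the original post), here is a small Python consistency check over the two command sets above: it parses the failover lines of each unit, verifies the values that have to match between primary and secondary, checks the MAC pairs, confirms that `failover` is the last command entered, and warns when the pair has no `failover key`, a hardening step the post does not cover (without it, traffic on the failover link is sent in clear text). The sample configurations are constructed from the post's commands with the `#` prompt stripped.

```python
import re
# Constructed sample input: the two command sets from the post, `#` prompt stripped.
PRIMARY = """failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a
failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b
failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2
failover"""
SECONDARY = """failover lan unit secondary
failover lan interface failover GigabitEthernet1/1
failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2
failover"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # Cisco dotted-hex form
def parse(cfg):
    # Pull the failover-relevant fields out of one unit's configuration.
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    d = {"unit": None, "lan_if": None, "ip": None, "macs": {}, "key": False,
         "enabled_last": lines[-1:] == ["failover"]}  # post: enter 'failover' last
    for l in lines:
        t = l.split()
        if l.startswith("failover lan unit "):
            d["unit"] = t[-1]
        elif l.startswith("failover lan interface "):
            d["lan_if"] = tuple(t[3:5])       # (name, physical interface)
        elif l.startswith("failover interface ip "):
            d["ip"] = tuple(t[4:])            # (ip, mask, 'standby', standby ip)
        elif l.startswith("failover mac address "):
            d["macs"][t[3]] = (t[4], t[5])    # interface -> (active, standby)
        elif l.startswith("failover key "):
            d["key"] = True
    return d
def check_pair(primary_cfg, secondary_cfg):
    # Return a list of problems; an empty list means the pair is consistent.
    p, s = parse(primary_cfg), parse(secondary_cfg)
    problems = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("unit roles must be primary / secondary")
    if p["lan_if"] != s["lan_if"]:
        problems.append("failover lan interface differs between units")
    if p["ip"] != s["ip"]:
        problems.append("failover interface ip must be identical on both units")
    for ifname, (active, standby) in p["macs"].items():
        if active == standby or not (MAC_RE.match(active) and MAC_RE.match(standby)):
            problems.append(f"{ifname}: bad active/standby MAC pair")
    for name, d in (("primary", p), ("secondary", s)):
        if not d["enabled_last"]:
            problems.append(f"{name}: 'failover' must be the last command entered")
        if not d["key"]:  # hardening point not covered in the post
            problems.append(f"{name}: no 'failover key'; failover-link traffic is cleartext")
    return problems
```

Run against the post's own commands, the only findings are the two missing `failover key` warnings; change the standby IP or drop the trailing `failover` on one unit and the corresponding mismatch is reported.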





5 comments:

  1. Hi Adrian,

    The "failover mac address" is a bit unclear to me.

    Can you show the real MACs of the interfaces (sh interface gi..) of both ASAs?

    Best Regards,
    Bj

  2. Hey BJ,

    I appreciate you posting a question! I don't have access to those ASAs anymore, as that was a contract job a little while back, but the answer to your question is this.

    The MAC addresses used are the physical interface MACs of the active ASA (BIA). When you sync the two ASAs, the passive ASA will inherit the MACs of the active ASA. Should a failover occur, all hosts continue to send to the same MAC address.

    HTHs a little!

  3. Hi Adrian,

    as I understand

    "failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a"

    c471.fe43.f830 - BIA gi0/0 of Active ASA
    f866.f24d.0d4a - BIA gi0/0 of Standby ASA

    ?

    Best Regards
    Bj

  4. Good questions!

    In active / passive failover, the active device uses the primary unit's MAC addresses. In the event of a failover, the secondary device becomes active and takes over the primary unit's MAC addresses, whereas the active device (now standby) takes over the standby (now primary) MAC addresses. When the standby becomes active, it sends out a gratuitous ARP on the network.

  5. Hi Adrian, so the above question asked by BJ is correct?

    as I understand

    "failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a"

    c471.fe43.f830 - BIA gi0/0 of Active ASA
    f866.f24d.0d4a - BIA gi0/0 of Standby ASA


    Regards,
    min
