Sunday, April 24, 2011

Cisco ASA - Active / Passive

If you need to set up a pair of ASA 55XX for Active / Passive, here is the base configuration needed to get this up and running. Please keep in mind that both ASAs need to be running identical code. Below is the minimal amount of configuration needed; there are many more configuration options available.


The commands below are to be entered into the Primary ASA:


#failover (This is the last command you should enter; it turns on failover)


#failover lan unit primary


#failover lan interface failover GigabitEthernet1/1


#failover replication http (This is optional; by default HTTP sessions don’t get replicated to the standby device)


#failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a (The first MAC address is for the primary ASA and the second is for the passive ASA)


#failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b


#failover mac address GigabitEthernet0/2 c471.fe43.f832 f866.f24d.0d4c


#failover mac address GigabitEthernet0/3 c471.fe43.f833 f866.f24d.0d4d


#failover mac address GigabitEthernet1/0 c471.fe43.fd34 588d.096c.b2d0


#failover link failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2




The commands below are to be entered into the Passive ASA:


#failover (This is the last command you should enter; it turns on failover)


#failover lan unit secondary


#failover lan interface failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2 (The IP addresses are correct; they have to match what is on the Primary device)
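
Because the failover interface settings have to match on both units, it is worth checking the two command sets against each other before entering the final failover command. The script below is an added example, not part of the original post: parse and check_pair are hypothetical helper names, and the sample input is constructed from the commands shown above.

```python
import ipaddress
import re
# Constructed sample input: failover lines as shown in the post, '#' prompt removed.
PRIMARY = """\
failover lan unit primary
failover lan interface failover GigabitEthernet1/1
failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a
failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2
"""
SECONDARY = """\
failover lan unit secondary
failover lan interface failover GigabitEthernet1/1
failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$")

def parse(text):
    """Collect failover settings; a leading '#' and trailing "(note)" are ignored."""
    cfg = {"unit": None, "lan_if": None, "ip": None, "macs": []}
    for line in text.splitlines():
        w = re.sub(r"\(.*\)", "", line).replace("#", "").split()
        if w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            cfg["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"] and len(w) == 5:
            cfg["lan_if"] = (w[3], w[4])
        elif w[:3] == ["failover", "interface", "ip"] and len(w) == 8:
            cfg["ip"] = (w[3], w[4], w[5], w[7])  # name, active, mask, standby
        elif w[:3] == ["failover", "mac", "address"] and len(w) == 6:
            cfg["macs"].append((w[4].lower(), w[5].lower()))
    return cfg

def check_pair(primary_text, secondary_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse(primary_text), parse(secondary_text)
    problems = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("unit roles must be primary and secondary")
    for key in ("lan_if", "ip"):
        if p[key] is None or p[key] != s[key]:
            problems.append(f"{key} missing or different between units")
    if p["ip"]:
        _, active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby == active or ipaddress.ip_address(standby) not in net:
            problems.append("standby IP must be a different address in the failover subnet")
    macs = [m for pair in p["macs"] for m in pair]
    if len(set(macs)) != len(macs) or not all(MAC_RE.match(m) for m in macs):
        problems.append("failover mac address entries must be valid and unique")
    return problems
```

Calling check_pair(PRIMARY, SECONDARY) on the sample input returns an empty list; each mismatch is reported as one string.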