ASA Failover is intended to improve the high availability of a firewall deployment. ASA
failover uses two units in a failover pair, and failover can be configured in two modes: Active/Standby and Active/Active.
Cisco ASA Active/Standby Failover
- When configuring the Cisco ASA for High Availability, the failover command is used to configure the devices. A few terms before we begin: Active and Standby vs. Primary and Secondary. In the ASA world, the Primary and Secondary do not change; however, either the Primary or the Secondary can be the Active or the Standby. That is, if the Primary ASA is the Active ASA and it fails, the Secondary.
- I’m considering a pair of ASA 5505 firewalls with the Security Plus upgrade in an active/standby configuration. Normally I’d be looking at something else but the 5505 is all that is needed.
- Currently, Cisco supports Active/Active as well as Active/Standby failover. This article contains a simple example of how to configure Active/Standby stateful high availability on a pair of Cisco ASAs, where one unit acts as the primary ASA and a standby unit becomes active once a failover has occurred.
- Cisco ASA 9.x Active-Standby Configuration: I had a remote site with two Cisco ASA 5525-X firewalls deployed as an Active-Standby failover pair. I've posted a blog a couple of years back regarding this setup in a GNS3 environment, but now I'm deploying it in the real world. ASA (config)# During active/standby failover, the active ASA receives all traffic flows and filters all network traffic while the secondary ASA is in the Ready mode. Therefore you should dimension each ASA device so that it is able to handle all traffic. ASA failover works in 2 modes: Stateful Failover and Regular Failover.
ASA failover modes:
- Active/Standby failover
- Active/Active failover
ASA failover rules:
- Maximum of 10 ms round-trip time between the units
- Each logical interface must be in the same L2 segment on both units
- Each logical interface is IP addressed (an active IP and a standby IP)
- The active (virtual) IP and MAC are always held by the current active unit
- When failover occurs, the standby ASA assumes the active IP and MAC and sends a gratuitous ARP on each interface so that the L2 segments relearn where those addresses live
- The failover interface is required; it carries configuration replication and keepalive polling between the units
- The stateful interface is optional; it carries live session replication between the units
ASA Failover – Active/Standby
Active/Standby failover means that two units work in an active/standby configuration: the active state is always present on one unit of the failover pair and the other unit is standby. The standby unit has an identical configuration to the active unit and polls the active unit with keepalive packets. Based on the defined timeout (a 5-second polling interval with 3 repeats, both configurable), the failover condition is checked. If the failover condition is met, the standby unit becomes active and takes over the active IP address and MAC, while the standby IP and MAC move to the unit that is now standby. A basic failover configuration is presented below.
Primary unit:
```
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
```
Secondary unit:
```
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
```
TIP: to switch failover on, enter the failover command on both units.
The active unit is determined as follows:
- If a unit boots and detects a peer already operating as active, it becomes the standby unit.
- If a unit boots and does not detect a peer, it becomes the active unit.
- If both units boot simultaneously, the primary unit becomes the active unit and the secondary unit becomes the standby unit.
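As an added consistency check (example code written for this page, not from the original post or from Cisco), the Python script below parses the failover commands listed above for both units and flags what would keep an Active/Standby pair from forming: unit roles, LAN/stateful link or IP settings that differ between the units, a standby address outside the active address's subnet, and failover not switched on. The two sample configs are constructed inline from the listing above.

```python
# Added example (not from the original post): parse the failover commands of
# both units and report anything that would stop the Active/Standby pair forming.
import ipaddress
import re

PRIMARY = """\
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
"""
# The secondary unit gets the same commands except for its unit role.
SECONDARY = PRIMARY.replace("lan unit primary", "lan unit secondary")

def parse_failover(text):
    """Collect the failover settings from one unit's configuration text."""
    cfg = {"enabled": False, "unit": None, "lan": None, "link": None, "ip": {}}
    for line in (l.strip() for l in text.splitlines()):
        if line == "failover":
            cfg["enabled"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            cfg["unit"] = m[1]
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            cfg["lan"] = (m[1], m[2])  # (logical name, physical interface)
        elif m := re.fullmatch(r"failover link (\S+) (\S+)", line):
            cfg["link"] = (m[1], m[2])
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            cfg["ip"][m[1]] = (m[2], m[3], m[4])  # name -> (active, mask, standby)
    return cfg

def check_pair(primary_text, secondary_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    problems = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        problems.append("need exactly one primary and one secondary unit")
    for key in ("lan", "link", "ip"):
        if p[key] != s[key]:
            problems.append(f"{key} settings differ between the units")
    # Active and standby addresses must be distinct hosts in one subnet (same L2 segment).
    for name, (active, mask, standby) in p["ip"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.ip_address(standby) not in net:
            problems.append(f"{name}: standby {standby} is not a distinct host in {net}")
    if not (p["enabled"] and s["enabled"]):
        problems.append("'failover' must be entered on both units to switch it on")
    return problems
```

Run check_pair(PRIMARY, SECONDARY) on the page's listing and it returns an empty list; feed it the two running configs of a real pair and any non-empty result is worth resolving before expecting the units to sync.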
Check other Cisco ASA posts from Grandmetric Design Corner.