Cisco ASA Firewall Active / Standby Failover

This topic is to discuss the following lesson:


Hi

Why do I need to assign a standby IP to the inside and outside interfaces? And will the secondary ASA copy all of the running config from the primary ASA once failover is enabled? On my secondary ASA I have a different interface configuration due to me having stacked switches.

Hi Aaron,

You can make failover work without the standby IP address, the only issue is that you will be unable to monitor the interface of the second ASA.

The standby ASA will synchronize its configuration with the active ASA and it won’t do anything until your active ASA fails.

Rene

Hi

When I configure the primary ASA to monitor the inside interface, the secondary ASA says failed.
When I unmonitor the inside interface it shows as standby state.

Any ideas?

Hi Aaron,

Are there any differences between the two ASAs? Model, interfaces, image?

Rene

Hi

No, both are the exact same models. The error only comes when I configure the active ASA to monitor the inside and outside interfaces.

As soon as I remove the command the ASAs assume active/standby roles with no issues.

This host: Primary - Active
Other host: Secondary - Standby Ready - before interface monitoring

This host: Primary - Active
Other host: Secondary - Failed - after interface monitoring

Hi Aaron,

If you post the (relevant) portions of your configuration in a forum topic then I can take a look if you want. Which exact error do you get?

Rene

Rene

The setup is like this:
2 stacked 3850’s which are connected to ASA’s running active/standby. I have attached 2 inside interfaces via EIGRP and 2 outside interfaces connected by "route outside ******".
Is there any need for the standby firewall to have physical connections to the switch stack? If so, will they need IPs assigned to them?

Also, when the standby ASA takes over there are no routes in the routing table?

Also, I have configured the inside interface on the active ASA with the standby IP of the interface which it is connected to on the switch stack.

failover lan unit primary / secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 126.x.x.x 255.255.255.252 standby 126.x.x.x
failover

monitor-interface inside

Error before and after interface monitoring:
This host: Primary – Active
Other host: Secondary – Standby Ready – before interface monitoring

This host: Primary – Active
Other host: Secondary – Failed – after interface monitoring

Thanks Rene, appreciate your time.

Hi Aaron,

The interfaces of both your ASAs should be connected to the same segment. For example, the INSIDE interface of ASA1 and ASA2 has to be in the same VLAN and the same thing applies to the OUTSIDE interface.

You don’t have to configure an IP address on ASA2 but you do have to configure the standby IP address on ASA1:

ASA1#
interface Ethernet0/0
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253

When the standby ASA takes over, it will still have any routes (static and learned).

Rene
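As an added reference (not Rene's lesson or the poster's configuration), the pieces of a LAN-based active/standby setup discussed in this thread, shown for both units. Interface names, the GigabitEthernet0/6 failover link and all addresses (RFC 5737 documentation ranges) are assumptions; the shared secret is a placeholder.

```cisco
! Constructed example; assumed interfaces, names and addresses.
!
! --- Primary unit ---
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Dedicated failover link; the same link also carries stateful replication.
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Placeholder secret: without a key, failover messages and the replicated
! configuration cross the failover link in clear text.
failover key SHARED-SECRET-PLACEHOLDER
!
! Monitor only interfaces that carry a standby address: the active unit
! uses that address to test the peer's interface health.
monitor-interface INSIDE
monitor-interface OUTSIDE
!
failover
!
! --- Secondary unit ---
! Only the failover bootstrap is configured here; the interface
! configuration is replicated from the active unit once failover is up.
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link FAILOVER GigabitEthernet0/6
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key SHARED-SECRET-PLACEHOLDER
failover
```

After both units are up, "show failover" on the primary should report the other host as Standby Ready and list each monitored interface as Normal.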


Really nice explanation!

If ASA1 fails, does ASA2 get the interface IP addresses too, as we do not have interface IPs assigned currently on ASA2? What is the role of the secondary IP assigned on the active ASA?

Thanks!

Hi Mohan,

When ASA1 fails, ASA2 will take over and will use the IP addresses and MAC addresses of the failed unit. Traffic will continue with interruptions.

The standby IP address is used for monitoring and management. Without an IP, how will you access the standby ASA if you want to upgrade its ASA image or something? The standby ASA will also be unable to query the active ASA on the interfaces since it doesn’t have an IP address.

Rene

Hi,
can you explain active-active failover in multi-context?

Thanks


Hi Sims,

I will, I’ll cover this in another lesson.

Rene

Hi Rene,

What will be the gateway IP of R1 & R2? Is VRRP running on INSIDE/OUTSIDE? A little bit confused.

Hi Mohammad,

With the active/standby failover setup, we don’t use VRRP. R1 and R2 will use the IP addresses that are used on ASA1. When ASA1 fails, ASA2 will take over and will use the MAC/IP addresses of ASA1.

Rene

Hi Rene,

I’d like to know about ASA clustering and inter-context communication. If I have a chance, please let me know about this configuration and technology, because in some environments clustering is okay.

Hi Rene,

Please explain to us ASA multi-context and inter-communication between two contexts. How do we go from the context 1 network to another context? How many methods can we use for this communication?
Thanks for your kind support.

Regards,

Hi Mark,

Multiple Context for the ASA is a good topic; I’ll add this to my list. Once it’s done, I’ll let you know.

Rene