Cisco ASA Firewall Active / Standby Failover

Hi Rene,

Can you explain what would happen if someone were to upgrade the image for an ASA while it is in active/standby state? If the active were upgraded successfully, would it simply replicate the upgrade to the standby? What happens if the standby is upgraded instead?

Regards
Z

Hi Zahan,

It is no problem, but there's a couple of steps to take. You want to make sure that at least one ASA is up and running so that your traffic is not interrupted. Here's how you would do it:

  1. Copy the new ASA image to the active ASA flash memory.
  2. Copy the new ASA image to the standby ASA flash memory.
  3. Use the boot system command to configure both ASAs to boot the new image.
  4. Save the configuration.
  5. Reboot the standby ASA with the failover reload-standby command.
  6. Once the standby ASA has rebooted, use the show failover command to check if the standby ASA is ready.
  7. The show failover command will now show a mismatch.
  8. Force the active ASA to fail over to the standby ASA with the no failover active command.
  9. Now reload the old active ASA.
  10. Use show failover to check if you have an active/standby pair.

This will upgrade both ASAs without downtime.

Rene

Rene

In your diagram above could R2 be the Comcast modem?
Comcast - outside Switch - ASA01 and ASA02 then inside switch

Am I exposing my switch to internet attack by connecting it to the comcast modem before the ASA or should I put a router between the switch and Comcast modem.

Thanks

Donald,
With just a couple of precautions you shouldn't have a problem:

  1. Create a dedicated, isolated VLAN just for this purpose and add the three ports (modem, ASA #1, ASA #2) to this vlan
  2. Try to avoid having an SVI in this dedicated VLAN
  3. If the switch has management capabilities, lock down the sources of management to networks you trust

Rene

The router in your diagram for my home network represents my Cisco 2821 connected to the Comcast modem. What are the special security concerns with the switch connecting the 2 ASA's on the outside interface, with a switch between the Comcast modem and the 2 ASA firewalls?

It seems not only securing the router I now have to worry about the switch.

Donald,
The answer I gave you is based on a real in-production network that I manage. Provider Equipment - Outside Switch - ASA HA Pair - Inside Switch.

So again, special security concerns are:

  1. Create a dedicated, isolated VLAN just for this purpose and add the three ports (modem, ASA #1, ASA #2) to this vlan
  2. Try to avoid having an SVI in this dedicated VLAN
  3. If the switch has management capabilities, lock down the sources of management to networks you trust
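The three precautions above lend themselves to an automated check against the switch's running-config. The following is an added example, not from the thread and not a Cisco tool: it parses a Cisco IOS-style configuration and reports an SVI on the outside VLAN, any access port in that VLAN other than the modem and two ASA ports, and any vty line block without an access-class. The VLAN number 99, the port names, the ACL name MGMT and the sample configurations are constructed for illustration.

```python
"""Audit an IOS switch config for the outside-VLAN precautions in the thread.

Added example: the sample config, VLAN 99, port names and the MGMT ACL are
constructed assumptions, not values from the original posts.
"""
import re

IFACE_RE = re.compile(r"^interface (\S+)")
ACCESS_VLAN_RE = re.compile(r"^\s+switchport access vlan (\d+)")
VTY_RE = re.compile(r"^line vty")
ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) in")


def parse_ios_config(text):
    """Return (interfaces, vtys): interface name -> its indented sub-lines,
    and a list of sub-line lists, one per 'line vty' block."""
    interfaces, vtys, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None            # '!' ends a config section
            continue
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
            continue
        if VTY_RE.match(line):
            current = []
            vtys.append(current)
            continue
        if line.startswith(" ") and current is not None:
            current.append(line)      # sub-command of the open section
        else:
            current = None            # some other top-level command
    return interfaces, vtys


def audit_outside_vlan(text, vlan, allowed_ports):
    """Return a list of findings; empty means all three precautions hold."""
    interfaces, vtys = parse_ios_config(text)
    findings = []
    # Precaution 2: no SVI (interface VlanN) in the dedicated VLAN.
    if f"Vlan{vlan}" in interfaces:
        findings.append(f"SVI interface Vlan{vlan} exists on the outside VLAN")
    # Precaution 1: exactly the modem and two ASA ports are access ports in it.
    members = {name for name, body in interfaces.items()
               if any((m := ACCESS_VLAN_RE.match(s)) and int(m.group(1)) == vlan
                      for s in body)}
    extra, missing = members - set(allowed_ports), set(allowed_ports) - members
    if extra:
        findings.append(f"unexpected ports in VLAN {vlan}: {sorted(extra)}")
    if missing:
        findings.append(f"expected ports not in VLAN {vlan}: {sorted(missing)}")
    # Precaution 3: every vty block restricts management sources.
    for i, body in enumerate(vtys):
        if not any(ACCESS_CLASS_RE.match(s) for s in body):
            findings.append(f"vty block {i} has no access-class")
    return findings


# Constructed sample config that follows all three precautions.
GOOD_CONFIG = """\
!
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/1
 description Comcast modem
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet0/2
 description ASA01 outside
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet0/3
 description ASA02 outside
 switchport mode access
 switchport access vlan 99
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
line vty 0 4
 access-class MGMT in
 transport input ssh
!
"""
# Same config with all three precautions broken: open vty, a fourth port, an SVI.
BAD_CONFIG = GOOD_CONFIG.replace(" access-class MGMT in\n", "") + """\
interface GigabitEthernet0/4
 switchport access vlan 99
!
interface Vlan99
 ip address 203.0.113.10 255.255.255.0
!
"""
OUTSIDE_PORTS = ["GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"]

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("bad", BAD_CONFIG)]:
        print(label, audit_outside_vlan(cfg, 99, OUTSIDE_PORTS) or "OK")
```

The check only looks at access ports; a trunk that carries the outside VLAN via `switchport trunk allowed vlan` would not be reported, so prune trunks separately if the outside switch also carries other VLANs.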

Hi Rene !

I have a question: my primary and secondary ASA 5525 have the 9.1(7) image and I have uploaded the new image 9.4(2) to flash on both.
The boot order is set. My question then: when I reload the secondary there is a difference in images; does it affect the active/standby?
Because then I have 9.1(7) on the primary and 9.4(2) on the secondary. If it does not, then it is just for me to make the primary secondary and reload.

/Oskar

Hi Oskar,

Having different images on the primary and secondary ASA is not a good idea. I would make sure you have the same image on both.

Rene

Hi Rene,
I'm new to your service and just want to say I like what I've seen so far.

I have 2 questions regarding ASA placement and setups

Question 1: on the diagram on this page, what's the subnet used for the 2 routers? I notice you have 3 subnets in the setup: 1 for inside and one for the outside, plus the HA subnet to connect the 2 ASA's. But just wondering what's the other one for the 2 routers? (Assuming it can be any, but just want to make sure if it's another subnet?)

Question 2

Do you have any lessons using 2 ASA's and also 2 routers for redundancy on the outside? It seems that for a complete full redundancy setup, a setup needs to have 2 L3 switches on the inside | 2 ASA's | then 2 routers on the outside also connecting to 2 different ISPs, plus also the L2 switches connecting the ASA's on both sides, correct?

Assuming the latter would be more of a setup on a bigger network? Just trying to find out about other scenarios and what the most used scenarios are in real networks, since I will start working in the field soon. As you can tell I don't have much practice on real-life networks.

Thanks Rene

Art

Hi Rene,

Checking further on the diagram, looks like I got the answer to my Question 1: the interface of router 2 has an IP in the 192.168.2.0/24 (.1) subnet and the inside R1 has an IP address in the 192.168.1.0/24 (.2) subnet.

Hi Art,

Glad to hear you like it!

On the inside I'm using 192.168.1.0/24, R1 is on 192.168.1.1. On the outside we have 192.168.2.0/24 with R2 using 192.168.2.2.

In labs/examples I try to stick to using the number of the router/switch as the IP address.

This example explains how failover works on the ASA, but for full redundancy you'll need to add some extra components, yes. The two switches are still single points of failure, and so is R2 on the outside.

The switch on the outside could be replaced with two switches, perhaps in a stack:

https://networklessons.com/switching/cisco-stackwise/

You could then use two routers on the outside, connected to two different ISPs.

If you want to learn a bit more about different ASA designs, you might like Cisco's Validated Designs. Here's an example:

Rene

Hi Rene,

I had a quick question. I haven't started this lab yet; however, I can see ASA2's outside interface doesn't have an IP. In an active/standby situation, when the active fails, does the outside IP on ASA1 get replicated to ASA2's outside IP? For e.g. will ASA1's e0/1 .254 IP get replicated to ASA2's e0/1 interface?

Sorry just abit confusing for a first timer doing this lab.

Thanks.

Hello Sina

When configuring the ASAs in active/standby mode, ASA1 is configured fully with IP addresses on all interfaces. When ASA 2 is configured, you only configure the commands that allow it to function as the standby device. This means that no outside or inside interfaces are configured and no IP addresses are configured on these interfaces.

In the configuration of the ASA1 however, you can see the following commands implemented on interface Ethernet 0/1:

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

The command standby 192.168.2.253 in essence configures the IP address of the standby device.

So, if a failover does occur where ASA1 is no longer functioning, ASA2 will assume the active role. This means that ASA2 will adopt the IP addresses and MAC addresses of the interfaces of the failed unit and will begin to pass traffic. If ASA1 comes back online, ASA2 will remain active and ASA1 will assume the standby IP addresses. In essence, they swap IP and MAC addresses whenever there is a failover.

Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network, and hosts know nothing of the failover.

In the verification section, some output of the show failover command on ASA1 shows the following:

     Last Failover at: 12:23:34 UTC Dec 19 2014
	This host: Primary - Active 
		Active time: 1664 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
		  Interface INSIDE (192.168.1.254): Normal (Monitored)
		  Interface OUTSIDE (192.168.2.254): Normal (Monitored)
		slot 1: empty
	Other host: Secondary - Standby Ready 
		Active time: 31 (sec)
		slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
		  Interface INSIDE (192.168.1.253): Normal (Monitored)
		  Interface OUTSIDE (192.168.2.253): Normal (Monitored)
		slot 1: empty

If ASA1 fails and comes back up, ASA 2 will take the active role and ASA 1 will take the standby role and the output would be reversed like so:

     Last Failover at: 12:23:34 UTC Dec 19 2014
	This host: Secondary - Standby Ready 
		Active time: 31 (sec)
		slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
		  Interface INSIDE (192.168.1.253): Normal (Monitored)
		  Interface OUTSIDE (192.168.2.253): Normal (Monitored)
		slot 1: empty
	Other host: Primary - Active 
		Active time: 1664 (sec)
		slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
		  Interface INSIDE (192.168.1.254): Normal (Monitored)
		  Interface OUTSIDE (192.168.2.254): Normal (Monitored)
		slot 1: empty

The IP addresses would be swapped.

I hope this has been helpful for you!

Laz
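Both the upgrade procedure earlier in the thread (steps 6, 7 and 10 all come down to reading show failover) and the output quoted above are easier to act on when the check is scripted. The following is an added example, not part of the original thread and not Cisco tooling: it parses show failover text into per-unit records and reports anything that would make the pair unsafe to fail over or upgrade. The sample output is constructed to match the format quoted above; the definition of "healthy" (one Active and one Standby Ready unit, both "Up Sys", identical software versions, every interface "Normal") is an assumption.

```python
"""Parse Cisco ASA `show failover` output and flag problems in the pair.

Added example: the sample output below is constructed to mirror the format
quoted in the thread; the health rules are assumptions, not Cisco's.
"""
import re
from dataclasses import dataclass, field

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# "slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)"
SLOT_RE = re.compile(r"hw/sw rev \(([^/]+)/(.+?)\) status \((.+?)\)")
# "Interface OUTSIDE (192.168.2.254): Normal (Monitored)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*([^(]+?)\s*\((.+?)\)")


@dataclass
class Unit:
    role: str                 # Primary or Secondary
    state: str                # Active, Standby Ready, Failed, ...
    hw_version: str = ""
    sw_version: str = ""
    status: str = ""          # e.g. "Up Sys"
    interfaces: dict = field(default_factory=dict)   # name -> (ip, state)


def parse_show_failover(text):
    """Return {"This": Unit, "Other": Unit} parsed from `show failover` text."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Unit(role=m.group(2), state=m.group(3))
            units[m.group(1)] = current
            continue
        if current is None:
            continue                      # header lines before the first host
        m = SLOT_RE.search(line)
        if m:
            current.hw_version, current.sw_version, current.status = m.groups()
            continue
        m = IFACE_RE.match(line)
        if m:
            current.interfaces[m.group(1)] = (m.group(2), m.group(3))
    return units


def pair_problems(units):
    """List human-readable problems; an empty list means the pair is healthy."""
    this, other = units.get("This"), units.get("Other")
    if this is None or other is None:
        return ["could not find both units in the output"]
    problems = []
    if {this.state, other.state} != {"Active", "Standby Ready"}:
        problems.append(f"unexpected states: {this.state} / {other.state}")
    if this.sw_version != other.sw_version:   # the mismatch seen mid-upgrade
        problems.append(f"software mismatch: {this.sw_version} vs {other.sw_version}")
    for u in (this, other):
        if u.status != "Up Sys":
            problems.append(f"{u.role} status is {u.status!r}")
        for name, (ip, state) in u.interfaces.items():
            if state != "Normal":
                problems.append(f"{u.role} interface {name} ({ip}) is {state}")
    return problems


# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_HEALTHY = """\
Failover On
Last Failover at: 12:23:34 UTC Dec 19 2014
        This host: Primary - Active
                Active time: 1664 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface INSIDE (192.168.1.254): Normal (Monitored)
                  Interface OUTSIDE (192.168.2.254): Normal (Monitored)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 31 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
                  Interface INSIDE (192.168.1.253): Normal (Monitored)
                  Interface OUTSIDE (192.168.2.253): Normal (Monitored)
                slot 1: empty
"""
# Standby already reloaded with a newer image (step 7 of the upgrade procedure).
SAMPLE_MISMATCH = SAMPLE_HEALTHY.replace("1.1/9.1(5)", "1.1/9.4(2)")
# Standby's outside link is down: not safe to force a failover onto it.
SAMPLE_IFACE_DOWN = SAMPLE_HEALTHY.replace(
    "(192.168.2.253): Normal (Monitored)", "(192.168.2.253): Failed (Waiting)")

if __name__ == "__main__":
    for label, sample in [("healthy", SAMPLE_HEALTHY), ("mismatch", SAMPLE_MISMATCH),
                          ("iface down", SAMPLE_IFACE_DOWN)]:
        print(label, pair_problems(parse_show_failover(sample)) or "OK")
```

Run it against the real output (for example pasted from the console or fetched over SSH) before step 8 of the procedure: a software mismatch is expected at that point and is the only finding you should see; any interface that is not Normal means the standby is not ready to take over.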

Hi,

In this topology do we need a failover IP address for the outside interface?

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253

Is the below ok ?

ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 

Thanks

Hi Sims,

Here's a link to a similar answer to the same question:

https://forum.networklessons.com/t/cisco-asa-firewall-active-standby-failover/177/3?u=renemolenaar

Rene


Hello Rene,
Thanks for your article,
How can I reload both firewalls (active and standby) from the CLI? I know how to do it through Reload System in ASDM.
Thanks in advance.

Hi Wisam,

You can do failover reload-standby to reload the standby ASA, then a regular reload to reload the active one.

Rene

I'm having an issue with my ASA failover. The router had the route (route outside 0.0.0.0 0.0.0.0 x.x.x.x 1); when I removed it and added route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1, the connection fails. I'm not sure what I'm doing wrong. Can I get some assistance please?

Hello Ebenezer

The only difference in the two cases is the track 1 keywords at the end. What do you have configured as your tracking parameters for track 1? Take a look at those parameters and see if they are the issue.

Let us know your results!

I hope this has been helpful.

Laz