Hi @ReneMolenaar @lagapidis, if I want to put 2 firewalls in HA, must I also use 2 identical licenses, or is one license OK for both identical firewalls? Thank you
Hello Valerio
For failover, ASA devices don’t need to have the same license on each unit. However, there are limitations as to what licenses should exist on both devices. Take a look at this Cisco documentation that details the licensing limitations for ASAs and failover:
In addition, the software version used in each ASA has some limitations. Both ASAs must have the same major (first number) and minor (second number) software version. So HA can be deployed on two ASAs with version numbers 8.4.1(11) and 8.4.3, but not on two ASAs with version numbers 8.4.1 and 8.6. This information can also be seen in the Cisco document shared above.
I hope this has been helpful!
Laz
When you did
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
What is the 192.168.1.253 IP? I get you are assigning the outside and inside interface, but confused about the 192.168.1.253?
Hello Hong
When creating an active/standby setup with Cisco ASAs, you don’t configure any addresses on the standby device. Indeed, the only thing you configure is the failover configuration, and the failover interface, which is the link between the two devices. In this lesson, the failover interface is the E0/3 interface on both devices.
Once that is done, the configuration will be replicated and sent to ASA2. Now we come to your question. When you issue the following command on ASA1:
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
you are essentially telling ASA2 what the IP address of its corresponding interface will be. When the configuration is replicated, you will see that the E0/0 interface of ASA2 will obtain the 192.168.1.253 IP address. It will also adopt the same subnet mask as that configured on ASA1.
Similarly, for the E0/1 interface, you will see that the 192.168.2.253 address is used for the ASA2.
Take a look at this Cisco ASA command reference for more information:
I hope this has been helpful!
Laz
Hi,
We currently have 2x Cisco FPR-1120 with ASA image version 9.20 installed. Both are currently configured as Active/Standby stateful failover. When we issue the command no failover active to trigger a failover, we notice around 800 ms of packet loss while running a continuous ping (Linux fping command) between two hosts.
Is this normal or is there a way to make the failover much faster?
Thanks!
Hello Erik
The failover time you’re experiencing is quite normal for an ASA Active/Standby failover setup. The ASA failover process involves several steps such as checking the health of the units, transferring the stateful information, and switching the active role, which can take some time.
However, you can adjust some of the failover criteria to attempt to get a faster failover time. For example, you can adjust the failover poll time (the time the ASA waits before declaring the other unit as failed) using the failover polltime command. Keep in mind that setting this value too low can cause unnecessary failover. You can also use BFD to help improve failover times, but BFD is only supported on Firepower 9300 and 4100.
You should be careful when adjusting these parameters as they can cause unexpected results. For more information about these configs, take a look at the following Cisco documentation:
Remember, the goal of failover is not to provide zero downtime, but to provide a backup in case the primary system fails. If you need a higher level of availability, consider using an Active/Active arrangement.
I hope this has been helpful!
Laz
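The two answers above (the standby address on each data interface, and the failover polltime knob) in one minimal Active/Standby configuration, as an added example that is not from the lesson or from the posters; the failover link name FAILOVER, the 10.0.0.0/24 failover-link addresses and the polltime values are assumptions, the data-interface addresses are the ones from the thread.

```cisco
! ASA1 (primary unit). Failover link name FAILOVER and 10.0.0.0/24 are assumed values.
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet0/3
 no shutdown
! Data interfaces: the "standby" address is the one ASA2 takes once the config is replicated.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
 no shutdown
! Optional: faster unit-failure detection. Defaults are 1 s poll / 15 s hold;
! holdtime must be at least 3x polltime, and low values risk spurious failovers.
failover polltime unit msec 300 holdtime msec 900
failover

! ASA2 (secondary unit): only the failover bootstrap, everything else is replicated from ASA1.
failover lan unit secondary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet0/3
 no shutdown
failover
```

After both units are up, "show failover" on either unit lists the active/standby roles and the address pair per interface, so you can confirm that ASA2 reports 192.168.1.253 on E0/0 and 192.168.2.253 on E0/1.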