We will be building a Active standby failover configuration with redundant Cisco ASA firewalls in this article.

Step1 – You need to make sure failover interfaces selected should in shutdown state. For ex- If you want to use Gi0/7 & Gi0/8 as failover interfaces, you need to shutdown these ports before starting the failover configuration.

Step2 – Configure below commands on primary firewall

failover

failover lan unit primary

failover lan interface statelink GigabitEthernet0/7

failover key *************  (This is optional step if you want to secure failover setup)

failover replication http  (By default http session not replicate, this command replicate http session)

failover link FailLink GigabitEthernet0/8  (If you want to use one interface for failover use Gi0/7 here as well)

failover interface ip statelink 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover interface ip FailLink 1.1.1.5 255.255.255.252 standby 1.1.1.6

Step3 – Configure below commands on secondary firewall

failover

failover lan unit secondary

failover lan interface statelink GigabitEthernet0/7

failover key *************  (This is optional step if you want to secure failover setup)

failover replication http  (By default http session not replicate, this command replicate http session)

failover link FailLink GigabitEthernet0/8

failover interface ip statelink 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover interface ip FailLink 1.1.1.5 255.255.255.252 standby 1.1.1.6

Step4 – Unshut the Gi0/7 & Gi0/8 interfaces on primary firewall

Step5 – Unshut the Gi0/7 & Gi0/8 interfaces on Secondary firewall

Step6 – Once you unshut interfaces on secondayr firewall, you will receive console messages below which shows failover configuration is working

  • Failover LAN becomes OK
  • State change detected an active mate
  • Beginning configuration replication from mate

Step7 – You can verify failover configuration with below commands

  • show failover (This should show one firewall as active and second one as Standby Ready)

Added Resources –

Force failover from active to standby – no failover active

Force failover from standby firewall – failover active

Disabling failover on firewall – no failover

Troubleshooting failover – debug failover (debug fover)

 

I hope his article will help in building & troubleshooting Cisco ASA failover configurations.

Please comment if you want to suggest to add/edit anything in this article?

 

5 2 votes
Article Rating
How to configure failover configuration on Cisco ASA
Tagged on:                         
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x

Discover more from NetworkSecurityGuru

Subscribe now to keep reading and get access to the full archive.

Continue reading