Cisco ASA Active/Standby Failover

NOTE: Use these instructions at your own risk!!! They were performed on a dev environment, not a production environment.

Here are brief instructions on how to configure LAN-based Active/Standby failover on a Cisco ASA 5510 series. The interfaces are as follows:

Note: the IP addresses were picked at random and are for example purposes only.

int Ethernet0/0: 129.136.22.0/29 (For ASA1 .1 and ASA2 .2)

int Ethernet0/1: 77.127.246.0/25 (For ASA1 .1 and ASA2 .2)

int Ethernet0/2: 192.168.10.0/24 (For ASA1 .1 and ASA2 .2)

int Ethernet0/3 (Failover LAN interface)

On the primary unit run the following commands:

# conf t

(config)# interface Ethernet0/0

(config-if)# ip address 129.136.22.1 255.255.255.248 standby 129.136.22.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/1

(config-if)# ip address 77.127.246.1 255.255.255.128 standby 77.127.246.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/2

(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

(config-if)# Ctrl-Z

# conf t

(config)# interface Ethernet0/3

(config-if)# description LAN Failover Interface

Before configuring anything else on the primary, make sure to configure the above commands on the secondary first!!!

On the secondary unit:

# conf t

(config)# failover

(config)# failover lan unit secondary

(config)# failover lan interface FailoverLinkName Ethernet0/3

(config)# failover key ************

(config)# failover interface ip FailoverLinkName 1.1.1.1 255.255.255.252 standby 1.1.1.2

Note: If you don’t want to monitor an interface for failure, use the following command:

(config)# no monitor-interface InterfaceName

Now back over to the primary unit:

# conf t

(config)# failover

(config)# failover lan unit primary

(config)# failover lan interface FailoverLinkName Ethernet0/3

(config)# failover key ************

(config)# failover interface ip FailoverLinkName 1.1.1.1 255.255.255.252 standby 1.1.1.2

Note: If you don’t want to monitor an interface for failure, use the following command:

(config)# no monitor-interface InterfaceName

You should then see a message from the device indicating that the configuration is syncing from the primary.
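An added example, not part of the original post: a Python check that compares the failover stanzas of both units before they are cabled together, flagging a malformed mask, mismatched failover link settings, or two units given the same role. The sample configs are constructed from the values above, and the function names are this example's own.

```python
import ipaddress

def parse_failover(cfg):
    """Extract the failover settings from one unit's config text."""
    out = {"enabled": False, "unit": None, "link": None, "key": False, "ip": None}
    for line in cfg.splitlines():
        w = line.split()
        if w == ["failover"]:
            out["enabled"] = True
        elif w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            out["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"] and len(w) == 5:
            out["link"] = (w[3], w[4])            # (link name, physical port)
        elif w[:2] == ["failover", "key"] and len(w) >= 3:
            out["key"] = True                     # key text is masked, so only presence is checked
        elif w[:3] == ["failover", "interface", "ip"] and len(w) == 8 and w[6] == "standby":
            out["ip"] = (w[3], w[4], w[5], w[7])  # (name, active, mask, standby)
    return out

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems = []
    for name, u in (("primary", p), ("secondary", s)):
        for field, msg in (("enabled", "failover not enabled"), ("key", "no failover key")):
            if not u[field]:
                problems.append(f"{name}: {msg}")
        if u["ip"] is None:
            problems.append(f"{name}: failover interface ip missing or malformed")
            continue
        _, active, mask, standby = u["ip"]
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                problems.append(f"{name}: standby {standby} outside {net}")
        except ValueError:  # raised for an invalid address or netmask
            problems.append(f"{name}: bad address or mask '{active} {mask}'")
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("unit roles must be primary/secondary")
    for field, msg in (("link", "failover lan interface differs"), ("ip", "failover interface ip differs")):
        if p[field] != s[field]:
            problems.append(msg)
    return problems

# Constructed sample input using the values from this page.
COMMON = ("failover lan interface FailoverLinkName Ethernet0/3\nfailover key *****\n"
          "failover interface ip FailoverLinkName 1.1.1.1 255.255.255.252 standby 1.1.1.2\n")
PRIMARY = "failover\nfailover lan unit primary\n" + COMMON
SECONDARY = "failover\nfailover lan unit secondary\n" + COMMON
```

Calling `check_pair(PRIMARY, SECONDARY)` on the sample returns an empty list; paste each unit's own failover lines in place of the samples to check a real pair.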
