Adding/Configuring a Failover Cisco ASA

These are a few notes outlining a procedure for adding and configuring failover on a Cisco ASA firewall. There are multiple ways to accomplish this; what I describe here relates to a pair of Cisco ASA 5520s being used for WebVPN, running 8.2(4).

  • Let's say you have two interfaces configured on your Cisco ASA 5520:
  • IP of gi0/0 = 192.168.1.1/24
  • IP of gi0/1 = 192.168.2.1/24
  • The next step is to set up the main (Primary) Cisco ASA 5520 firewall to fail over if there is an issue with it. On the primary unit just enter the following commands:
    failover
    failover lan unit primary   (tells the firewall that this is the primary unit)
    failover lan interface failover interface-name
    failover link failover interface-name   (this is for stateful failover)
    failover interface ip failover ip-address subnet-mask standby standby-ip
    example:
    failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
  • In the example commands above, "failover" (shown in bold in the original) is just the name I assigned to the dedicated interface used for the Cisco ASA's failover link, and "interface-name" is the physical interface carrying it.
  • I highly recommend using a dedicated interface for the failover link instead of one of the data interfaces.
  • Make sure you do a write memory after you are done configuring it. Now it's time to configure the Cisco ASA 5520 that is going to be the standby, or secondary, unit.
  • The only thing I do on the secondary unit is the following:
    failover
    failover lan unit secondary   (tells the firewall that this is the secondary unit)
    failover lan interface failover interface-name
    failover link failover interface-name   (this is for stateful failover)
    failover interface ip failover ip-address subnet-mask standby standby-ip
    example:
    failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
    write standby   (this starts copying the configuration, as well as all the certificates, to the standby unit)
  • Once this is done, if you are consoled into the secondary Cisco ASA it will show you that it has detected the primary unit, and it will start to replicate the configuration.
  • With that complete, what I had was an Active/Standby stateful failover pair on the two Cisco ASA 5520 firewalls.
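To make the two-unit procedure above concrete, here is an added example (my own script, not Cisco's and not part of the original notes) that renders the primary and secondary stanzas from one set of values and sanity-checks them first: every standby address must sit in the same subnet as its active address, the failover subnet must not overlap a data subnet, and the failover link must not be one of the data interfaces, which is the recommendation in the notes. The data-interface names, their standby addresses (.2), the physical port GigabitEthernet0/2 for the failover link, and the optional failover key line (a shared secret that protects the failover link, which the notes do not cover) are all assumptions; the addresses and the logical name "failover" are the ones used in the notes.

```python
"""Generate and sanity-check Active/Standby failover configs for a Cisco ASA pair.

Added example for these notes, not a Cisco tool. Addresses and the logical name
"failover" come from the notes; interface names, standby data addresses and the
failover key are assumed values.
"""
import ipaddress

# Data interfaces from the notes. The standby (.2) addresses and nameifs are
# assumed; in Active/Standby each data interface needs a standby address too.
DATA_INTERFACES = [
    # (physical name, nameif, active address/prefix, standby address)
    ("GigabitEthernet0/0", "outside", "192.168.1.1/24", "192.168.1.2"),
    ("GigabitEthernet0/1", "inside", "192.168.2.1/24", "192.168.2.2"),
]

# Dedicated failover link: "failover" is the logical name from the notes,
# GigabitEthernet0/2 is an assumed physical port.
FAILOVER_LINK = ("GigabitEthernet0/2", "failover", "1.1.1.1/30", "1.1.1.2")


def check_pair(active_cidr, standby_ip):
    """Return the problems with one active/standby address pair (empty if fine)."""
    problems = []
    iface = ipaddress.ip_interface(active_cidr)
    net, active = iface.network, iface.ip
    standby = ipaddress.ip_address(standby_ip)
    if standby not in net:
        problems.append(f"standby {standby} is outside {net}")
    elif standby in (net.network_address, net.broadcast_address):
        problems.append(f"standby {standby} is the network or broadcast address")
    if standby == active:
        problems.append(f"standby {standby} equals the active address")
    return problems


def validate(data_ifaces, fo_link):
    """Collect every problem that would break the failover procedure in the notes."""
    problems = []
    fo_phys, fo_name, fo_cidr, fo_standby = fo_link
    fo_net = ipaddress.ip_interface(fo_cidr).network
    for phys, name, cidr, standby in data_ifaces:
        problems += [f"{name}: {p}" for p in check_pair(cidr, standby)]
        # The notes recommend a dedicated failover interface, not a data one.
        if phys == fo_phys:
            problems.append(f"{phys} is both a data interface and the failover link")
        if ipaddress.ip_interface(cidr).network.overlaps(fo_net):
            problems.append(f"{name} subnet overlaps the failover subnet {fo_net}")
    problems += [f"{fo_name}: {p}" for p in check_pair(fo_cidr, fo_standby)]
    return problems


def render(unit, data_ifaces, fo_link, failover_key=None):
    """Return the CLI lines for one unit ('primary' or 'secondary').

    As in the notes, the two units differ only in the `failover lan unit` line.
    """
    if unit not in ("primary", "secondary"):
        raise ValueError(f"unit must be 'primary' or 'secondary', got {unit!r}")
    fo_phys, fo_name, fo_cidr, fo_standby = fo_link
    fo = ipaddress.ip_interface(fo_cidr)
    lines = []
    for phys, name, cidr, standby in data_ifaces:
        iface = ipaddress.ip_interface(cidr)
        lines += [
            f"interface {phys}",
            f" nameif {name}",
            f" ip address {iface.ip} {iface.network.netmask} standby {standby}",
        ]
    lines += [
        "failover",
        f"failover lan unit {unit}",
        f"failover lan interface {fo_name} {fo_phys}",
        f"failover link {fo_name} {fo_phys}",
        f"failover interface ip {fo_name} {fo.ip} {fo.network.netmask} standby {fo_standby}",
    ]
    if failover_key:  # assumed addition: shared secret for the failover link
        lines.append(f"failover key {failover_key}")
    return lines


if __name__ == "__main__":
    issues = validate(DATA_INTERFACES, FAILOVER_LINK)
    if issues:
        raise SystemExit("\n".join(issues))
    for unit in ("primary", "secondary"):
        print(f"! ---- {unit} unit ----")
        print("\n".join(render(unit, DATA_INTERFACES, FAILOVER_LINK, "<shared-secret>")))
```

Run it as-is to print both stanzas; edit the two tables at the top for your own interfaces. The validation runs before anything is rendered, so a standby address typed into the wrong subnet, or a data port reused as the failover link, is reported instead of being pasted into the firewall.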

IMPORTANT: Please use these notes as a reference point. Always test everything in the lab before you put it in production, never do anything that you cannot undo, and always have a backup/back-out plan.
