ASA5550 Active/Active or Active/Standby

Unanswered Question
Aug 6th, 2008

Hi, what is best practice for configuring ASA5550 failover? Please can I have some advice, as at the moment we have a PIX525 with stateful failover, which works well for us. But I have been reading, and active/active seems attractive, but I am not sure, as this is something different. Please can you also post a configuration of the recommended solution?

dhananjoy chowdhury Wed, 08/06/2008 - 12:41

Hi,

Active/Active failover is only available to ASA/PIX firewall in multiple context mode.


Now, if you configure the FW in context mode, features like VPN, dynamic routing protocols, multicast, etc. are not supported.


So, before migrating to Active/Active failover, you should check your requirements.

network_team Wed, 08/06/2008 - 12:47

Hi Thanks...


Can you send me a sample config for Active/Standby for the ASA5550? I don't want to lose functionality within the unit. What is the best active/standby setup? Is it stateful, and how do I configure it? I have configured the primary unit, but I'm confused about the setup for failover and what configuration is needed for the secondary.


Cheers, Lev

JORGE RODRIGUEZ Wed, 08/06/2008 - 14:04

In addition to Dhananjoy's info:


Read this link for detailed stateful failover configuration information and implementation options. Please read the whole part (Configuring Failover); it covers almost every question you may have.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html#wp1051759


You would want to have stateful enabled and take advantage of the feature. You may use the same regular LAN-based port for stateful; go over the stateful link above.


Last but not least, take a tour of this link for interactive ASA active/standby config training; even though it is a graphical presentation, it will help you a lot.


Interactive- Pick Active/Standby Failover for ASA 5500

http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html



Rgds

Jorge


network_team Thu, 08/07/2008 - 03:30

Thanks this is excellent...


Just one more question: when the primary PIX goes down and the secondary is now active, can you make changes to the secondary, and will it replicate up to the primary when sync starts?

network_team Thu, 08/07/2008 - 05:20

Hi, I have configured the primary ASA with a full config. What configuration, apart from the failover information, do I configure? Do I configure the same IP addresses on the interfaces as the primary?


dhananjoy chowdhury Thu, 08/07/2008 - 05:27

This is all that is required on the secondary box. Check that the cables are connected.


failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover

network_team Fri, 08/08/2008 - 01:22

Excellent, thanks, this now works, but I have one concern. I get a 1 millisecond timeout when failover occurs. I feel this will affect connectivity for users. Should I be concerned?



I have configured the following:


interface GigabitEthernet1/3
 description LAN/STATE Failover Interface
 speed 1000
 duplex full

failover
failover lan unit Primary
failover lan interface Fail GigabitEthernet1/3
failover replication http
failover link Fail GigabitEthernet1/3
failover interface ip Fail 221.0.0.1 255.255.255.252 standby 221.0.0.2

failover
failover lan unit secondary
failover lan interface Fail GigabitEthernet1/3
failover replication http
failover link Fail GigabitEthernet1/3
failover interface ip Fail 221.0.0.1 255.255.255.252 standby 221.0.0.2
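
An added example, not part of any post in this thread and not Cisco's code: a small Python check that the failover lines on the two units agree and that a `failover key` is set (Cisco documents that failover link traffic is sent in clear text without one). The sample configs are constructed from the last post above, and the function names are hypothetical.

```python
# Constructed sample input: the two failover blocks from the last post in the thread.
PRIMARY = """\
failover
failover lan unit Primary
failover lan interface Fail GigabitEthernet1/3
failover replication http
failover link Fail GigabitEthernet1/3
failover interface ip Fail 221.0.0.1 255.255.255.252 standby 221.0.0.2
"""
SECONDARY = PRIMARY.replace("lan unit Primary", "lan unit secondary")

# Failover commands whose arguments must be identical on both units (prefix -> label).
SHARED = {
    "failover lan interface": "lan interface",
    "failover link": "state link",
    "failover interface ip": "interface ip",
    "failover key": "key",
}

def parse_failover(cfg):
    """Return the failover settings of one unit as a dict (hypothetical helper)."""
    out = {"enabled": False, "unit": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "failover":
            out["enabled"] = True
        elif line.lower().startswith("failover lan unit "):
            out["unit"] = line.split()[-1].lower()
        else:
            for prefix, label in SHARED.items():
                if line.startswith(prefix):
                    out[label] = line[len(prefix):].strip()
    return out

def compare_units(primary_cfg, secondary_cfg):
    """List differences between the two units' failover settings and flag a missing key."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        findings.append("unit roles must be one primary and one secondary")
    if not (p["enabled"] and s["enabled"]):
        findings.append("failover not enabled on both units")
    for label in SHARED.values():
        if p.get(label) != s.get(label):
            findings.append(f"{label} differs between units")
    if "key" not in p or "key" not in s:
        findings.append("no failover key: failover link traffic is sent in clear text")
    return findings
```

Run against the two blocks as posted, `compare_units(PRIMARY, SECONDARY)` reports only the missing `failover key`.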
