ASA Active/Standby failover config

Unanswered Question
Aug 11th, 2008

Hi,

I am having trouble getting the config right for failover on a pair of ASA 5505 with a plus license. I have a Cisco Press book but I think the examples are for 5510 and up. I could not find what I needed on the web site either.

Can someone provide a 5505 config example or point me at a good doc that really deals with the 5505?

Thanks,

Michael Hurley

anthony.king Mon, 08/11/2008 - 17:19

Here is a config that worked for me. You can change the vlan number to something else and I don't think you need to 'no shut' it but I do anyway. Just change the ***** to your own key and make sure the subnet doesn't overlap with something you are already using and it should work.

!!! Primary unit

failover

failover lan unit primary

failover lan interface fo-int Vlan20

failover key *****

failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2

int vlan20

no shut

!!! Secondary unit

failover

failover lan unit secondary

failover lan interface fo-int Vlan20

failover key *****

failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2

int vlan20

no shut

mvhurley9 Tue, 08/12/2008 - 14:16

Anthony,

Thanks, your suggestion worked for me... but when I do a sh fail I get Unknown (Waiting) status as indicated in the output below. The 2 units seem to be communicating OK and changes made on the primary are copied to the secondary.

I found a Cisco doc that suggested I apply portfast on the switch ports the ASAs are connected on but that did not change anything.

Any ideas?

Thanks,

Michael

FROM SECONDARY

test1# sh fail

Failover On

Failover unit Secondary

Failover LAN Interface: fail_int Vlan15 (up)

Unit Poll frequency 10 seconds, holdtime 30 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

Version: Ours 7.2(3), Mate 7.2(3)

Last Failover at: 10:28:10 UTC Aug 12 2008

This host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.30): Normal (Waiting)

Interface inside (10.0.135.41): Normal (Waiting)

slot 1: empty

Other host: Primary - Active

Active time: 14387 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.29): Unknown (Waiting)

Interface inside (10.0.135.40): Unknown (Waiting)

slot 1: empty

test1#

FROM PRIMARY

test1# sh fail

Failover On

Failover unit Primary

Failover LAN Interface: fail_int Vlan15 (up)

Unit Poll frequency 10 seconds, holdtime 30 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

Version: Ours 7.2(3), Mate 7.2(3)

Last Failover at: 10:56:38 UTC Aug 12 2008

This host: Primary - Active

Active time: 14687 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.29): Normal (Waiting)

Interface inside (10.0.135.40): Normal (Waiting)

slot 1: empty

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.30): Normal (Waiting)

Interface inside (10.0.135.41): Normal (Waiting)

slot 1: empty

test1#
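
The interface status lines in the output above can be checked mechanically. The following is an added example, not part of the original thread or any Cisco tool: a small Python parser for `show failover` output that lists every monitored interface whose status is anything other than plain Normal, plus any software version mismatch between the units. The function names are hypothetical and the sample is abridged from the "FROM SECONDARY" output for illustration.

```python
import re

# Constructed sample: abridged from the "FROM SECONDARY" output in this thread.
SAMPLE = """\
Failover On
Failover unit Secondary
Version: Ours 7.2(3), Mate 7.2(3)
This host: Secondary - Standby Ready
Interface outside (172.30.148.30): Normal (Waiting)
Interface inside (10.0.135.41): Normal (Waiting)
Other host: Primary - Active
Interface outside (172.30.148.29): Unknown (Waiting)
Interface inside (10.0.135.40): Unknown (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*$")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")

def parse_show_failover(text):
    """Return {'versions': (ours, mate), 'hosts': {'This': {...}, 'Other': {...}}}."""
    result = {"versions": None, "hosts": {}}
    current = None  # host section the following Interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()  # blank and unrelated lines match no pattern and are skipped
        if m := VER_RE.match(line):
            result["versions"] = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            current = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            result["hosts"][m.group(1)] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
    return result

def findings(parsed):
    """List version mismatches and interfaces not reported as plain 'Normal'."""
    out = []
    v = parsed["versions"]
    if v and v[0] != v[1]:
        out.append(f"version mismatch: ours {v[0]}, mate {v[1]}")
    for side, host in parsed["hosts"].items():
        for name, i in host["interfaces"].items():
            if i["status"] != "Normal":
                out.append(f"{side} host ({host['unit']}) {name} {i['ip']}: {i['status']}")
    return out

if __name__ == "__main__":
    for f in findings(parse_show_failover(SAMPLE)):
        print(f)
```

Run against both units' output, it shows at a glance that the secondary reports the primary's interfaces as Unknown (Waiting) while the primary reports its own as Normal (Waiting).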
