ASA Active/Standby failover config

Aug 11th, 2008

Hi,


I am having trouble getting the config right for failover on a pair of ASA 5505 with a plus license. I have a Cisco Press book but I think the examples are for 5510 and up. I could not find what I needed on the web site either.

Can someone provide a 5505 config example or point me at a good doc that really deals with the 5505?


Thanks,


Michael Hurley


Marwan ALshawi Mon, 08/11/2008 - 17:04
First, the ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active failover, so go to the Active/Standby section directly.

This link will give all the details and config required:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1058096

Good luck.

Please rate if helpful.

anthony.king Mon, 08/11/2008 - 17:19

Here is a config that worked for me. You can change the vlan number to something else and I don't think you need to 'no shut' it but I do anyway. Just change the ***** to your own key and make sure the subnet doesn't overlap with something you are already using and it should work.



!!! Primary unit
failover
failover lan unit primary
failover lan interface fo-int Vlan20
failover key *****
failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2
int vlan20
 no shut

!!! Secondary unit
failover
failover lan unit secondary
failover lan interface fo-int Vlan20
failover key *****
failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2
int vlan20
 no shut


mvhurley9 Tue, 08/12/2008 - 14:16

Anthony,


Thanks, your suggestion worked for me... but when I do a sh fail I get Unknown (Waiting) status, as indicated in the output below. The 2 units seem to be communicating OK and changes made on the primary are copied to the secondary.


I found a Cisco doc that suggested I apply portfast on the switch ports the ASAs are connected on but that did not change anything.


Any ideas?


Thanks,


Michael




FROM SECONDARY

test1# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: fail_int Vlan15 (up)
Unit Poll frequency 10 seconds, holdtime 30 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 10:28:10 UTC Aug 12 2008
    This host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
          Interface outside (172.30.148.30): Normal (Waiting)
          Interface inside (10.0.135.41): Normal (Waiting)
        slot 1: empty
    Other host: Primary - Active
        Active time: 14387 (sec)
        slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
          Interface outside (172.30.148.29): Unknown (Waiting)
          Interface inside (10.0.135.40): Unknown (Waiting)
        slot 1: empty
test1#

FROM PRIMARY

test1# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: fail_int Vlan15 (up)
Unit Poll frequency 10 seconds, holdtime 30 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 10:56:38 UTC Aug 12 2008
    This host: Primary - Active
        Active time: 14687 (sec)
        slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
          Interface outside (172.30.148.29): Normal (Waiting)
          Interface inside (10.0.135.40): Normal (Waiting)
        slot 1: empty
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
          Interface outside (172.30.148.30): Normal (Waiting)
          Interface inside (10.0.135.41): Normal (Waiting)
        slot 1: empty
test1#
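
As an added example, not part of any post in this thread: a small Python parser for pasted `show failover` text that lists every monitored interface whose state is not a plain Normal, so entries such as Unknown (Waiting) stand out when checking a failover pair. The sample input is trimmed from the output posted above; the function names, and the assumption that the layout matches the 7.2(3) output shown here, are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the "FROM SECONDARY" output posted above.
SAMPLE = """\
Failover On
This host: Secondary - Standby Ready
slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
Interface outside (172.30.148.30): Normal (Waiting)
Interface inside (10.0.135.41): Normal (Waiting)
Other host: Primary - Active
slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)
Interface outside (172.30.148.29): Unknown (Waiting)
Interface inside (10.0.135.40): Unknown (Waiting)
"""

# "This host: <unit> - <role>" and "Interface <name> (<ip>): <state> (<qualifier>)"
HOST_RE = re.compile(r"^(This|Other) host:\s*(\S+)\s*-\s*(.+)$")
IFACE_RE = re.compile(
    r"^Interface\s+(\S+)\s+\(([\d.]+)\):\s*([A-Za-z][A-Za-z ]*?)\s*(?:\(([^)]*)\))?$")


def parse_show_failover(text):
    """Parse pasted `show failover` text into per-host interface states."""
    result = {"failover_on": False, "hosts": {}}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Failover On":
            result["failover_on"] = True
        elif (m := HOST_RE.match(line)):
            current = {"unit": m.group(2), "role": m.group(3), "interfaces": []}
            result["hosts"][m.group(1)] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            current["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2),
                 "state": m.group(3), "qualifier": m.group(4)})
    return result


def unsettled_interfaces(parsed):
    """Return every monitored interface whose state is not a plain 'Normal'."""
    return [(side, host["unit"], i["name"], i["ip"], i["state"], i["qualifier"])
            for side, host in parsed["hosts"].items()
            for i in host["interfaces"]
            if i["state"] != "Normal" or i["qualifier"]]


if __name__ == "__main__":
    for finding in unsettled_interfaces(parse_show_failover(SAMPLE)):
        print("%s host (%s) %s %s: %s (%s)" % finding)
```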

