cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1135
Views
0
Helpful
3
Replies

ASA Active/Standby failover config

mvhurley9
Level 1
Level 1

Hi,

I am having trouble getting the config right for failover on a pair of ASA 5505 with a plus license. I have a Cisco Press book but I think the examples are for 5510 and up. I could not find what I needed on the web site either.

Can someone provide a 5505 config example or point me at a good doc that really deals with the 5505.

Thanks,

Michael Hurley

3 Replies 3

Marwan ALshawi
VIP Alumni
VIP Alumni

first

The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active failover

so go to the active standby section directly

and this link will give all the details and config required

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1058096

good luck

please, if helpful rate

anthony.king
Level 1
Level 1

Here is a config that worked for me. You can change the vlan number to something else and I don't think you need to 'no shut' it but I do anyway. Just change the ***** to your own key and make sure the subnet doesn't overlap with something you are already using and it should work.

!!! Primary unit

failover

failover lan unit primary

failover lan interface fo-int Vlan20

failover key *****

failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2

int vlan20

no shut

!!! Secondary unit

failover

failover lan unit secondary

failover lan interface fo-int Vlan20

failover key *****

failover interface ip fo-int 172.31.254.1 255.255.255.0 standby 172.31.254.2

int vlan20

no shut

Anthony,

Thanks, your suggestion worked for me....but when I do a sh fail I get Unknown (Waiting) status as indicated in the output below. The 2 units seem to be communicating OK and changes made on the primary are copied to the secondary.

I found a Cisco doc that suggested I apply portfast on the switch ports the ASAs are connected on but that did not change anything.

Any ideas?

Thanks,

Michael

FROM SECONDARY

test1# sh fail

Failover On

Failover unit Secondary

Failover LAN Interface: fail_int Vlan15 (up)

Unit Poll frequency 10 seconds, holdtime 30 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

Version: Ours 7.2(3), Mate 7.2(3)

Last Failover at: 10:28:10 UTC Aug 12 2008

This host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.30): Normal (Waiting)

Interface inside (10.0.135.41): Normal (Waiting)

slot 1: empty

Other host: Primary - Active

Active time: 14387 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.29): Unknown (Waiting)

Interface inside (10.0.135.40): Unknown (Waiting)

slot 1: empty

test1#

FROM PRIMARY

test1# sh fail

Failover On

Failover unit Primary

Failover LAN Interface: fail_int Vlan15 (up)

Unit Poll frequency 10 seconds, holdtime 30 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

Version: Ours 7.2(3), Mate 7.2(3)

Last Failover at: 10:56:38 UTC Aug 12 2008

This host: Primary - Active

Active time: 14687 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.29): Normal (Waiting)

Interface inside (10.0.135.40): Normal (Waiting)

slot 1: empty

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5505 hw/sw rev (1.0/7.2(3)) status (Up Sys)

Interface outside (172.30.148.30): Normal (Waiting)

Interface inside (10.0.135.41): Normal (Waiting)

slot 1: empty

test1#

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: