ASA lan-based stateful failover question

Answered Question
Oct 21st, 2009

I have a pair of ASA 5510s with the Security Plus license. I am going to set up a site-to-site VPN on them in an Active/Standby configuration with STATEFUL failover. I WILL NOT BE USING ANY 802.1Q. I will be running ASA 8.2.1 code.

The ASA 5510 comes with 5 interfaces. I have a requirement to have outside, inside, dmz1 and dmz2. However, upon reading this document, I think it stated that I need to have two NICs, one for the failover interface and one for the state interface. If that is the case, that will leave me with only three interfaces.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#ACT

Is it possible to combine both the state and failover interface into a single physical interface? I remember I did it once three years ago with a PIX firewall, and even though it is not recommended, it can be done.

Can it be done on an ASA with LAN-based failover, combining both failover and state into a single interface? If so, how?

Thanks in advance.

francisco_1 Wed, 10/21/2009 - 03:16

Yes, you can have state and failover on the same interface. You can keep it separate if you have a high volume of stateful data synchronizing between your ASAs, so as not to affect failover.

cisco24x7 Wed, 10/21/2009 - 03:51

OK. Do you have a link that provides a sample configuration for this?

cisco24x7 Wed, 10/21/2009 - 03:56

You are sending me the same HTML link I put in the original thread. Where in there does it show how to share both the failover and the state link?

francisco_1 Wed, 10/21/2009 - 04:09

In the URL under "LAN-Based Active/Standby Failover Configuration", option 5 shows how to enable stateful failover on the failover link.

cisco24x7 Wed, 10/21/2009 - 04:20

Would you mind pasting the configuration in here? I am not seeing it. All I am seeing is TWO interfaces, one for state, the other one for the failover link:

interface Ethernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.
interface Ethernet2
nameif state
description STATE Failover Interface
interface ethernet3
nameif failover
description LAN Failover Interface
!

francisco_1 Wed, 10/21/2009 - 05:12

Step 1, first enable failover:

hostname(config)#failover lan enable
hostname(config)#failover lan unit primary
hostname(config)#failover lan interface failover Ethernet3
hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
hostname(config)#interface Ethernet3
hostname(config-if)#no shutdown

Step 2, in order to enable stateful failover, configure the stateful failover link:

hostname(config)#failover link state Ethernet3
hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.

cisco24x7 Wed, 10/21/2009 - 06:22

How do you do this:

hostname(config)#failover lan enable

rdhllasa0n(config)# failover lan ?
configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover communication
  unit       Configure the unit as primary or secondary
rdhllasa0n(config)# failover lan

There is no "failover lan enable" option.

francisco_1 Wed, 10/21/2009 - 06:30

I think that command depends on the version! I got it from the URL for version 7.2(1). What version are you using?

Correct Answer
francisco_1 Wed, 10/21/2009 - 06:34

Below is what I have on my ASA for stateful failover with the same code as you. Just change the interface to match yours; the polltime you can also change to match yours.

failover
failover lan unit primary
failover lan interface LAN-Failover TenGigabitEthernet7/0
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover link LAN-Failover TenGigabitEthernet7/0
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2

francisco_1 Wed, 10/21/2009 - 06:35

On the secondary, change "failover lan unit primary" to "failover lan unit secondary".

francisco_1 Wed, 10/21/2009 - 06:39

That's all you should need to get failover/state going on your ASA.
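An added check (my own Python, not from the thread or from Cisco) that parses a failover config shaped like the one posted above, reports whether the stateful link shares the LAN failover interface, counts the physical ports left for data, and derives the secondary unit's config as the last reply describes. The port names are an assumption for a 5510-style box, not taken from the page.

```python
"""Parse ASA LAN-based failover lines and check link sharing (illustrative)."""
import re

# Constructed sample modelled on the thread's config; Ethernet0/3 is an
# assumed port name, not something the page states.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface LAN-Failover Ethernet0/3
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover link LAN-Failover Ethernet0/3
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
"""


def parse_failover(config):
    """Return the unit role plus (if_name, physical) for the lan and link lines."""
    info = {"lan": None, "link": None, "unit": None}
    for line in config.splitlines():
        m = re.match(r"failover lan interface (\S+) (\S+)", line)
        if m:
            info["lan"] = m.groups()
        # The physical interface is optional on 'failover link' when the
        # state link reuses an already-named interface.
        m = re.match(r"failover link (\S+)(?: (\S+))?", line)
        if m:
            info["link"] = m.groups()
        m = re.match(r"failover lan unit (primary|secondary)", line)
        if m:
            info["unit"] = m.group(1)
    return info


def shares_link(info):
    """True when state traffic rides the failover interface: same if_name and
    the physical port is either omitted or identical."""
    lan, link = info["lan"], info["link"]
    if not lan or not link:
        return False
    return link[0] == lan[0] and link[1] in (None, lan[1])


def data_interfaces(info, physical):
    """Physical ports still free for data once failover/state ports are taken."""
    used = {i[1] for i in (info["lan"], info["link"]) if i and i[1]}
    return [p for p in physical if p not in used]


def secondary_config(config):
    """Derive the secondary unit's lines from the primary's (only the role differs)."""
    return config.replace("failover lan unit primary", "failover lan unit secondary")
```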
