4943 Views | 5 Helpful | 15 Replies

ASA lan-based stateful failover question

cisco24x7 (Level 6)

I have a pair of ASA 5510s with the Security Plus license. I am going to set up a site-2-site VPN on them in an Active/Standby configuration with STATEFUL failover. I WILL NOT BE USING ANY 802.1Q. I will be running ASA 8.2.1 code.

The ASA5510 comes with 5 interfaces. I have a requirement to have outside, inside, dmz1 and dmz2. However, upon reading this document, I think it stated that I need to have two NICs, one for the failover interface and one for the state interface. If that is the case, that will leave me with only three interfaces.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#ACT

Is it possible to combine both the state and failover interfaces into a single physical interface? I remember I had done it once, three years ago, with a PIX firewall, and even though it is not recommended, it can be done.

Can it be done on the ASA with LAN-based failover by combining both failover and state into a single interface? If so, how?

Thanks in advance.


15 Replies

francisco_1 (Level 7)

Yes, you can have state and failover on the same interface. You can keep them separate if you have a high volume of stateful data to synchronize between your ASAs, so that it does not affect failover.

OK. Do you have a link that provides a sample configuration for this?

You are sending me the same HTML link I put in the original thread. Where in there does it show how to share both the failover and the state link?

In the URL, under LAN-Based Active/Standby Failover Configuration, option 5 shows how to enable stateful failover on the failover link.

Would you mind pasting the configuration in here? I am not seeing it. All I am seeing is TWO interfaces, one for state, the other one for the link:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.
interface Ethernet2
 nameif state
 description STATE Failover Interface
interface ethernet3
 nameif failover
 description LAN Failover Interface
!

Step 1: First enable failover

hostname(config)#failover lan enable
hostname(config)#failover lan unit primary
hostname(config)#failover lan interface failover Ethernet3
hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
hostname(config)#interface Ethernet3
hostname(config-if)#no shutdown

Step 2: In order to enable stateful failover, configure the stateful failover link.

hostname(config)#failover link state Ethernet3
hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.

How do you do this:

hostname(config)#failover lan enable

rdhllasa0n(config)# failover lan ?

configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover communication
  unit       Configure the unit as primary or secondary
rdhllasa0n(config)# failover lan

There is no "failover lan enable" option.

I think that command depends on the version! I got it from the URL for version 7.2(1). What version are you using?

I stated in the original thread that I use version 8.2.1

Below is what I have on my ASA for stateful failover, with the same code as you. Just change the interface to match yours. The polltime you can change to match yours.

failover
failover lan unit primary
failover lan interface LAN-Failover TenGigabitEthernet7/0
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover link LAN-Failover TenGigabitEthernet7/0
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2

On the secondary, change "failover lan unit primary" to "failover lan unit secondary".

That's all you should need to get failover/state going on your ASA.
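As an added example (not Cisco's code and not from either poster), the Python script below parses the failover stanza of an ASA configuration and reports whether the state link shares the LAN failover link, as in the configuration posted just above, or has its own interface, as in the 7.2-era document excerpt quoted earlier in the thread. It also raises the checks a reviewer would make before committing the change: each named link has its "failover interface ip" line, the standby address sits inside the link subnet, the physical interface is not left shut down, and the 7.2-only "failover lan enable" line, which the 8.2.1 "failover lan ?" output in this thread does not offer, is flagged. The two embedded configurations are constructed samples: the first reproduces the single-interface stanza from the accepted answer, the second is a two-interface layout seeded with three deliberate defects. Interface names such as Ethernet2 and Ethernet3 are taken from the quoted document; the subnet values in the second sample are assumptions.

```python
"""Audit an ASA failover stanza: shared vs separate state link, completeness, 8.2 syntax."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample 1: the single-interface layout from the accepted answer.
SHARED_LINK_CONFIG = """\
failover
failover lan unit primary
failover lan interface LAN-Failover TenGigabitEthernet7/0
failover link LAN-Failover TenGigabitEthernet7/0
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
"""
# Constructed sample 2: two-interface layout in the 7.2-era style, seeded with three
# deliberate defects: legacy "failover lan enable", a shut-down failover interface,
# and a state-link standby address outside its subnet (addresses are assumptions).
SEPARATE_LINK_CONFIG = """\
interface Ethernet2
 nameif state
interface Ethernet3
 nameif failover
 shutdown
failover lan enable
failover lan unit primary
failover lan interface failover Ethernet3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.255.255.0 standby 10.0.1.2
"""

@dataclass
class FailoverLinks:
    lan_name: Optional[str] = None       # name given on "failover lan interface"
    lan_iface: Optional[str] = None
    state_name: Optional[str] = None     # name given on "failover link"
    state_iface: Optional[str] = None    # None when it reuses an already named link
    ips: dict = field(default_factory=dict)     # link name -> (active, mask, standby)
    shutdown: set = field(default_factory=set)  # interfaces still shut down
    legacy: list = field(default_factory=list)  # commands 8.2.1 does not offer

LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
LINK_RE = re.compile(r"^failover link (\S+)(?: (\S+))?$")
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")

def parse_failover(config: str) -> FailoverLinks:
    fl, block = FailoverLinks(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():            # unindented line ends any interface block
            block = None
        if m := IFACE_RE.match(line):
            block = m.group(1)
        elif line == "shutdown" and block:
            fl.shutdown.add(block)
        elif line == "failover lan enable":  # 7.2 syntax; "failover lan ?" on 8.2.1 lacks it
            fl.legacy.append(line)
        elif m := LAN_RE.match(line):
            fl.lan_name, fl.lan_iface = m.groups()
        elif m := LINK_RE.match(line):
            fl.state_name, fl.state_iface = m.groups()
        elif m := IP_RE.match(line):
            name, active, mask, standby = m.groups()
            fl.ips[name] = (active, mask, standby)
    return fl

def state_link_mode(config: str) -> str:
    """'shared' (state rides the failover link by name or interface), 'separate' or 'none'."""
    fl = parse_failover(config)
    if fl.state_name is None:
        return "none"
    same_iface = fl.state_iface is not None and fl.state_iface == fl.lan_iface
    return "shared" if fl.state_name == fl.lan_name or same_iface else "separate"

def _link_findings(fl: FailoverLinks, name: str, iface: Optional[str], role: str) -> list:
    out = []
    if name not in fl.ips:
        out.append(f"{role} link {name}: no 'failover interface ip' line")
    else:
        active, mask, standby = fl.ips[name]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            out.append(f"{role} link {name}: standby {standby} is outside {net}")
    if iface in fl.shutdown:
        out.append(f"{role} link {name}: {iface} is shut down; needs 'no shutdown' on both units")
    return out

def audit_failover(config: str) -> list:
    """Findings a reviewer would raise; an empty list means the stanza is consistent."""
    fl = parse_failover(config)
    if fl.lan_name is None:
        return ["no 'failover lan interface' configured"]
    findings = _link_findings(fl, fl.lan_name, fl.lan_iface, "failover")
    if fl.state_name is None:
        findings.append("no 'failover link' line: failover is not stateful")
    elif state_link_mode(config) == "separate":   # a shared link was already checked above
        findings += _link_findings(fl, fl.state_name, fl.state_iface, "state")
    findings += [f"'{c}' is 7.2 syntax; drop it on 8.2.1" for c in fl.legacy]
    return findings
```

The script treats the state link as shared when "failover link" either reuses the name given on "failover lan interface" (only the if_name argument supplied, as the document's note describes) or names the same physical interface; in that case the link is checked once, since both roles share one address pair. Run it with the output of "show running-config failover" and the interface blocks pasted into a string, or call audit_failover() on each unit's config before cutting over.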

Thank you. That works.
