ASA Hardware failover...

arjunsawant

Dear,

I have one query: in an ASA active-standby scenario, how do users find out the active path (on which criteria)?

If possible, please send me a config example.

Also, if the active FW fails, how does it identify the standby FW path, and after the active comes back up, how does it revert to active?

Accepted Solutions

Hi,

When we configure active-standby failover on the ASA, there will be one primary IP address for the active firewall and one secondary IP address for the standby firewall.

The primary IP address will always be the gateway for the users, and the secondary IP will be the standby.

If you want to make the secondary firewall active, that is also possible. In this scenario the primary IP address will be on the standby firewall and the secondary IP will be moved to the primary firewall.

One back-to-back cross cable needs to be connected between these two firewalls to make failover work.

The secondary firewall will always send keepalive messages to the primary firewall over this cross cable to check its availability. If the primary firewall is not responding properly, the secondary firewall becomes active automatically.

Please find the URL for more info.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Regards

Karuppu

Karuppu is correct. No matter which unit is active, the newly active unit will assume the active IP for layer 3 and MAC address for layer 2. The primary unit's IP and MAC are called the active IP and MAC.

So the users won't even know that the units failed over.

Here are some sample configs.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html

-KS
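An added example for this thread (not posted by any participant, and not taken from the linked Cisco documents): a minimal active/standby configuration showing the active and standby addresses the replies describe. Interface names, the link name FOLINK, all addresses and the key are constructed placeholders.

```text
! Constructed example: names, addresses and the key are placeholders.
!
! --- Primary unit ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! First address is the active IP, "standby" address is used by the standby unit
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! Inside hosts use 192.168.1.1 as their gateway regardless of which unit is active
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
! Dedicated failover link: no nameif or ip address is configured on it
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key protects failover traffic, which carries the replicated configuration
failover key <shared-secret-placeholder>
failover
!
! --- Secondary unit (bootstrap only; the rest is replicated from the active unit) ---
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
```

Running `show failover` on either unit reports which one currently holds the active role.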
