09-06-2010 07:24 PM - edited 03-11-2019 11:35 AM
Hello All,
When I am configuring an Active/Standby multiple context firewall, is it enough to configure the interface only on the primary device (specific context) so that it will get replicated on to the secondary firewall (specific context), or do we also configure it on the secondary box (specific context)?
Thanks
09-06-2010 07:59 PM
Hey,
Yes, it's enough to configure interfaces only on the primary device and it should get copied to the secondary automatically. The prerequisites for that are:
1) "failover lan unit primary" on primary device and "failover lan unit secondary" on secondary device.
2) configure failover LAN interface on both the devices. (the commands will be the same on both the devices for this)
3) enable failover on the primary firewall first and then the secondary firewall.
Let me know if this helps!
Regards,
Prapanch
09-06-2010 08:02 PM
Hi Prapanch,
Thanks for the reply. The interfaces are already configured but there is no standby IP for the admin context in the primary context and hence I cannot ssh to the secondary context. So I can just add the "standby IP Address" command on the primary device and it should get replicated to the secondary box.
Thanks again
09-06-2010 08:11 PM
Hey,
Yeah!! So if I am understanding it right, right now under the interface you have something like "ip address 10.1.1.1 255.255.255.0". So if you want to give it a standby IP address, say 10.1.1.2, you just need to change it to "ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2".
Regards,
Prapanch
09-07-2010 06:24 AM
You mentioned you were using multiple context firewalls, in which case you can only configure Active/Active failover. The main failover configuration is done in the system execution space. Preempt is used so that, once a failover condition is cleared, that unit takes over again as the active firewall for the failover group (therefore on your secondary unit there would be no preempt):
failover
failover lan unit primary
failover lan interface LAN_Failover GigabitEthernet3/3
failover link STATE_Failover GigabitEthernet4/3
failover interface ip LAN_Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover interface ip STATE_Failover 10.1.1.3 255.255.255.252 standby 10.1.1.4
failover group 1
  preempt 15
failover group 2
  secondary
  preempt 15
Also within the system execution space, within each context you add which failover group the context should join. If you wish your firewalls to act like Active/Standby, then make all contexts join the same failover group:
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
  join-failover-group 1
Then configure failover within the context including the monitoring of interfaces, for example:
interface Management0/0
  description Entire ASA 5580 Appliance Management
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.240 standby 192.168.1.2
  management-only
monitor-interface management
I just thought you may be interested.
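As an added example (not from this thread or from Cisco), here is a small Python lint that reads an ASA-style context config and flags the gap the original poster hit: a named interface with no standby address, so the standby unit cannot be reached on it after the config replicates. It also flags a standby address that is not in the active address's subnet. The sample config is constructed for the example; the interface and address values are assumptions.

```python
import ipaddress
import re

# Constructed sample context config: 'management' is complete, 'inside' has no
# standby address, and 'outside' has a standby address in the wrong subnet.
SAMPLE_CONTEXT_CFG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.240 standby 192.168.1.2
 management-only
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248 standby 203.0.113.9
monitor-interface management
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")


def parse_interfaces(cfg):
    """Map each nameif to its interface name, active address/mask and standby address (or None)."""
    intfs, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"intf": line.split(None, 1)[1], "ip": None, "mask": None, "standby": None}
        elif line.startswith("nameif ") and cur is not None:
            intfs[line.split(None, 1)[1]] = cur
        elif cur is not None and (m := IP_RE.match(line)):
            cur["ip"], cur["mask"], cur["standby"] = m.groups()
    return intfs


def lint_failover(cfg):
    """Return sorted findings; an empty list means every named interface is failover-ready."""
    findings = []
    for nameif, info in parse_interfaces(cfg).items():
        tag = f"{nameif} ({info['intf']})"
        if info["ip"] is None:
            continue  # no Layer 3 address on this interface, nothing to replicate
        if info["standby"] is None:
            findings.append(f"{tag}: no standby IP, the standby unit cannot be reached on it")
            continue
        net = ipaddress.ip_interface(f"{info['ip']}/{info['mask']}").network
        if ipaddress.ip_address(info["standby"]) not in net:
            findings.append(f"{tag}: standby {info['standby']} is outside {net}")
    return sorted(findings)
```

Run it against each context's running config (show running-config from within the context) before enabling failover; the management interface in the sample passes, the other two produce findings.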