
ASA 5520: Configuring Active/Standby High Availability

Answered Question

Hi,


I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.


I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).


I am trying to set up Active/Standby using the High Availability Wizard. I have interfaces on each device set up with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch, and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure it for Active/Standby and enter the peer IP of 10.1.70.2, I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.


I tried this using a crossover cable to connect the interfaces directly with the same result.


Any ideas?


Thanks.


Dan


Maykol Rojas Wed, 11/02/2011 - 15:28

Hi Dan,


We may need to use some CLI here. When you put the IP addresses on the devices, are they reachable towards each other?

It is weird that it dies right after the ASA does the ping test. It would be better if you run this configuration via the command line, though; it will give you more mechanisms in order to see what is happening.


Let me know.


Mike

Hi Mike,


Thanks for the reply. I am working on setting up failover using CLI. I've entered the config on the primary and that seemed successful. Before I move on to the secondary I'd like to start over with the failover config on the primary. I'm just learning this stuff and want to go over it a few times to really understand what I'm doing.


How do I completely clear the failover configuration on the primary?


Thanks.


Dan

Correct Answer
varrao Thu, 11/03/2011 - 10:08

Hi Dan,


To clear the configuration for failover you can use this command:


clear configure failover


This should work for you.


Thanks,

Varun

Correct Answer
Maykol Rojas Thu, 11/03/2011 - 11:00

The command Varun gave is right.

Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a primary IP where the Active/Standby pair will exchange hello packets. If the hellos are not heard from the mate, then the unit is declared failed.

In case the primary is the one that gets an interface down, it will fail over to the other unit; if it is the standby that has the problem, the active unit will declare the other unit "Standby Failed". You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".

For configuring it, just put a secondary IP on every interface to be monitored. (If by any chance you don't have an available secondary IP for one of the interfaces, you can avoid monitoring the given interface using the command "no monitor-interface nameif", where nameif is the name of the interface without the secondary IP.)

Then put the commands for the failover and stateful link. The stateful link will copy the connection table (among other things) to avoid downtime while passing from one unit to another. This link should have at least the same speed as the regular data interfaces.

You can configure the failover link and the stateful link on just one interface, by just using the same name for the link. Remember that this link will have a totally separate subnet from the ones already used in the firewall.

This is the configuration:

! Primary unit
failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

! Secondary unit (same failover interface ip line; the roles are set by "failover lan unit")
failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Make sure that you can ping each other's secondary/primary IP and then put the command "failover", first on the primary and then on the secondary.

That would be fine.


Let me know if you have further doubts.


Link for reference

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml


Mike
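An added pre-flight check, not part of this thread and not a Cisco tool: the Python script below parses a constructed ASA running-config excerpt and flags the two pitfalls described in the answer above, a monitored data interface with no standby IP (which needs either a standby address or "no monitor-interface nameif") and a failover/stateful link whose subnet overlaps a data interface subnet. The config text, interface names and addresses are constructed for the example; the regexes assume the usual "interface" / "nameif" / "ip address ... standby ..." layout of an ASA running-config. It checks the text before deployment; whether the pair is actually healthy is still confirmed on the box with "show failover" reporting "Standby Ready".

```python
"""Pre-flight check for an ASA Active/Standby failover configuration.

Added example, not from the thread or from Cisco. The config below is a
constructed sample; interface names and addresses are invented.
"""
import ipaddress
import re

# Constructed running-config excerpt with two deliberate problems:
#  - "dmz" has no standby IP but is still monitored
#  - the failover link address sits inside the "inside" data subnet
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.70.1 255.255.255.0 standby 10.1.70.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.5.1 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
no monitor-interface management
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.1.70.250 255.255.255.0 standby 10.1.70.251
"""

# Same constructed config with both problems corrected: separate failover
# subnet, and the standby-less dmz interface excluded from monitoring.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "failover interface ip failover 10.1.70.250 255.255.255.0 standby 10.1.70.251",
    "failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2",
) + "no monitor-interface dmz\n"

IFACE_RE = re.compile(r"^interface (\S+)$")
NAMEIF_RE = re.compile(r"^ nameif (\S+)$")
IP_RE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?$")
NO_MON_RE = re.compile(r"^no monitor-interface (\S+)$")
FO_IP_RE = re.compile(r"^failover interface ip \S+ (\S+) (\S+) standby \S+$")


def parse_config(text):
    """Return (interfaces by nameif, set of unmonitored nameifs, failover network)."""
    ifaces, unmonitored, failover_net, current = {}, set(), None, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None                      # any top-level line ends an interface block
            if IFACE_RE.match(line):
                current = {"network": None, "standby": None}
            elif (m := NO_MON_RE.match(line)):
                unmonitored.add(m.group(1))
            elif (m := FO_IP_RE.match(line)):
                failover_net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            continue
        if current is None:
            continue
        if (m := NAMEIF_RE.match(line)):
            ifaces[m.group(1)] = current         # same dict, so a later ip address line updates it
        elif (m := IP_RE.match(line)):
            current["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            current["standby"] = m.group(3)     # None when no standby address is configured
    return ifaces, unmonitored, failover_net


def check_failover(text):
    """Return a list of findings; an empty list means the config passes both checks."""
    ifaces, unmonitored, failover_net = parse_config(text)
    findings = []
    if failover_net is None:
        findings.append("no 'failover interface ip' line found")
    for name, info in sorted(ifaces.items()):
        if info["network"] is None:
            continue                            # no IP, nothing for failover to monitor
        if info["standby"] is None and name not in unmonitored:
            findings.append(f"{name}: monitored but has no standby IP "
                            f"(add one or use 'no monitor-interface {name}')")
        if failover_net is not None and info["network"].overlaps(failover_net):
            findings.append(f"{name}: failover subnet {failover_net} overlaps "
                            f"data subnet {info['network']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_failover(cfg) or 'OK'}")
```

Run it against a saved "show running-config" before issuing "failover" on either unit; the sample reports the dmz and inside problems, and the corrected variant passes. Interfaces named in "no monitor-interface" are skipped only for the standby-IP check, so an unmonitored interface whose subnet collides with the failover link is still reported.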
