ASA 5520: Configuring Active/Standby High Availability

dan
Level 1

Hi,

I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.

I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).

I am trying to set up Active/Standby using the High Availability Wizard. I have the interfaces on each device set up with just an IP address and subnet mask. The primary is 10.1.70.1/24 and the secondary is 10.1.70.2/24. The interfaces are connected to a switch, and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure it for Active/Standby, and enter the peer IP of 10.1.70.2, I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.

I tried this using a crossover cable to connect the interfaces directly with the same result.

Any ideas?

Thanks.

Dan


7 Replies

Maykol Rojas
Cisco Employee

Hi Dan,

We may need to use some CLI here. When you put the IP addresses on the devices, are they reachable towards each other?

It is weird that it dies right after the ASA does the ping test. It would be better if you ran this configuration via the command line, though; it will give you more mechanisms to see what is happening.

Let me know.

Mike

Hi Mike,

Thanks for the reply. I am working on setting up failover using CLI. I've entered the config on the primary and that seemed successful. Before I move on to the secondary I'd like to start over with the failover config on the primary. I'm just learning this stuff and want to go over it a few times to really understand what I'm doing.

How do I completely clear the failover configuration on the primary?

Thanks.

Dan

Hi Dan,

To clear the configuration for failover you can use this command:

clear configure failover

This should work for you.

Thanks,
Varun Rao

The command Varun gave is right.

Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a primary IP and a secondary IP, over which the Active/Standby pair will exchange hello packets. If the hellos are not heard from the mate, the unit is declared failed.

In case the primary is the one that gets an interface down, it will fail over to the other unit; if it is the standby that has the problem, the active unit will declare the other unit "Standby Failed". You will know that everything is alright when you do a "show failover" and the standby pair shows "Standby Ready".

For configuring it, just put a secondary IP on every interface to be monitored. (If by any chance you don't have an available secondary IP for one of the interfaces, you can avoid monitoring the given interface using the command "no monitor-interface nameif", where nameif is the name of the interface without the secondary IP.)

Then put in the commands for the failover link and the stateful link. The stateful link will copy the connection table (among other things) to avoid downtime while passing from one unit to another. This link should have at least the same speed as the regular data interfaces.

You can configure the failover link and the stateful link on just one interface by using the same name for the link. Remember that this link will have a totally separate subnet from the ones already used in the firewall.

This is the configuration:

failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Make sure that each unit can ping the other's primary/secondary IP, and then enter the command "failover", first on the primary and then on the secondary.

That would be fine.

Let me know if you have further doubts.

Link for reference

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Mike
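As an added check for the two rules Mike states above (every monitored interface needs a standby IP, and the failover link must live on a subnet separate from the data interfaces), here is a small config linter. It is example code written for this page, not from the thread or from Cisco; the sample config is constructed, and the regexes only cover the `nameif`, `ip address ... standby`, `failover interface ip` and `no monitor-interface` lines shown in the thread.

```python
import ipaddress
import re

# Constructed sample ASA 8.2-style config (not from the thread): "inside" mirrors Dan's
# starting point, an IP and mask with no standby address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.70.1 255.255.255.0
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""

def parse_config(text):
    """Return (nameif -> (network, has_standby), failover link network, unmonitored nameifs)."""
    ifaces, current, failover_net, unmonitored = {}, None, None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None                      # new interface block, nameif not yet seen
        elif m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) (\S+)(?: standby (\S+))?$", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifaces[current] = (net, m.group(3) is not None)
        elif m := re.match(r"failover interface ip \S+ (\S+) (\S+) standby", line):
            failover_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"no monitor-interface (\S+)", line):
            unmonitored.add(m.group(1))
    return ifaces, failover_net, unmonitored

def lint_failover(text):
    """Flag monitored interfaces without a standby IP and data subnets overlapping the failover link."""
    ifaces, failover_net, unmonitored = parse_config(text)
    findings = []
    if failover_net is None:
        findings.append("no 'failover interface ip' line found")
    for name, (net, has_standby) in ifaces.items():
        if not has_standby and name not in unmonitored:
            findings.append(f"{name}: monitored but has no standby IP; add one or use 'no monitor-interface {name}'")
        if failover_net is not None and net.overlaps(failover_net):
            findings.append(f"{name}: subnet {net} overlaps the failover link subnet {failover_net}")
    return findings
```

Run `lint_failover` over the output of `show running-config` on each unit before entering `failover`; an empty list means both rules hold for the parsed lines.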

Thank you both for your quick and accurate replies!

I was able to clear the previous failover config and re-configure using Mike's outline.

I appreciate your help.

So, if I want to do Active/Active with the Wizard, what IP do I use? I have two 5520s in Active/Standby. I connect to the console of each and only one thing is different (see below). How do I give a different IP for the wizard? Do I remove failover?

Primary
failover lan unit primary

Secondary
failover lan unit secondary
Active/Active only applies to multi-context configurations on ASAs. The wizard only accommodates the basic single-context Active/Standby setup.

There are several examples online that go into detail on how to set up Active/Active. Here's a very good one:

https://www.petenetlive.com/KB/Article/0001114

...and the official Cisco configuration guide section:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_active_active.html
