Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
20080
Views
5
Helpful
5
Replies

How to trigger failover in a multi context ASA firewall environment?

Go to solution
aimarchitect
Level 1
Level 1

‎11-22-2011 11:58 AM - edited ‎03-11-2019 02:54 PM

Hi,

What is the most common way to configure failover triggers on two ASA running in multiple context mode? 

It seems that there is any easy approach in which the standby takes over only if it loses connection with the primary on the configured "failover lan interface".  

What kind of other options are there?  What about configuring failover if either the trunking uplink (to WAN) or trunking downlink (to LAN) interfaces on the primary go down?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee
In response to aimarchitect

‎11-23-2011 05:01 AM

Hi Greg,

You just need to enable interface monitoring for your sub-interfaces in the context where they are allocated. The ASA will then failover if the e0/0 link goes down or if the devices can't send/receive interface monitoring packets on any of the enabled subinterfaces. For example:

firewall001# changeto context MAIN
firewall001/MAIN# conf t
firewall001/MAIN(config)# monitor-interface inside

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112

-Mike

View solution in original post

0 Helpful
5 Replies 5

Go to solution
aimarchitect
Level 1
Level 1
In response to mirober2

‎11-22-2011 01:55 PM

Mike,

Thanks for the info. 

Say I want to configure the standby to take over if the either the e0/0 trunk uplink to the WAN or the e0/1 trunk downlink to the LAN get disconnected (accidentally unplugged) on the primary...

I would confugrure that in the system context, right?  If so, what would I add to the current primary system configuration to make that happen?

ASA Version 8.2(2)

hostname firewall001

interface Ethernet0/0

description Uplink to WAN

interface Ethernet0/0.14

description DMZ

vlan 14

interface Ethernet0/0.104

description Outside-104

vlan 104

interface Ethernet0/0.200

description Outside-200

vlan 200

interface Ethernet0/1

description Downlink to LAN

interface Ethernet0/1.23

description MGMT-23

vlan 23

interface Ethernet0/1.24

description  MGMT-24

vlan 24

interface Ethernet0/1.500

description Client1-Inside

vlan 500

interface Ethernet0/2

shutdown

interface Ethernet0/3

description LAN/STATE Failover Interface

interface Management0/0

shutdown

failover

failover lan unit primary

failover lan interface ASA-Failover Ethernet0/3

failover link ASA-Failover Ethernet0/3

failover interface ip ASA-Failover 10.0.1.1 255.255.255.252 standby 10.0.1.2

no asdm history enable

arp timeout 14400

console timeout 0

admin-context MAIN

context MAIN

  allocate-interface Ethernet0/0.14

  allocate-interface Ethernet0/0.200

  allocate-interface Ethernet0/1.23-Ethernet0/1.24

  allocate-interface Management0/0

  config-url disk0:/MAIN.cfg

context CLIENT1

  allocate-interface Ethernet0/0.104

  allocate-interface Ethernet0/1.500

  config-url disk0:/CLIENT1.cfg

prompt hostname context

Go to solution
mirober2
Cisco Employee
Cisco Employee
In response to aimarchitect

‎11-23-2011 05:01 AM

Hi Greg,

You just need to enable interface monitoring for your sub-interfaces in the context where they are allocated. The ASA will then failover if the e0/0 link goes down or if the devices can't send/receive interface monitoring packets on any of the enabled subinterfaces. For example:

firewall001# changeto context MAIN
firewall001/MAIN# conf t
firewall001/MAIN(config)# monitor-interface inside

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112

-Mike

0 Helpful

Go to solution
aimarchitect
Level 1
Level 1
In response to mirober2

‎11-23-2011 02:15 PM

Thanks Mike,

I see now that monitoring is configured within the context.  Failover from primary to standby in one context doesn't affect another context, right?

0 Helpful

Go to solution
mirober2
Cisco Employee
Cisco Employee
In response to aimarchitect

‎11-24-2011 04:58 AM

Hi Greg,

It depends if you are using Active/Standby failover or Active/Active failover. With Active/Standby, all contexts are Active on the same unit at the same time and a failover event affects the entire unit. With Active/Active, you can assign your contexts to failover groups and a failover event may only affect one group and not the other. With Active/Active, one group is Active on one unit and the other group is Active on the second unit.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card