Active/Standby And failover link configuration mode

Answered Question
Jul 20th, 2013

Hi everyone,

When configuring the failover link of an ASA in Active/Standby mode, say we configure the failover interface as gi0/1:

config t
int gi0/1
failover lan int gi0/1

Need to confirm: do we do this from interface config mode only, or can we do this from global config also?

When we assign an IP to this interface, do we do that from global config mode?

Regards

Mahesh


Message was edited by: mahesh parmar




Correct Answer
Jouni Forss Sat, 07/20/2013 - 09:45

Hi,

All Failover configurations related to the interfaces are done from global configuration mode.

To my understanding, when you originally choose the Failover link interface and use the "failover" configuration commands to name it and give it an IP address, the ASA will actually remove all configurations from the interface used as the Failover interface. It will only add a description to the interface automatically.

You will be doing all Failover configurations in global configuration mode.

- Jouni

Correct Answer
Jouni Forss Sat, 07/20/2013 - 09:48

Your Failover configuration on the original ASA5500 Series firewalls might look something like this:

Primary Unit

failover
failover lan unit primary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2

Secondary Unit

failover
failover lan unit secondary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2

To my understanding, the Management0/0 interface can't be used in Failover configuration in the new ASA5500-X series like it was typically used in the original ASA5500 Series (ASA5510 and forward).

- Jouni
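
A consistency check for the pair of configurations in the post above, added here as an example; it is not part of the original thread or of any Cisco tooling. The function names are hypothetical, the sample text is constructed from the post, and the masked key `*****` is a placeholder because the page shows `failover key` without a value.

```python
# Constructed sample modelled on the post above; "*****" is a placeholder key.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover Management0/0
failover key *****
failover replication http
failover link failover Management0/0
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse_failover(text):
    """Collect failover settings from 'show running-config failover' style text."""
    cfg = {"enabled": False, "unit": None, "lan": None, "link": None, "key": False, "ip": {}}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] != "failover":
            continue  # skips prompts, INFO messages and unrelated lines
        args = words[1:]
        if not args:
            cfg["enabled"] = True
        elif args[:2] == ["lan", "unit"] and len(args) == 3:
            cfg["unit"] = args[2]
        elif args[:2] == ["lan", "interface"] and len(args) == 4:
            cfg["lan"] = (args[2], args[3])  # (name, physical interface)
        elif args[0] == "link" and len(args) == 3:
            cfg["link"] = (args[1], args[2])
        elif args[0] == "key":
            cfg["key"] = len(args) > 1  # a bare "failover key" carries no value
        elif args[:2] == ["interface", "ip"] and len(args) == 7:
            cfg["ip"][args[2]] = (args[3], args[4], args[6])  # active, mask, standby
    return cfg

def compare_pair(primary_text, secondary_text):
    """Return findings for a failover pair; an empty list means consistent."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    findings = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        findings.append("unit roles must be primary/secondary")
    for name, cfg in (("primary", p), ("secondary", s)):
        if not cfg["enabled"]:
            findings.append(f"{name}: failover not enabled")
        if not cfg["key"]:
            findings.append(f"{name}: no failover key configured")
        if cfg["lan"] and cfg["lan"][0] not in cfg["ip"]:
            findings.append(f"{name}: no IP for failover interface {cfg['lan'][0]}")
    findings += [f"{f} settings differ between units" for f in ("lan", "link", "ip") if p[f] != s[f]]
    return findings
```

Because the parser only looks at lines beginning with `failover`, it reads the same settings whether they were typed from `(config)#` or `(config-if)#`, which matches how the ASA stores them.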

mahesh18 Sat, 07/20/2013 - 09:48

Hi Jouni,

I checked that the failover config commands are also available under interface config:

ASA1(config-if)# failover lan  interface  ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config-if)# failover lan  interface  fail1 ?

configure mode commands/options:
  WORD  Specify dynamic interface

ASA1(config-if)# failover lan  interface  fail1

Do you know why they are also available under interface config?

Regards

Mahesh


Message was edited by: mahesh parmar

Correct Answer
Jouni Forss Sat, 07/20/2013 - 09:55

Hi,

Actually the ASA lets you enter a lot of commands whatever mode you are in.

There is a very important thing to notice in the output you posted:

configure mode commands/options:
  WORD  Specify the interface name

As you can see, the output lists only one option, and before that it mentions that this is a "configure mode" command.

So even if you entered the command under interface configuration mode, it would still be entered as a global/configure mode command.

Take the following for example.

I want to check what configuration options I have with the command "failover".

So I enter the following on my ASA:

ASA(config)# failover ?

configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  mac               Specify the virtual mac address for a dynamic interface
  polltime          Configure failover poll interval
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions

exec mode commands/options:
  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force a unit or failover group to an unfailed state

As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used either in Exec or Configuration mode.

- Jouni

mahesh18 Sat, 07/20/2013 - 10:02

Hi Jouni,

Seems you can also add config under interface config mode, as shown below by my test:

ASA1(config)# int ethernet 0/7
ASA1(config-if)# fail
ASA1(config-if)# failover lan
ASA1(config-if)# failover lan ?

configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover
             communication
  unit       Configure the unit as primary or secondary
ASA1(config-if)# failover lan  int
ASA1(config-if)# failover lan  interface  ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config-if)# failover lan  interface  test1 ?

configure mode commands/options:
  WORD  Specify dynamic interface

ASA1(config-if)# failover lan  interface  test1 vlan19
INFO: Non-failover interface config is cleared on Vlan19 and its sub-interfaces
ASA1(config)# end
ASA1# sh run int eth
ASA1# sh run int ethernet 0/7
!
interface Ethernet0/7
shutdown
ASA1# sh run fail
ASA1# sh run failover
failover
failover lan interface test1 Vlan19

But as you said, when we do sh run it shows that under global config and not under interface config.

Many thanks for helping on this.

Best regards

Mahesh
