11-19-2013 08:55 PM - edited 03-11-2019 08:07 PM
Hi everyone,
Currently running on a single ASA with IPS. How do I deploy to active/standby? I know the license and hardware must be the same. I'm worried about the implementation. Can I simply add the sample config like below? If single context, can it run without a state link? Will this work?
(Active)
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ABC123
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
(Standby)
failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ABC123
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Thanks
11-20-2013 06:01 AM
Hello Mohamed,
It is not necessary to run failover with a State Link, but this will cause the connections and other data not to be synchronized.
From what I understand, the standby unit does not have an IPS, the failover implementation will not work, if the units are running any version below 8.2, license and hardware must be the same.
After 8.3, the hardware needs to be the same.
Let me know if you have any doubt or question.
-Eddy Duran
11-20-2013 06:41 AM
Eddy is completely right, here is documentation:
Documentation regarding failover requirements prior to 8.3:
Prerequisites for Active/Standby Failover 8.3 or above
11-20-2013 07:31 AM
Hi Eddy Duran, does it mean that if I use a state link for my failover on the ASA, all config that changes on the primary will automatically move to the secondary? Might it change the config on the IPS too?
11-20-2013 06:50 AM
You can run Active/Standby using those commands. It is not necessary to have stateful failover... but then I would have to ask why you would want such a setup? Just curious.
If you don't want the state of connection to failover then you can proceed with the configuration you posted.
Just to add to what Eddy has already mentioned... IPS modules do not have failover capabilities so it will have to be configured manually at both ends each time there is a configuration change.
As for 8.3 not needing the same license and ASA version. The ASA major version (8.3) must be the same, but the minor version can differ. The license doesn't have to be the same either. Cisco added this capability so that upgrading the ASA version or license would be done in stages while still having an active failover. So you upgrade the ASA version on day 1 and then on the second day you upgrade the second ASA.
--
Please rate all helpful posts
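An added example, not part of the original thread and not Cisco tooling: a Python check that parses the two failover stanzas from the question, reports settings that differ between the units, and flags the missing state link the replies discuss. The `failover link` line it looks for is the ASA command that names a stateful link and does not appear in the thread; the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the two stanzas posted in the question.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ABC123
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse(cfg):
    """Pull out the failover settings that must line up between the units."""
    lines = [l.split() for l in cfg.splitlines()]
    out = {"enabled": ["failover"] in lines, "unit": None, "lan_if": None,
           "key": None, "state_if": None, "ips": {}}
    for w in lines:
        if w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            out["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"] and len(w) >= 4:
            out["lan_if"] = tuple(w[3:])
        elif w[:2] == ["failover", "key"] and len(w) == 3:
            out["key"] = w[2]
        elif w[:2] == ["failover", "link"] and len(w) >= 3:
            out["state_if"] = tuple(w[2:])  # stateful link, absent in the sample
        elif w[:3] == ["failover", "interface", "ip"] and len(w) == 8:
            out["ips"][w[3]] = (w[4], w[5], w[7])  # active IP, mask, standby IP
    return out

def audit(primary_cfg, secondary_cfg):
    """Return a list of findings; the key is compared but never echoed."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    if not (p["enabled"] and s["enabled"]):
        findings.append("failover not enabled on both units")
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append("units must be one primary and one secondary")
    for field in ("lan_if", "key", "ips", "state_if"):
        if p[field] != s[field]:
            findings.append(f"{field} differs between units")
    for name, (active, mask, standby) in p["ips"].items():
        net = ipaddress.ip_interface(f"{active}/{mask}").network
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby IP is outside the active subnet")
    if p["state_if"] is None and s["state_if"] is None:
        findings.append("no state link: connections will not be synchronized")
    return findings
```

Run against the posted stanzas, `audit(PRIMARY, SECONDARY)` returns only the state-link finding, matching the replies: the pair is consistent but stateless.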
11-20-2013 07:34 AM
Now my ASA is running 8.2. Can I use ASDM to upgrade the operating system to 8.4? Do I need to move using some process like 8.2 to 8.3 and continue to 8.4?
11-20-2013 09:17 AM
Upgrading from 8.2 directly to 8.4 is not supported for zero-downtime upgrades for a failover pair; you must first upgrade to 8.3.
If the unit that is going to be upgraded is standalone then you can follow the next upgrade path:
Here is the upgrade path migration: 8.2(1) --> 8.4(6) --> 9.1(2.8) or 9.1(3) or later
For obvious reasons if you're on 8.2.X you can upgrade to 8.4(X), the above is just an example.
The above information was taken from the next link:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp732442
Also read the next link before upgrading and consider that if you are not fixing a bug or need a feature you should not upgrade.
https://supportforums.cisco.com/docs/DOC-12690