
ASA 5510 and AIP-SSM-10 active standby

rockyrain
Level 1

Hi everyone,

I'm currently running a single ASA with IPS. How do I deploy active/standby? I know the license and hardware must be the same. I'm worried about the implementation. Can I simply add something like the sample config below? In single context, can it run without a state link? Will this work?

(Active)

failover

failover lan unit primary

failover lan interface failover Ethernet3

failover lan enable

failover key ABC123

failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

(Standby)

failover

failover lan unit secondary

failover lan interface failover Ethernet3

failover lan enable

failover key ABC123

failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

thanks


6 Replies

Eddy Duran
Level 1

Hello Mohamed,

It is not necessary to run failover with a State Link, but this will cause the connections and other data not to be synchronized.

From what I understand the standby unit does not have an IPS, the failover implementation will not work, if the units are running any version below 8.2, license and hardware must be the same.

After 8.3, the hardware needs to be the same.

Let me know if you have any doubt or question.

-Eddy Duran

Eddy is completely right, here is documentation:

Documentation regarding failover requirements prior to 8.3:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#req

Prerequisites for Active/Standby Failover 8.3 or above

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/ha_active_standby.html#wp1046838

Value our effort and rate the assistance!

Hi Eddy Duran, does that mean that if I use a state link for my failover on the ASA, all config changes on the primary will automatically move to the secondary? Might it change the config on the IPS too?

You can run Active/Standby using those commands.  It is not necessary to have stateful failover....but then I would have to ask why you would want such a setup?  just curious.

If you don't want the state of connection to failover then you can proceed with the configuration you posted.

Just to add to what Eddy has already mentioned... IPS modules do not have failover capabilities so it will have to be configured manually at both ends each time there is a configuration change.

As for 8.3 not needing the same license and ASA version.  The ASA major version (8.3) must be the same, but the minor version can differ.  The license doesn't have to be the same either.  Cisco added this capability so that upgrading the ASA version or license would be done in stages while still having an active failover.  So you upgrade the ASA version on day 1 and then on the second day you upgrade the second ASA.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
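
An added example, not part of the thread and not Cisco tooling: a Python check over the two failover stanzas posted in the question, confirming that the settings which must agree across the pair do agree and flagging the missing stateful link discussed above. The sample input is constructed from the question's config; the function names are hypothetical.

```python
import re

# Constructed input: the two failover stanzas from the original question.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ABC123
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse_failover(config):
    """Extract the failover settings that must agree across a pair."""
    s = {"enabled": False, "unit": None, "lan_if": None, "key": None,
         "state_if": None, "ips": {}}
    for line in config.splitlines():
        line = line.strip()
        if line == "failover":
            s["enabled"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            s["unit"] = m.group(1)
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            s["lan_if"] = m.groups()
        elif m := re.fullmatch(r"failover key (\S+)", line):
            s["key"] = m.group(1)
        elif m := re.fullmatch(r"failover link (\S+)(?: \S+)?", line):
            s["state_if"] = m.group(1)  # stateful failover link, if any
        elif m := re.fullmatch(
                r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            s["ips"][m.group(1)] = m.groups()[1:]
    return s

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings for a proposed active/standby pair."""
    a, b = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append("unit roles must be one primary and one secondary")
    for field in ("enabled", "lan_if", "key", "state_if", "ips"):
        if a[field] != b[field]:
            findings.append(f"mismatch between units: {field}")
    if a["lan_if"] is None or a["lan_if"][0] not in a["ips"]:
        findings.append("failover LAN interface has no IP pair configured")
    if a["state_if"] is None:
        findings.append("no 'failover link': connection state is not synchronized")
    return findings
```
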

My ASA is now running 8.2. Can I use ASDM to upgrade the operating system to 8.4? Do I need to go through a process like 8.2 to 8.3 and then continue to 8.4?

Upgrading from 8.2 directly to 8.4 is not supported for zero-downtime upgrades for a failover pair; you must first upgrade to 8.3.

If the unit that is going to be upgraded is standalone then you can follow the next upgrade path:

Here is the upgrade path migration:
     
8.2(1) --> 8.4(6) --> 9.1(2.8) or 9.1(3) or later

For obvious reasons, if you're on 8.2.X you can upgrade to 8.4(X); the above is just an example.

The above information was taken from the next link:

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp732442

Also read the next link before upgrading and consider that if you are not fixing a bug or need a feature you should not upgrade.

ASA 8.3 Upgrade - What You Need to Know

https://supportforums.cisco.com/docs/DOC-12690

Value our effort and rate the assistance!