
New Member

ASA Active/Standby

Couple questions. About to implement this scenario with two ASA5520s. I plan to have these two connected to two 4506s running as core switches. My question is: do the ASAs need a dedicated link to each other for their communication, or can they communicate active/standby info with each other through their links to the dual 4506s? The 4506s will be running EIGRP with default routes to the ASAs. The 4 devices will be connected with a /29 subnet. Please see the attachment. The ASAs do not have sub interfaces. They are connected to the 4506s on the same VLAN, vlan 2. Will I need a direct link between the two ASAs? Thanks. I just want to make sure I understand this right.

14 REPLIES

Re: ASA Active/Standby

You will need to dedicate an interface on each ASA for failover. These interfaces can either connect back to your core switches on an isolated VLAN or can be connected directly with a crossover cable. Please refer to the following doc for failover requirements and configuration on the ASA platform.

New Member

Re: ASA Active/Standby

So I would keep my current IP config but add 1 more interface per ASA and connect them to a layer 2 VLAN on the dual cores? Also, I have a question about my default routes on the dual 4506s. As I mentioned, I'm running EIGRP on the 4506s. Since I'll have two 4506s and 2 ASAs, what will my default route point to?

Re: ASA Active/Standby

Your existing IP config will need to be updated to include standby IP addresses for the pair. In an active/standby scenario, the active ASA will manage the primary interface IPs and will use the failover link for replication and keepalives. In a failure scenario, the secondary ASA will take over control of the primary interface IPs. This will allow you to point your default route to the same IP irrespective of what ASA is active at that time. Below is a sample failover config.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.11 255.255.255.0 standby 11.11.11.12
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/2
failover key *****
failover link Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2

New Member

Re: ASA Active/Standby

Nice, you answered my question. Any issues running this on a production ASA, or should I wait until a maintenance window?

New Member

Re: ASA Active/Standby

One last question... I see you have a standby IP on the OUTSIDE interface. Is this needed? I have a public IP on my ASAs' OUTSIDE interface; would I need a second public IP for the second ASA's OUTSIDE int?

Re: ASA Active/Standby

You will want both the inside and outside interfaces configured with a secondary address. This address must be from the same subnet as the active IP address.

New Member

Re: ASA Active/Standby

I've read through some documentation and see where Cisco recommends adding the secondary IP address for all data interfaces. I am trying to understand how certain things like S2S and remote access VPNs will work now. We have several remote ASAs that use the primary public IP for S2S, and clients that are configured to use the primary public IP. Could you explain this a little more? Thank you so much for your help.

Cisco Employee

Re: ASA Active/Standby

This is not a secondary address but a standby address.

The roles are primary and secondary, but the states are active and standby.

Whichever unit is active will assume the active MAC at layer 2 and the active IP at layer 3. This active MAC and active IP are always the primary unit's, except for the failover interface. Those interfaces will continue to use their own IP and MAC.

When we fail over we always send a gratuitous ARP, so the adjacent devices can update their ARP and MAC address tables.

So, even for the outside interface you should have a standby IP; otherwise monitoring interfaces will not be possible. Failover will still work.
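Added example (not from this thread or from Cisco): a small Python check that parses a unit's running config in the form posted earlier in the thread and flags the conditions the replies describe, namely a data interface with no standby IP (which the pair then cannot monitor) and a missing failover key or failover-interface address pair. The sample config is constructed from the thread's example plus a hypothetical dmz interface that lacks a standby address.

```python
import re
# Constructed sample: the thread's failover config, trimmed, plus a hypothetical
# 'dmz' interface with no standby address so the check has something to catch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 11.11.11.11 255.255.255.0 standby 11.11.11.12
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
!
interface GigabitEthernet0/3
 nameif dmz
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/2
failover key *****
failover link Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
"""

def parse_interfaces(config):
    """Map each nameif'd interface to its physical name, active IP and standby IP."""
    ifaces, cur = {}, None
    for line in config.splitlines() + ["!"]:  # sentinel flushes the last stanza
        if not line.startswith(" "):          # any top-level line ends a stanza
            if cur and cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            m = re.match(r"interface (\S+)", line)
            cur = {"ifname": m[1], "nameif": None, "ip": None, "standby": None} if m else None
        elif cur and (m := re.match(r" nameif (\S+)", line)):
            cur["nameif"] = m[1]
        elif cur and (m := re.match(r" ip address (\S+) \S+(?: standby (\S+))?", line)):
            cur["ip"], cur["standby"] = m[1], m[2]
    return ifaces

def check_failover(config):
    """Return findings for one unit's failover config; an empty list means it passed."""
    findings = []
    for name, i in parse_interfaces(config).items():
        if i["ip"] and not i["standby"]:
            findings.append(f"{name} ({i['ifname']}): no standby IP, pair cannot monitor it")
    if not re.search(r"^failover key ", config, re.M):
        findings.append("no failover key: failover messages sent unauthenticated, in clear text")
    if not re.search(r"^failover interface ip \S+ \S+ \S+ standby \S+$", config, re.M):
        findings.append("failover interface lacks an active/standby IP pair")
    return findings
```

Run it against `show running-config` output from each unit before the cutover; the failover interface itself (Gi0/2 here) carries no nameif, so it is correctly excluded from the standby-IP check.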

New Member

Re: ASA Active/Standby

OK. So whichever device is active will assume the role of the active MAC and IP address (all interfaces except failover). So if the active ASA failed, the standby ASA would take over using the active MAC and IP of the active ASA?

Re: ASA Active/Standby

Correct

New Member

Re: ASA Active/Standby

I need to bring this topic back up. Since each ASA will be connected to 2 4506s on the LAN side, I assume I will have an SVI on each 4506 for int vlan 2? Then I'll just include vlan 2 in the trunk between the two 4506s? Thanks!

4506_1:

vlan 2
 name 4506_ASA
!
interface vlan 2
 ip address 10.10.2.2 255.255.255.0
!

4506_2:

vlan 2
 name 4506_ASA
!
interface vlan 2
 ip address 10.10.2.3 255.255.255.0

Then trunk vlan 2 between the 4506s.

Re: ASA Active/Standby

You got it. VLAN 2 will be defined on both switches. You may also look into using HSRP on the core 4506s in order to provide further resiliency. As for the dedicated failover link, you can either configure it in a similar fashion as above using a dedicated VLAN or you can use a crossover connection between the two chassis.

New Member

Re: ASA Active/Standby

For failover, I'm using a dedicated layer 2 VLAN. I am already running HSRP on a few DC VLANs; everything else is P2P links with EIGRP. I wouldn't run HSRP on the vlan 2 SVIs, would I? Seems like it would conflict with my ASA failover on the LAN side.
