Community Member

ASA Hardware failover...

Dear,

I have one query: in an ASA active-standby scenario, how do users find out the active path (on which criteria)?

If possible, please send me a config example.

And also, if the active firewall fails, how does it identify the standby firewall path, and after the active comes back up, how does it revert to active?

1 ACCEPTED SOLUTION

Re: ASA Hardware failover...

Hi,

When we configure active-standby failover on an ASA, there will be one primary IP address for the active firewall and one secondary IP address for the standby firewall.

The primary IP address will always be the gateway for the users, and the secondary IP will be standby.

If you want to make the secondary firewall active, that is also possible. In this scenario the primary IP address will be on the standby firewall and the secondary IP will be moved to the primary firewall.

One back-to-back cross cable needs to be connected between these two firewalls to make sure of the failover.

The secondary firewall will always send keepalive messages to the primary firewall over this cross cable to check its availability. If the primary firewall is not responding properly, the secondary firewall becomes active automatically.

Please find the URL for more info.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Regards

Karuppu

2 REPLIES

Cisco Employee

Re: ASA Hardware failover...

Karuppu is correct. No matter which unit is active, the newly active unit will assume the active IP for layer 3 and the MAC address for layer 2. The primary unit's IP and MAC are called the active IP and MAC.

So the users won't even know that the units failed over.

Here are some sample configs.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html

-KS
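
The Active/Standby setup described in the replies above, as an added example that is not part of the original thread or of the linked Cisco documents. Interface numbers, the `FOLINK` name, all addresses (documentation and private ranges) and the key are constructed placeholders.

```cisco
! ===== Primary unit =====
! Each data interface gets an active address and a standby address.
! Users point at the first (active) address; whichever unit is active owns it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 no shutdown
!
! Dedicated failover link between the two units (no nameif on it).
interface GigabitEthernet0/3
 description LAN failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
! Without a failover key, traffic on the failover link (including the
! replicated configuration) is sent in clear text.
failover key <shared-secret-placeholder>
failover

! ===== Secondary unit =====
! Only the failover bootstrap is entered here; the rest of the
! configuration is replicated from the active unit once the link is up.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover key <shared-secret-placeholder>
failover
```

`show failover` on either unit reports which one is currently active. In Active/Standby a recovered unit rejoins as standby and does not take the active role back automatically; entering `failover active` on it forces the switch.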
