Re: ASA5550 Active/Active or Active/Standby

network_team · ‎08-06-2008

Hi what is best practise for confirguring asa5550 failover. Please can i have some advise as at the moment we have pix525 with failover stateful which works well for us. But i have been reading and active/active seems attractive, but not sure. As this is something different. Please can you also post a configuratin of the recommended solution

dhananjoy chowdhury · ‎08-06-2008

Hi,

Active/Active failover is only available to ASA/PIX firewall in multiple context mode.

Now if you configure FW in context mode features like VPN, Dynamic routing protocols, Multicast, etc. are not supported.

So, before migrating to Active/Active failover, you should check your requirements.

dhananjoy chowdhury · ‎08-06-2008

Here is an example of configuring Active / Active failover

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#unsupport

Hope this Helps.

network_team · ‎08-06-2008

Hi Thanks...

Can you send me a sample config for Active/Standby for asa5550. I dont want to loose functionality within the unit. What is the best active/stanby setup? is it stateful and how do i configure it. I have configured the pimary unit, but im confused on the setup for failover and what configuration is needed for the secondary ?

Cheer lev

dhananjoy chowdhury · ‎08-06-2008

With Active/Standby, go with Statefull Failover, because it will have the connection state table in the standby FW, whenever the active FW fails.

Here is the example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#Netdia

JORGE RODRIGUEZ · ‎08-06-2008

In addition to Dhananjoy info.

Read this link for Stateful failover configuration detail information and implementation options. pease read the whole part (configuring failover) almost cover every question you may have.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html#wp1051759

You would want to have stateful enable and take advantage of feature,you may use the same regular LAN base port for statefull,go over the stateful link above.

Last but not least , take a tour in this link for interactive ASA active/standby config training even though is a agraphical presentation it will help you alot.

Interactive- Pick Active/Standby Failover for ASA 5500

http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

Rgds

Jorge

Jorge Rodriguez

network_team · ‎08-07-2008

Thanks this is excellent...

Just one more question When primary pix goes down and secondary is now active. Can you make changes to secondary and will it replicate up to primary ? when sync starts

network_team · ‎08-07-2008

Hi I have configure primary asa with a full config. what configurations apart from the failover information do i configure. Do i configure the same ip address on the interfaces as the primary

dhananjoy chowdhury · ‎08-07-2008

This is all is reqd on the Secondary box. Check the cables are connected.

failover lan unit secondary

failover lan interface failover Ethernet3

failover lan enable

failover key ******

failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

failover

network_team · ‎08-08-2008

Excellent Thanks this now works, but i have one concern. I get a 1 milisecond time out when i failover occurs. I feel this will affect connectivity for users. Should i be concerned

I have configured the following:

interface GigabitEthernet1/3

description LAN/STATE Failover Interface

speed 1000

duplex full

failover

failover lan unit Primary

failover lan interface Fail GigabitEthernet1/3

failover replication http

failover link Fail GigabitEthernet1/3

failover interface ip Fail 221.0.0.1 255.255.255.252 standby 221.0.0.2

failover

failover lan unit secondary

failover lan interface Fail GigabitEthernet1/3

failover replication http

failover link Fail GigabitEthernet1/3

failover interface ip Fail 221.0.0.1 255.255.255.252 standby 221.0.0.2