Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3024
Views
5
Helpful
3
Replies

Integrating a secondary failover unit ASA 5510

Go to solution
aimarchitect
Level 1
Level 1

‎11-21-2011 03:38 PM - edited ‎03-11-2019 02:53 PM

Hello,

I have a single production 5510 with 2 contexts.  Now I want to integrate the secondary failover unit. My question is: How much configuration needs to be done on the secondary firewall?  How much of the configuration will be sync'd from the primary to the secondary when the secondary is connected?

For example, do I need to add the following on the secondary or will it be sync'd from the primary?

admin-context NAME

context NAME

  allocate-interface Ethernet0/0.14

  allocate-interface Ethernet0/0.200

  allocate-interface Ethernet0/1.23-Ethernet0/1.24

  allocate-interface Management0/0

  config-url disk0:/NAME.cfg

!           

context CONTEXT1

  allocate-interface Ethernet0/0.104

  allocate-interface Ethernet0/1.500

  config-url disk0:/CONTEXT1.cfg

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
anksachd
Level 1
Level 1
In response to aimarchitect

‎11-22-2011 12:26 PM

Hi Greg,

Before I physically connect the standby firewall I should run the: "failover" command on the primary firewall, right?

You can introduce the secondary (standby) device in the network ; however enable the "failover" command on the primary firewall first.

The following line: "failover interface ip ASA-Failover 10.0.1.1 255.255.255.252 standby 10.0.1.2" is configured the same on both primary and secondary firewall, right?

Yes , absoultely correct

Hope this helps !

Regards

Ankur

View solution in original post

0 Helpful
3 Replies 3

Go to solution
anksachd
Level 1
Level 1

‎11-21-2011 09:02 PM

Hi Greg,

As a first step , ensure that the secondary unit is configured in multiple mode and all physical interfaces are unshut  following which you need to just configure the below commands in the system execution space and nothing else.

failover lan unit secondary

failover lan interface FO Ethernet3-> considering that this is the interface you are using for failover link

failover key *****

failover interface ip FO 10.1.1.1 255.255.255.0 standby 10.1.1.2

failover--> enter this command at last

Please go through the below link and navigate to "Secondary Unit Configuration" section under the heading LAN-Based Active/Active Failover Configuration

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

After you enable failover, the active unit sends the configuration in running memory to the standby unit and the complete configuration of the primary (including the one which you have mentioned) gets replicated to secondary unit

Regards

Ankur

Go to solution
aimarchitect
Level 1
Level 1
In response to anksachd

‎11-22-2011 11:06 AM

Thanks Ankur,

Good information.  I have a few more questions. 

Before I physically connect the standby firewall I should run the: "failover" command on the primary firewall, right?

The following line: "failover interface ip ASA-Failover 10.0.1.1 255.255.255.252 standby 10.0.1.2" is configured the same on both primary and secondary firewall, right?

0 Helpful

Go to solution
anksachd
Level 1
Level 1
In response to aimarchitect

‎11-22-2011 12:26 PM

Hi Greg,

Before I physically connect the standby firewall I should run the: "failover" command on the primary firewall, right?

You can introduce the secondary (standby) device in the network ; however enable the "failover" command on the primary firewall first.

The following line: "failover interface ip ASA-Failover 10.0.1.1 255.255.255.252 standby 10.0.1.2" is configured the same on both primary and secondary firewall, right?

Yes , absoultely correct

Hope this helps !

Regards

Ankur

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card