09-01-2008 02:01 AM - edited 03-11-2019 06:38 AM
Hi all, I have 2 Cisco ASAs. What are the minimum commands I need to set up LAN-based stateful failover between my 2 devices?
cheers
Carl
09-01-2008 02:13 AM
hi Carl
Have a look at the following link; it is very useful for your case:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#Reg
good luck
If helpful, rate.
09-01-2008 03:32 AM
hi there
I have seen a video on this topic; it says no setup is needed on the secondary unit except an IP and HTTPS access.
Can anyone add to this? I just need the minimum commands required to set up stateful failover via my management interface, the commands to see who is active, and how to do a manual failover.
09-01-2008 03:51 AM
Note that you must configure the failover key command on the secondary firewall so that it can receive the configuration from the primary firewall.
failover
failover lan unit secondary
failover lan interface faillink [interface]
failover key [urkey]
failover interface ip faillink [ip] standby [ip]
Use
show failover
to see the failover status.
If you want to manually make the secondary firewall the active one, use the following command:
failover active
good luck
please, if helpful Rate
09-01-2008 04:53 AM
Are you sure I need to enable all this on the secondary device?
Do I need to type all that in on the secondary firewall? And what is the failover command on its own, at the top of the config below, used for?
"failover
failover lan unit secondary
failover lan interface faillink [interface]
failover key [urkey]
failover interface ip faillink [ip] standby [ip]"
09-01-2008 04:55 AM
Only this, that's it.
Any other config like ACLs, NATing and so on will be transferred automatically.
09-02-2008 03:10 AM
So do I make the IP address on the interface exactly the same as on the primary box, and then when I define it as secondary it automatically uses the standby address? And how do I make it a stateful failover using the same interface?
09-04-2008 08:29 AM
Hi all, can anyone help with this?
Also, do I have to have a secondary IP address for all interfaces, even if I'm using the management port for my dedicated link?
Thanks
09-04-2008 08:42 AM
With the management, you will need to manage both devices separately, so yes, you need to have a standby IP address for your management interface as well. You sync the STBY IPs from the active ASA. If you don't want to fail over an interface, then there is no need for a STBY IP as long as Monitored is not set up on the interface.
09-04-2008 09:40 AM
I don't understand what you are saying here. Do you mean that if I want to have all interfaces monitored, I should put a standby IP on all of them? If I use a dedicated management interface for my failover, can I just have the standby IP address on that?
And when I configure my secondary box, do I put the config for the interfaces exactly the same as on the primary one, i.e. interface IP and standby IP addresses exactly the same on each box?
09-04-2008 11:33 AM
LAN-Based Active/Standby Failover Configuration is well documented in the following link, including detailed step-by-step instructions. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas
02-03-2009 03:44 AM
Hi There
I have read the document; however, I have a question: do I need to add standby IP addresses for all my interfaces? I want to be able to manage the secondary one from any interface using the secondary IP address.
Please can you let me know.
thanks for the help
Carl
02-03-2009 04:26 AM
I suppose it is in router mode,
so YES you have to have a standby IP for each interface!
Regards,
vlad
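As an added example that is not part of the original thread or of Cisco's documentation: a minimal LAN-based stateful Active/Standby layout built from the commands posted above, with the state link sharing the failover interface. The interface names (Ethernet0/3, Ethernet0/1), the addresses and the `<shared-secret>` placeholder are assumptions to replace with your own.

```text
! ---- Primary unit ----
! Failover interface: enabled, with no nameif or ip address of its own
interface Ethernet0/3
 no shutdown
!
! Data interface: active address plus a standby address, so the standby
! unit is reachable and the interface can be monitored
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
failover lan unit primary
failover lan interface faillink Ethernet0/3
! Stateful failover: send connection state over the same faillink interface
failover link faillink
failover interface ip faillink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! The key encrypts and authenticates failover traffic; without it the
! replicated configuration, including secrets, crosses the link in clear text
failover key <shared-secret>
failover
!
! ---- Secondary unit (bootstrap only; the rest is replicated) ----
interface Ethernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface faillink Ethernet0/3
! Same line as on the primary: the unit role decides which address is used
failover interface ip faillink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key <shared-secret>
failover
!
! ---- Verification ----
! Shows which unit is active and the state of monitored interfaces
show failover
! Run on the standby unit to make it active
failover active
! Run on the active unit to hand over to its peer
no failover active
```

After the first synchronization, make changes on the active unit only and save them there so both units keep the same configuration.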