User has a pair of 5525-Xs that need to be configured for Active/Passive fail-over running 9.1(2). It's the same as the 8.x code, so this is more of a reference. One thing that I did do differently, though, is that I configured the failover and stateful links to be a LAN-to-LAN IPsec tunnel. It encrypts all traffic (failover and state replication) between the two firewalls. You can never have enough security, right? I also included a screenshot for you ASDM users.
User would like a few clarifications on ASA active/standby fail-over involving the CSC SSM module. Current status: there is a production firewall running ASA 8.3.1, along with CSC module 6.3. Another identical firewall unit was purchased, so the two will run in Active/Standby fail-over mode.
Question 1: The CSC module license on the newly purchased ASA unit has not been activated and installed yet (the customer misplaced the PAK paper license). Is it possible to set up fail-over with one CSC SSM in operation while the other CSC is down because no license is installed on it?
Question 2: The new firewall will be the standby unit. Besides configuring fail-over, do we need to load the AnyConnect image onto the new firewall as well?
Question 3: Can the user just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax errors?
On the primary firewall:
failover lan unit primary
failover lan interface FAILOVER-INTF GigabitEthernet0/6
failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7
failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2
failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253
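
The lines above cover only interfaces and addressing; the command that turns on the IPsec tunnel described in the first paragraph is not among them. The Python check below is an added example, not part of the original post: it audits the failover commands of an ASA configuration for link encryption (`failover ipsec pre-shared-key`, or the older `failover key`) and for active/standby addressing that fits the stated mask. `PAGE_CONFIG` is a constructed sample built from the five lines on this page, and `audit_failover` is a name chosen here.

```python
import ipaddress

# Constructed sample: the five failover lines shown on this page.
PAGE_CONFIG = """\
failover lan unit primary
failover lan interface FAILOVER-INTF GigabitEthernet0/6
failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7
failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2
failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253
"""

def audit_failover(config):
    """Return findings for the failover commands in an ASA configuration."""
    cmds = [l.split() for l in config.splitlines() if l.split()[:1] == ["failover"]]
    findings, declared = [], set()
    # Either command protects the failover and state links; without one,
    # replicated configuration and connection state cross the link in cleartext.
    if not any(c[1:3] == ["ipsec", "pre-shared-key"] or c[1:2] == ["key"] for c in cmds):
        findings.append("failover link unencrypted: no 'failover ipsec pre-shared-key' or 'failover key'")
    # Collect the names given to the failover link and the state link.
    for c in cmds:
        if c[1:3] == ["lan", "interface"] and len(c) >= 5:
            declared.add(c[3])
        elif c[1:2] == ["link"] and len(c) >= 3:
            declared.add(c[2])
    # Check each 'failover interface ip NAME ACTIVE MASK standby STANDBY' line.
    for c in cmds:
        if c[1:3] != ["interface", "ip"] or len(c) != 8 or c[6] != "standby":
            continue
        name, active, mask, standby = c[3], c[4], c[5], c[7]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if name not in declared:
            findings.append(f"{name}: addressed but not declared as failover or state link")
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby {standby} is outside {net}")
        elif standby == active:
            findings.append(f"{name}: active and standby addresses are identical")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(PAGE_CONFIG):
        print("FINDING:", finding)
```

Run against the lines on this page, it reports the missing encryption command and nothing else; the addressing on both links is consistent.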