Need help on ASA Active/Standby Ethernet Cable model - document confusing..!

m-abooali
Level 4

Hi,

I had a similar discussion/thread going on but I got answers and now I have a different question on the same issue. I am trying to configure Active/Standby, Ethernet Cable model, no switch in between the two ASAs.

Attached is what I have gathered from the Cisco document on this method, but it's somehow confusing in that the config sample says "PIX" as hostname!?

Also, I was wondering if someone could please help me with a sample CLI configuration so I can see how it is done using private IP addresses as listed in the document attached.

Regards,

Masood

4 Replies

Jennifer Halim
Cisco Employee

Yes, you can either use crossover cable or connect the failover port to the switch as long as they are in the same subnet.

Hostname is PIX as the ASA configuration is legacy from PIX, so it continues to use PIX as the hostname. Hostname is configurable so you can just change it to something else you like.

Here is a sample configuration for Active/Standby failover for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Hope that helps.

It's simple... You can have the PIX/ASA connected directly for active/standby...

In the primary ASA, i.e. the one you decide is primary..... you have to configure the required configurations and keep it ready....

For example, in the primary ASA the commands below are a must for active/standby to work.

interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 speed [100/1000]
 duplex full
 no shut
!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
!

In the secondary ASA you can have the below commands alone configured.... After configuration of the primary ASA, connect the primary ASA gig 0/3 to the secondary ASA gig 0/3.... that's it, all the configurations will get replicated to the standby ASA and failover will start working....

failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover link failover GigabitEthernet0/3
failover lan unit secondary
failover

Thank you so much Karthikeyan Natarajan.

In this configuration, 192.168.1.2 and .1 will be applied under the actual physical interfaces gi 0/3 on the primary and the secondary ASAs?

I guess I am trying to see if those interfaces gi 0/3 on both devices need IPs, or just these same IPs are used as interface IP and as failover IP?

Please advise,

Regards,

Masood

On both devices it should be the same IPs on the interface.... one will be the primary and the other one will be the secondary......

Once failover starts working..... if you check the configuration, both firewalls will have the same configs replicated from active to standby..... in the sh runn there will be only one diff..... failover unit shows primary for active and secondary for the standby.....

The active firewall uses the 1st IP (primary) and the 2nd IP will be used by the standby.....

Please make sure both firewalls have similar connectivity to the downstream and upstream... both should have the same count of interfaces configured in a normal scenario....
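The rules given in the replies above (one unit primary and one secondary, the same failover interface, link and active/standby IP pair on both units) can be checked offline before the two ASAs are cabled together. The Python script below is an added example, not part of the original thread or any Cisco tooling; the names `parse` and `check_pair` are hypothetical, and the two config strings are constructed from the commands posted above.

```python
import ipaddress
import re

# Constructed sample input: the failover statements as posted in the thread.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
"""
SECONDARY = """\
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover link failover GigabitEthernet0/3
failover lan unit secondary
failover
"""

def parse(cfg):  # hypothetical helper: one unit's failover statements -> dict
    out = {"enabled": False}
    for line in map(str.strip, cfg.splitlines()):
        if line == "failover":
            out["enabled"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            out["unit"] = m[1]
        elif m := re.fullmatch(r"failover (lan interface|link) (\S+) (\S+)", line):
            out[m[1]] = (m[2], m[3])  # (logical name, physical interface)
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            out["ip"] = m.groups()  # (name, active IP, mask, standby IP)
    return out

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    problems = []
    if not (p["enabled"] and s["enabled"]):
        problems.append("failover not enabled on both units")
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        problems.append("units must be one primary and one secondary")
    for field in ("lan interface", "link", "ip"):
        if p.get(field) is None or p.get(field) != s.get(field):
            problems.append(f"'{field}' missing or different between units")
    if p.get("ip"):
        _, active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby == active or ipaddress.ip_address(standby) not in net:
            problems.append("standby IP must be a different address in the active IP's subnet")
    return problems
```

`check_pair(PRIMARY, SECONDARY)` returns an empty list for the configuration posted in the thread; any mismatch between the two units is reported as a separate entry.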
