Cisco ASA active/standby failover configuration example
Cisco's active/standby failover feature provides stateful failover: if one firewall fails, traffic moves to the secondary firewall and users do not see any blip in connectivity. For a detailed overview of ASA active/standby failover, read the article below.
ASA Failover Active/Standby (Failover and stateful link on different interfaces)
In the topology below, we use a single link as both the failover link and the stateful link. Both firewalls are directly connected over a single link on port Gi0/2. We can also connect the two ASA firewalls through a layer 2 switch, but this switch should not have other connections, and we should configure the VLANs on it. This is not compulsory, but Cisco recommends it for security reasons.
There are many things to keep in mind before and after configuring active/standby failover, but we can't cover all of them in this example, so we have already created a separate article for it.
ASA active standby topology
ASA1
conf t
! Failover role, and the single link that carries both failover and state traffic
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
! Enable failover
failover
! Bring up the physical failover interface
int g0/2
 no shut
! Data interfaces: active address plus the standby unit's address
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
! Save the configuration
wr
OPTIONAL
monitor-interface INSIDE
monitor-interface OUTSIDE
NOTE: The ASA requires something that can trigger the failover mechanism. By default, all physical interfaces are monitored and used to trigger failover, and hardware and software failures also trigger it. We can also define which interfaces are monitored if we don't want to monitor all of them.
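A pre-deployment check for the ASA1 configuration above, as an added example (not code from the original article): it verifies that every address line has a standby address in the same subnet, that each monitor-interface refers to a defined nameif, and that the unit role and failover are set. It goes beyond the page in one respect: it also reports when neither `failover key` nor `failover ipsec pre-shared-key` is present, since without one of them the failover link traffic is sent in clear text. The function name `audit_failover` and the sample text are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the ASA1 failover and interface lines shown on this page.
ASA1_CONFIG = """\
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
monitor-interface INSIDE
monitor-interface OUTSIDE
"""
# Matches static "ip address" and "failover interface ip" lines (active, mask, standby).
ADDR = re.compile(r"^(?:failover interface ip \S+|ip address) (\S+) (\S+)(?: standby (\S+))?$")

def audit_failover(config):
    """Return a list of findings for an ASA active/standby configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, names = [], set()
    for line in lines:
        if line.startswith("nameif "):
            names.add(line.split()[1].lower())  # nameif is not case-sensitive
        m = ADDR.match(line)
        if not m:
            continue
        active, mask, standby = m.groups()
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby is None:
            findings.append(f"no standby address: {line}")
        elif ipaddress.ip_address(standby) not in net:
            findings.append(f"standby {standby} is outside {net}")
    for line in lines:
        if line.startswith("monitor-interface ") and line.split()[1].lower() not in names:
            findings.append(f"monitor-interface names unknown interface {line.split()[1]}")
    if not any(re.match(r"failover lan unit (primary|secondary)$", l) for l in lines):
        findings.append("failover lan unit role is not set")
    if "failover" not in lines:
        findings.append("failover is not enabled")
    if not any(l.startswith(("failover key ", "failover ipsec pre-shared-key ")) for l in lines):
        findings.append("failover link traffic is not encrypted (no failover key)")
    return findings
```

Run against the page's ASA1 lines, the only finding is the missing failover key; the addressing and monitor-interface names pass.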
ASA2
Conf t
failover lan unit secondary
failover lan interface FAIL_OVER GigabitEthernet0/2