
cisco asa active standby failover configuration example

February 23, 2020

The Cisco ASA active/standby failover feature provides stateful failover: if the active firewall fails, traffic moves to the secondary firewall and users do not notice a blip in connectivity. For a detailed overview of ASA active/standby failover, read the article below.

ASA Failover Active/Standby (Failover and stateful link on different interfaces)

In the topology below, a single link serves as both the failover link and the stateful link; the two firewalls are directly connected on port Gi0/2. The two ASAs can also be connected through a layer 2 switch, but that switch should carry no other connections and the failover VLAN should be configured on it. This is not compulsory, but Cisco recommends it for security reasons.

There are many things to keep in mind both before and after configuring active/standby failover, but we cannot cover all of them in this example, so we have already created a separate article for that.

ASA active standby topology

ASA1

conf t
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
int g0/2
no shut
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
wr

OPTIONAL

monitor-interface inside
monitor-interface outside

NOTE: The ASA needs something that can trigger the failover mechanism. By default all physical interfaces are monitored and used to trigger failover, and a hardware or software failure of the unit also triggers failover. If we do not want to monitor all interfaces, we can define which interfaces are monitored with monitor-interface.
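The failover pair only forms when both units agree on the failover link name, port and addresses, and interface monitoring only works when each named interface also has a standby address. The following Python script is an added example, not part of the original post and not Cisco software: it parses the ASA1 commands shown above (plus an assumed ASA2 block that mirrors them, since the post is cut off there) and reports the mismatches that most often stop a pair from forming. The secondary-unit samples and the mismatched variant are constructed for the example.

```python
import ipaddress

# Constructed sample: the ASA1 failover commands from this post, written contiguously.
ASA1_CONFIG = """
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
interface GigabitEthernet0/0
 nameif outside
 ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
 nameif inside
 ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
monitor-interface inside
monitor-interface outside
"""

# Constructed: a secondary unit assumed to mirror ASA1 (the post is cut off before it).
ASA2_CONFIG = """
failover lan unit secondary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
"""

# Constructed: a secondary with two typical slips, wrong unit role and a standby
# address outside the failover /30.
ASA2_MISMATCH = """
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.5
failover
"""


def parse_asa_config(text):
    """Pull the failover-relevant settings out of a block of ASA CLI lines."""
    cfg = {"unit": None, "lan_if": None, "link": None, "failover_ip": None,
           "enabled": False, "interfaces": {}, "monitored": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if line.startswith("failover lan unit "):
            cfg["unit"] = words[3]
        elif line.startswith("failover lan interface "):
            cfg["lan_if"] = (words[3], words[4])   # (name, physical port)
        elif line.startswith("failover link "):
            cfg["link"] = (words[2], words[3])     # stateful link
        elif line.startswith("failover interface ip "):
            # failover interface ip NAME ACTIVE MASK standby STANDBY
            cfg["failover_ip"] = (words[3], words[4], words[5], words[7])
        elif line == "failover":
            cfg["enabled"] = True
        elif line.startswith("interface "):
            current = words[1]
            cfg["interfaces"][current] = {"nameif": None, "ip": None, "standby": None}
        elif current and line.startswith("nameif "):
            cfg["interfaces"][current]["nameif"] = words[1]
        elif current and line.startswith("ip address "):
            cfg["interfaces"][current]["ip"] = words[2]
            if "standby" in words:
                cfg["interfaces"][current]["standby"] = words[words.index("standby") + 1]
        elif line.startswith("monitor-interface "):
            cfg["monitored"].add(words[1])
    return cfg


def check_failover_pair(primary, secondary):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if (primary["unit"], secondary["unit"]) != ("primary", "secondary"):
        findings.append(f"unit roles {primary['unit']}/{secondary['unit']}: need primary/secondary")
    # The failover link definition must be identical on both units.
    for key in ("lan_if", "link", "failover_ip"):
        if primary[key] != secondary[key]:
            findings.append(f"{key} differs: {primary[key]} vs {secondary[key]}")
    for role, cfg in (("primary", primary), ("secondary", secondary)):
        if not cfg["enabled"]:
            findings.append(f"{role}: 'failover' command missing")
        if cfg["failover_ip"]:
            name, active, mask, standby = cfg["failover_ip"]
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                findings.append(f"{role}: failover standby {standby} not in {net}")
            if cfg["lan_if"] and name != cfg["lan_if"][0]:
                findings.append(f"{role}: failover ip names {name}, lan interface is {cfg['lan_if'][0]}")
    # Every named data interface needs a standby address so the standby unit can be
    # reached on it, and monitor-interface must name a real nameif (names are compared
    # case-insensitively to match the post's mixed casing).
    names = {i["nameif"].lower() for i in primary["interfaces"].values() if i["nameif"]}
    for phys, intf in primary["interfaces"].items():
        if intf["nameif"] and intf["ip"] and not intf["standby"]:
            findings.append(f"{phys} ({intf['nameif']}): no standby address")
    for name in primary["monitored"]:
        if name.lower() not in names:
            findings.append(f"monitor-interface {name}: no interface has that nameif")
    return findings


if __name__ == "__main__":
    asa1 = parse_asa_config(ASA1_CONFIG)
    print("consistent pair:", check_failover_pair(asa1, parse_asa_config(ASA2_CONFIG)) or "no findings")
    print("mismatched pair:", *check_failover_pair(asa1, parse_asa_config(ASA2_MISMATCH)), sep="\n  ")
```

Run it before pasting a pair of configs into the units: the consistent pair yields no findings, while the mismatched secondary produces three (both units claiming the primary role, a differing failover interface ip line, and a standby address outside 10.10.10.0/30). The checks are deliberately limited to what the post's commands express; they do not replace show failover on the units themselves.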

ASA2

conf t
failover lan unit secondary
failover lan interface FAIL_OVER GigabitEthernet0/2