Configuring Cisco ASA Active/Standby Failover

Two identical Cisco ASA firewalls (same hardware model, interfaces, RAM, etc.) can be configured for failover, allowing network connectivity to continue if one appliance fails. The Cisco ASA supports two failover configurations: Active/Active (both appliances pass traffic) and Active/Standby (only the active appliance passes traffic, whilst the other appliance waits for a failure/failover to occur).

The ASA appliances are connected to each other through a dedicated failover link; this can be any spare interface not currently in use. Stateful failover can also be configured; this replicates the firewall's connection state information to the standby appliance.

Failover Link – the two appliances communicate with each other over a failover link, which can be any spare interface on the ASA.

The following information is communicated over the Failover Link:

  • Unit state
  • Power status
  • Hello messages (keep-alive)
  • Network Link status
  • MAC address exchanges
  • Configuration replication and synchronisation

Stateful Failover Link – optional; required only if state information is to be synchronised between the appliances

  • Can use a dedicated interface for state, or share the Failover Link interface
  • A regular data interface could be shared, but this is NOT recommended
  • All information sent over the failover/stateful failover links is sent in clear text; to encrypt this information, use a failover key (recommended). VPN pre-shared keys etc. would be transmitted over this link, so secure the communication.

The purpose of this blog post is to document the steps to configure Cisco ASA firewalls in Active/Standby Failover mode. The Cisco ASAv virtual appliance version 9.5(2) was used for this configuration; refer to the previous post on how to configure the ASAv in GNS3.


Active/Standby Failover Configuration Example



Step 1 – Configure interfaces

! Configure the INSIDE and OUTSIDE interfaces with the Active and Standby IP address

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.250.1 255.255.255.0 standby 192.168.250.2
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

! Bring up (no shutdown) the interface that will be used for failover

interface GigabitEthernet0/2
no shutdown

Step 2 – Configure the failover interface, named “FAILOVER”, on Gig0/2
failover lan interface FAILOVER GigabitEthernet0/2


Step 3 – Configure IP address on the Failover Interface
failover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2


Step 4 – Configure a Failover Key (to ensure traffic is encrypted when sent between devices)
failover key cisco1234


Step 5 – Configure the Firewall as either Primary OR Secondary (NOT BOTH)
failover lan unit primary
failover lan unit secondary


Step 6 – Enable Failover on the Firewall
failover


Step 7 – Configure Stateful Failover Interface

! Configure Stateful Failover (notice we are sharing the same interface for both Failover and Stateful Failover)
failover link FAILOVER GigabitEthernet0/2

Use the same commands on both appliances, but make sure to specify “failover lan unit primary” only on the preferred Primary/Active appliance and “failover lan unit secondary” only on the preferred Secondary/Standby appliance.
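As an added example (not part of the original post), a short Python script that audits two ASA configuration snippets for the pairing rules just described: failover enabled on both, exactly one role per unit and different roles across the pair, and an identical failover key and failover interface on both. The sample configurations are constructed from the steps above; the function name audit_failover_pair is an assumption.

```python
# Constructed sample configurations built from the steps in this post
# (the key value is the post's placeholder, not a production secret).
PRIMARY_CFG = """\
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover key cisco1234
failover lan unit primary
failover
failover link FAILOVER GigabitEthernet0/2
"""
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")


def _value(lines, prefix):
    """Return the argument of the last line starting with prefix, or None."""
    hits = [l[len(prefix):].strip() for l in lines if l.startswith(prefix)]
    return hits[-1] if hits else None


def audit_failover_pair(cfg_a, cfg_b):
    """Check two ASA configs against the pairing rules described above.

    Returns a list of findings; an empty list means the pair is consistent.
    """
    findings, parsed = [], {}
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        lines = [l.strip() for l in cfg.splitlines() if l.strip()]
        p = parsed[name] = {
            "enabled": "failover" in lines,          # bare 'failover' line
            "unit": _value(lines, "failover lan unit "),
            "key": _value(lines, "failover key "),
            "lan": _value(lines, "failover lan interface "),
            "ip": _value(lines, "failover interface ip "),
        }
        if not p["enabled"]:
            findings.append(f"{name}: 'failover' is not enabled")
        if p["unit"] not in ("primary", "secondary"):
            findings.append(f"{name}: unit role must be primary or secondary")
        if p["key"] is None:
            findings.append(f"{name}: no failover key, link traffic is clear text")
    a, b = parsed["A"], parsed["B"]
    if a["unit"] == b["unit"]:
        findings.append("both units claim the same role")
    for field in ("key", "lan", "ip"):
        if a[field] != b[field]:
            findings.append(f"'{field}' differs between the two units")
    return findings
```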

Verification Commands


The command “show failover” displays information on the failover state of the local appliance, such as whether failover is turned on, the failover priority, the failover interface, timers, the local state and the state of the other host.


If Stateful Failover is configured, it will also show Stateful Failover statistics.


The command “show failover history” will tell you what events occurred and when.
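As an added example, not output captured from the post's lab, a Python parser for the “show failover” fields discussed above, with a health check that a monitoring job could run after each poll. The sample output is constructed to resemble the ASA's format using the addresses from this post; parse_show_failover and failover_healthy are hypothetical names.

```python
import re
# Constructed sample of 'show failover' output, shaped like the ASA's and using
# the addresses from this post; it is not captured from a real appliance.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
        This host: Primary - Active
                Active time: 600 (sec)
                  Interface INSIDE (192.168.250.1): Normal (Monitored)
                  Interface OUTSIDE (1.1.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface INSIDE (192.168.250.2): Normal (Monitored)
                  Interface OUTSIDE (1.1.1.2): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (\S+)")

def parse_show_failover(text):
    """Extract failover state, unit roles and per-host interface status."""
    state = {"enabled": None, "lan_link_up": None, "hosts": {}}
    current = None  # which host block ('this'/'other') we are inside
    for line in text.splitlines():
        if line.startswith("Failover On"):
            state["enabled"] = True
        elif line.startswith("Failover Off"):
            state["enabled"] = False
        elif line.startswith("Failover LAN Interface:"):
            state["lan_link_up"] = line.rstrip().endswith("(up)")
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()
            state["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif current and (m := IFACE_RE.match(line)):
            state["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
    return state

def failover_healthy(state):
    """True only if failover is on, the link is up, one unit is Active, the other Standby Ready, and all interfaces are Normal."""
    hosts = state["hosts"]
    if not state["enabled"] or not state["lan_link_up"] or len(hosts) != 2:
        return False
    if sorted(h["state"] for h in hosts.values()) != ["Active", "Standby Ready"]:
        return False
    return all(s == "Normal" for h in hosts.values() for s in h["interfaces"].values())
```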



Additional Useful Commands

Use the command “prompt hostname priority state” to show the priority and state of the firewall you are connected to in the console prompt.


Entering the command “failover standby config-lock” will prevent configuration changes from being made on the standby appliance.


To manually fail over to the secondary appliance, use the command “no failover active” on the current Active firewall, or, if on the Secondary firewall, use the command “failover active”. In the screenshot below, notice that after the Active firewall was configured not to be active, the prompt changed from “act” to “stby”, confirming that this appliance is now the Standby firewall.


Full Configuration

Primary Firewall

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.250.1 255.255.255.0 standby 192.168.250.2

interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface GigabitEthernet0/2
no shutdown

failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover key cisco1234
failover lan unit primary
failover
failover link FAILOVER GigabitEthernet0/2

Secondary Firewall

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.250.1 255.255.255.0 standby 192.168.250.2

interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface GigabitEthernet0/2
no shutdown

failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover key cisco1234
failover lan unit secondary
failover
failover link FAILOVER GigabitEthernet0/2
