
ASA Active/Standby Configuration



  1. In an Active/Standby configuration, virtually all of the configuration on the active unit is replicated to the standby unit over the failover link. This article focuses on how to configure Active/Standby failover on the ASA security appliance.
  2. During Active/Standby failover, the active ASA receives all traffic flows and filters all network traffic while the standby ASA sits in the Standby Ready state. Therefore you should size each ASA so that either one can handle all of the traffic on its own. ASA failover works in two modes: Stateful Failover and Regular (stateless) Failover.
  3. When configuring the Cisco ASA for high availability, the failover command is used to configure the devices. A few terms before we begin: Active and Standby versus Primary and Secondary. In the ASA world, the Primary and Secondary designations never change, but either the Primary or the Secondary can be the Active or the Standby unit at any given time. That is, if the Primary ASA is the Active ASA and it fails, the Secondary.
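As an added example (not taken from the original article), here is a minimal LAN-based Active/Standby pair in single-context routed mode. Hostnames, interface names, the failover interface name FOLINK, the shared secret and all addresses are assumptions. The primary carries the full interface configuration; the secondary needs only the failover-link commands, because everything else is replicated from the active unit once the link comes up.

```cisco
!
! --- Primary unit (assumed hostname ASA-1) ---
!
hostname ASA-1
! Show unit role and failover state in the prompt, e.g. ASA-1/pri/act
prompt hostname priority state
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253
 no shutdown
!
! Dedicated failover interface: no nameif or IP address here, it is addressed
! by the failover commands below. Connect it back-to-back or on its own VLAN.
interface GigabitEthernet0/3
 description failover LAN and state link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Naming a stateful link turns on Stateful Failover (connection tables are
! mirrored to the standby); omit this line for Regular Failover.
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Shared secret (assumed value): without it the replicated configuration,
! passwords and keys included, crosses the failover link in clear text.
failover key MyFailoverSecret
! Declare the peer dead after 3 missed 1-second hellos.
failover polltime unit 1 holdtime 3
failover
!
! --- Secondary unit (assumed hostname ASA-2) ---
! Only the failover link settings are entered; the rest is synced from ASA-1.
!
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key MyFailoverSecret
failover
!
! --- Verification (either unit) ---
show failover
show failover state
```

Once the secondary has joined, show failover on the primary should report "This host: Primary - Active" and "Other host: Secondary - Standby Ready", and the standby's running-config will match the primary's apart from the failover lan unit line.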

If you have planned maintenance and know you will interrupt the failover LAN between two ASAs in an Active/Standby configuration, it is very useful to temporarily disable the failover mechanism so that the standby firewall stays standby. Otherwise the standby sees the active unit disappear, takes over, and you end up with two active firewalls.

Below is example output from the show failover command on an ASA 5520 (only the relevant information is shown):

Now log in to the standby firewall and disable failover with the no failover command in configuration mode:

What you could try is removing the failover configuration from the standby unit, making a copy of the active ASA's config (copy and paste it into Notepad) and then pasting the configuration onto the standby unit approximately 10 lines at a time to see where it fails to be accepted. Just remember to add the failover commands last.

You can see in the output that NoFailover is added to the CLI prompt.

Back on the active unit, you can see the secondary is now Disabled where it was previously Standby Ready:

When your maintenance is finished, enable the failover mechanism again on the standby node:

Now you're done; check your Active/Standby status again. It should match the first show failover output in this post.
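The maintenance procedure above, written out as an added example (not the author's session transcript). It assumes the pair is already running as in the earlier configuration and is typed on the standby unit unless the comment says otherwise.

```cisco
!
! Step 1: confirm roles before touching anything (either unit).
! Expect "This host: Primary - Active" and "Other host: Secondary - Standby Ready".
show failover | include host
!
! Step 2: ON THE STANDBY UNIT ONLY, disable failover for the maintenance window.
! Doing this on the active unit instead would leave the standby free to take
! over the moment the failover LAN is cut, which is exactly the two-active
! situation being avoided.
configure terminal
 no failover
 end
! This unit now reports "Failover Off"; from the active unit the peer shows
! as Disabled instead of Standby Ready.
show failover | include Failover
!
! Step 3: do the maintenance on the failover LAN.
!
! Step 4: re-enable failover on the standby unit, then confirm it returns to
! Standby Ready and that configuration sync has completed.
configure terminal
 failover
 end
show failover | include host
show failover state
!
! Optional: a controlled switchover test once both units are healthy again,
! typed on the ACTIVE unit.
!   no failover active   <- this unit steps down, the peer becomes active
!   failover active      <- take the active role back
```

Note that nothing should be changed on the standby while failover is off: when it rejoins, the active unit's configuration is replicated to it and any local edits are overwritten.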

It's time for a topology change!

The other topology was not suited to running the VPNs over it, so I created a new one. We don't have any of the fun stuff like IPS, ACS, ISE, Wifi, or even the ability to run a GUI. It is just going to be CLI only.

I have just done the basic IP addressing so far. The ASAs all get an IP address of .254 for the respective subnet. The routers get an IP, which matches their loopback interface, so Local-1 gets the address 10.1.1.1 on its Gi0/0 interface, and DMVPN-Hub1 has the address 10.1.4.4, and so on.

I have not quite worked out the routing protocols yet; I'll mull it over this weekend. For the moment we will get the ASAs up, mainly the Multicontext Failover ASA and the Transparent ASA.


Transparent ASA

I have already covered transparent ASAs here, so here is just the config:
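The author's own transparent config is not reproduced in this copy of the post, so here is an added example of a transparent-mode ASA (not the author's configuration), using the bridge-group syntax of ASA 8.4 and later. The hostname, interface names, the BVI address (following the .254 convention used elsewhere in this post) and the sample access-list addresses are assumptions.

```cisco
! Switch the firewall mode first: this command clears the running
! configuration, so everything else is entered afterwards.
firewall transparent
!
hostname TRANS-ASA
!
! In transparent mode the data interfaces carry no IP addresses; they are
! members of a bridge group and the ASA forwards at layer 2 between them.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! The bridge-group virtual interface holds the one IP address the firewall
! needs, for management and for Active/Standby failover (standby address).
! It must lie in the subnet that is being bridged.
interface BVI1
 ip address 10.1.5.254 255.255.255.0 standby 10.1.5.253
!
! Transparent mode still defaults to deny from lower to higher security level,
! and non-IP, non-ARP frames are dropped unless an EtherType ACL permits them.
! Assumed hosts: 10.1.4.4 is DMVPN-Hub1 from the topology, 10.1.5.1 is a
! hypothetical inside host.
access-list OUTSIDE-IN extended permit tcp host 10.1.4.4 host 10.1.5.1 eq 22
access-group OUTSIDE-IN in interface outside
!
show firewall
show bridge-group
```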


Moving swiftly on…

Multi-context Active/Standby ASAs

I haven't looked at Active/Standby ASAs in Multi-context mode before, but let's start with the failover stuff, then work out the rest.

Now we just copy this to the second ASA, with a minor edit:

Setting up failover first makes life a little easier.

The primary ASA will then restart (changing the mode to multiple forces a reload), and the secondary will take over:

This does not mean that the secondary has its mode changed as well, though:

Let's switch the secondary to multiple-context mode and then failover should work again:

We still need to re-enable failover, though (notice that in the second line failover says 'off'):


We need to do this on the mate as well:

All in all, it is probably quicker to set the mode first and then set up failover. Nevertheless, we got there in the end. Let's crack on and build the multi-context part. We will need to use sub-interfaces and trunk the switch port.

We need a slight change to the main interface to account for the sub-interfaces, namely setting the VLAN information:
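Putting the multi-context steps together, as an added example (not the original lab config): both units are switched to multiple-context mode first, failover is configured once in the system execution space, and the sub-interfaces are created there and handed to the contexts. Hostnames, VLAN numbers, context names, config-url paths and addresses are assumptions; the switch port uses IOS syntax.

```cisco
!
! --- Both ASAs, one at a time (the unit reloads) ---
! Failover only works between units in the same mode, so the peer cannot be
! Standby Ready until it has been converted as well.
mode multiple
!
! --- System execution space on the primary, after the reload ---
! Failover lives here only; it is not visible from inside a context. If it
! was configured before the mode change and "show failover" now says Off,
! the "failover" line at the end re-enables it.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key MyFailoverSecret
!
! Physical port toward the trunk: just bring it up; no nameif or IP address
! is set in the system space.
interface GigabitEthernet0/0
 no shutdown
!
! One 802.1Q sub-interface per context; the VLAN tag is the "slight change".
interface GigabitEthernet0/0.10
 vlan 10
!
interface GigabitEthernet0/0.20
 vlan 20
!
interface Management0/0
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context CTX-A
 allocate-interface GigabitEthernet0/0.10
 config-url disk0:/ctx-a.cfg
!
context CTX-B
 allocate-interface GigabitEthernet0/0.20
 config-url disk0:/ctx-b.cfg
!
failover
!
! The secondary needs only the mirrored failover-link lines in its own system
! space (failover lan unit secondary, lan interface, interface ip, key,
! failover); the contexts and sub-interfaces replicate from the primary.
!
! --- Inside a context: the allocated sub-interface gets its L3 settings ---
changeto context CTX-A
interface GigabitEthernet0/0.10
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253
show interface ip brief
!
! --- Intermediate switch (IOS), the port facing Gi0/0 on each ASA ---
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Checks, back in the system space ---
changeto system
show mode
show failover
show context
```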


Let's make sure the interfaces are up:

Now a little testing:


Next, we need to set up ISP-1, and add the VLANs to the intermediate switch, and then test from the ASA:


This is pretty much the very basics done. I won't be overly permissive with the ASA access-lists this time around. Instead, we will be making use of the default deny, and being very strict by allowing just the source and destination IP addresses and relevant ports.


All the IGPs (once I figure out what I will be using and where) will use authentication, but at least I am in good stead to start learning the different VPNs.

We will start by getting Local-1 connected to RTD-ASA, which in turn will be connected to CA-Flex, which connects to DMVPN-Hub2. This will use OSPF to propagate the routes, joining RTD-ASA and DMVPN-Hub2 by way of authenticated OSPF. Once this is done, we'll set up an IPsec VPN between the ASA and DMVPN-Hub1.

But that won't be until next week because I am taking the kids and wife away for the weekend.


Have a good weekend.
