Saturday, May 28, 2011

Configure ASA Failover

In this article I will explain how to configure failover on a Cisco ASA.
The product used in this article is an ASA5520-BUN-K9; the ASA 5520 has a failover license included.

The ASA 5520 has 4 Gigabit interfaces and 1 management interface. The management interface is a Fast Ethernet interface.

Instead of using one of the Gigabit interfaces to build the failover link, we will use the management interface.

The primary unit:

failover lan unit primary
We configure this unit as the primary unit.
failover lan interface FAILOVERINT Management0/0
We specify the Management0/0 interface as the failover interface.
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
We assign the active and standby IP addresses to the failover link.
failover link FAILOVERINT Management0/0
This specifies the interface to be used as the stateful failover link. Once this command is added, the Management0/0 interface cannot be used for anything other than failover.
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
These two commands set the holdtime. If an interface goes down on the primary ASA, the secondary ASA takes over as the active unit. The active/standby failover pair is not healthy again until the interface that went down comes back up, and the holdtime is how long the failover process takes to recognise that the interface is up again; only then is the pair healthy and ready in case of a second failure. Configure this holdtime as low as possible, especially when, as in our case, a dedicated physical interface is used for failover.

failover
This enables failover.

interface Management0/0
description this interface is used for failover
no shut
On the interface dedicated to failover, nothing must be configured other than bringing the interface up.

The secondary unit:

failover lan unit secondary
We configure this unit as the secondary unit.
failover lan interface FAILOVERINT Management0/0
We specify the Management0/0 interface as the failover interface.
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
We assign the active and standby IP addresses to the failover link.
failover
We enable failover.

interface Management0/0
description this interface is used for failover
no shut
We bring up the Management0/0 interface that will be used for failover.
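To check that a unit's running-config follows the rules above (failover enabled, a stateful link defined, and the Management0/0 failover link carrying nothing but `no shut`), here is an added Python audit script; it is not from the original post or from Cisco, the sample config is constructed from the commands above, and the `failover key` check is an extra I assume a practitioner wants, since without that command the failover link replicates configuration and state in clear text.

```python
import re

# Constructed sample: the primary unit's commands from this post, as one config text.
SAMPLE_CONFIG = """\
failover lan unit primary
failover lan interface FAILOVERINT Management0/0
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover link FAILOVERINT Management0/0
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
failover
interface Management0/0
 description this interface is used for failover
 no shut
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return ifaces

def audit_failover(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = cfg.splitlines()
    if "failover" not in lines:
        findings.append("failover is not enabled")
    m = re.search(r"^failover lan interface (\S+) (\S+)", cfg, re.M)
    if not m:
        findings.append("no failover lan interface configured")
    else:
        name, phys = m.groups()
        subs = parse_interfaces(cfg).get(phys, [])
        # The failover link carries nothing but 'no shut': no nameif, ip or security-level.
        if any(s.startswith(("nameif ", "ip ", "security-level ")) for s in subs):
            findings.append(f"{phys} is also configured as a data interface")
        if f"failover link {name} {phys}" not in lines:
            findings.append("no stateful failover link; connection state will not replicate")
    # Assumed extra check: without 'failover key' the link replicates config and state in clear text.
    if not re.search(r"^failover key ", cfg, re.M):
        findings.append("failover link is not keyed; replication crosses it in clear text")
    return findings
```

Run it against `show running-config` output saved to a file; the only finding on the post's configuration as written is the missing failover key.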

I hope this article was helpful and that my explanation was clear.


https://www.security-architecture.com
