ASA Active/Standby Single mode setup
HLD diagram for reference:
FW1 base config:
config t
!
hostname FW1
!
interface Ethernet0
nameif management
security-level 0
ip address 192.168.1.65 255.255.255.0
no shutdown
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet2
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet3
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1.200
vlan 200
nameif dmz
security-level 0
ip address 10.10.20.254 255.255.255.0
no shutdown
!
interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 10.10.30.254 255.255.255.0
no shutdown
!
interface Port-channel1.400
vlan 400
nameif outside
security-level 0
ip address 10.10.40.254 255.255.255.0
no shutdown
!
mtu dmz 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
http server enable
http 192.168.1.0 255.255.255.0 management
management-access management
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
ASA ACTIVE / Standby
=======================
FW1#
config t
interface Ethernet4
no shutdown
failover lan unit primary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover
interface Port-channel1.300
ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
! 192.168.1.65 is the management interface address (Ethernet0 in the base config),
! which is what the show monitor-interface output below reports as 192.168.1.65 / .66
interface Ethernet0
ip address 192.168.1.65 255.255.255.0 standby 192.168.1.66
FW2 (Standby)
==============
failover lan unit secondary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover
interface Ethernet4
no shutdown
MONITORING INTERFACE
====================
monitor-interface inside
monitor-interface outside
monitor-interface management
TESTING FAILOVER
================
FW1/pri/act(config)# no failover active
FW1/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
Switching to Standby
FW1/pri/stby(config)#
FW1/pri/stby(config)#
FW1/pri/stby(config)# fail
FW1/pri/stby(config)# failover ac
FW1/pri/stby(config)# show mon
FW1/pri/stby(config)# show monitor-interface
This host: Primary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
Other host: Secondary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
FW1/pri/stby(config)# failover active
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
Switching to Active
FW1/pri/act# show monitor-interface
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
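The show monitor-interface check above is done by eye; as an added example (not from the original post), here is a small Python parser that turns that output into alert conditions a monitoring job can act on, so a pair that silently drops to Failed or loses its Standby Ready peer gets noticed. The sample output is constructed in the page's format with one peer interface set to Failed; status words other than Normal and the Not-Monitored marker are assumed from ASA's usual output rather than taken from this page.

```python
import re

# Constructed sample in the format of the page's "show monitor-interface"
# output, with the peer's outside interface deliberately set to Failed.
SAMPLE_OUTPUT = """\
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Failed (Waiting)
"""

# Accept either a plain hyphen or the en dash that web copies of the output carry.
HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+[-\u2013]\s+(.+?)\s*$")
# Status may contain a space (e.g. "No Link"), so match lazily up to the last "(...)".
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \(([^)]+)\)$")


def parse_monitor_interface(text):
    """Parse the output into {'this': {...}, 'other': {...}} with role, state and interfaces."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            key = "this" if m.group(1) == "This" else "other"
            current = hosts[key] = {"role": m.group(2), "state": m.group(3), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:  # interface lines belong to the most recent host header
            current["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)})
    return hosts


def failover_pair_problems(hosts):
    """Return findings worth alerting on; an empty list means the pair is healthy."""
    problems = []
    if {h["state"] for h in hosts.values()} != {"Active", "Standby Ready"}:
        problems.append("pair is not Active / Standby Ready: "
                        + ", ".join(f"{k}={h['state']}" for k, h in hosts.items()))
    for key, host in hosts.items():
        for i in host["interfaces"]:
            if i["status"] != "Normal":
                problems.append(f"{key} host {i['name']} ({i['ip']}) is {i['status']}")
            if i["monitor"] == "Not-Monitored":  # assumed marker for unmonitored interfaces
                problems.append(f"{key} host {i['name']} is not monitored")
    return problems
```

Feed it the text captured from the device over SSH (or a syslog-collected copy) and raise an alert whenever `failover_pair_problems` returns anything.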
Updated:
Tuning failover timers:
500 msec poll time with a 2 sec unit hold time (5 sec hold time for interfaces):
failover polltime unit msec 500 holdtime 2
failover polltime interface msec 500 holdtime 5
After tuning the timers, only 1 ping was lost during failover.
Monitoring the interface:
To monitor an interface, you need to configure a standby IP address on it; for example:
interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
no shutdown
!
interface Port-channel1.400
vlan 400
nameif outside
security-level 0
ip address 10.10.40.254 255.255.255.0 standby 10.10.40.253
Good luck! Happy reading!