ASA Active/Standby Single mode setup

HLD diagram for reference (not reproduced here). The topology as it can be read from the configs below: two ASAs, FW1 (primary) and FW2 (secondary); Ethernet0 is the management interface; Ethernet1-3 are bundled into Port-channel1, an 802.1Q trunk carrying VLAN 200 (dmz), VLAN 300 (inside) and VLAN 400 (outside); Ethernet4 is the dedicated failover link between the two units.

FW1 base config (before failover is enabled):

config t
!
hostname FW1
!
interface Ethernet0
nameif management
security-level 0
ip address 192.168.1.65 255.255.255.0
no shutdown
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet2
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet3
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1.200
vlan 200
nameif dmz
security-level 0
ip address 10.10.20.254 255.255.255.0
no shutdown
!
interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 10.10.30.254 255.255.255.0
no shutdown
!
interface Port-channel1.400
vlan 400
nameif outside
security-level 0
ip address 10.10.40.254 255.255.255.0
no shutdown
!
mtu dmz 1500
mtu inside 1500
mtu outside 1500
mtu management 1500

http server enable
http 192.168.1.0 255.255.255.0 management
management-access management
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
Two things to check in this base config before going further. First, dmz and outside both sit at security-level 0; the ASA drops traffic between interfaces at the same security level unless same-security-traffic permit inter-interface is configured, so give the DMZ its own level between inside and outside (50 is the usual choice) unless that behaviour is intended. Second, the username cisco line is a lab credential whose hash is published here; replace it before this config goes anywhere near production.

ASA ACTIVE / Standby
=======================

FW1#

config t
interface Ethernet4
no shutdown
!
failover lan unit primary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover
!
interface Ethernet0
ip address 192.168.1.65 255.255.255.0 standby 192.168.1.66
!
interface Port-channel1.300
ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
!
interface Port-channel1.400
ip address 10.10.40.254 255.255.255.0 standby 10.10.40.253

What each part does: failover lan interface defines the failover control link (hellos and config sync) and failover link defines the stateful link (connection-table replication); here both run over the same Ethernet4, so this pair is stateful. failover interface ip gives the two units their addresses on that link. The standby keyword on every data interface gives the standby unit an address of its own on each network; on switchover the units swap the active and standby addresses (and MACs), so clients keep talking to the same active IP. Note that the inside subnet is 20.20.20.0/24 from this point on in the lab (the show monitor-interface output in the failover test reflects that), while management stays on 192.168.1.65/.66 and outside on 10.10.40.254/.253.

Security caveat: unless a failover key is configured, everything on this link is sent in cleartext, including the running configuration pushed to the standby unit (usernames, password hashes, pre-shared keys). Put the failover link on a dedicated, directly connected cable or an isolated VLAN, and configure the same failover key on both units before enabling failover.
FW2 (Standby)
==============

config t
interface Ethernet4
no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover

The secondary gets only this bootstrap: the same link definition and the same failover interface ip pair as the primary, with only the unit role different, and the failover interface brought up before failover is turned on. Once it joins the pair, the active unit's running configuration replaces whatever else is on it, so do not stage interface or policy config on FW2. The failover key, if you set one, is the exception: it has to be present and identical on both units before they sync.
MONITORING INTERFACE
====================

monitor-interface inside
monitor-interface outside
monitor-interface management

By default the ASA monitors physical interfaces and does not monitor subinterfaces, so inside and outside (subinterfaces of Port-channel1) need an explicit monitor-interface; management (Ethernet0) is physical and already monitored, so that line is harmless. Every monitored interface needs a standby IP address, otherwise the two units cannot run the interface tests against each other on that network (see the Updated section at the end). Interface monitoring is what turns a failed data link into a switchover, so monitor every interface whose loss should trigger failover and leave unmonitored those whose loss should not.

TESTING FAILOVER
================

On the active unit, no failover active forces it into standby and the peer takes over; failover active takes the active role back. The prompt carries the unit role and state (pri/act, pri/stby), and show monitor-interface gives both units' view of every monitored interface, so run it after each step.

FW1/pri/act(config)# no failover active
Waiting for the earlier webvpn instance to terminate…
Previous instance shut down. Starting a new one.

Switching to Standby

FW1/pri/stby(config)# show monitor-interface
This host: Primary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
Other host: Secondary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)

FW1/pri/stby(config)# failover active
Waiting for the earlier webvpn instance to terminate…
Previous instance shut down. Starting a new one.

Switching to Active

FW1/pri/act# show monitor-interface
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)

Whichever unit is standby carries the standby addresses (.66, .253) and the active unit the active ones. After the switch and the switch-back the pair is again Primary - Active / Secondary - Standby Ready with every interface Normal (Monitored); that is the state to confirm before and after any maintenance.
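To make the check above repeatable (for example from a change window script), here is an added Python example that is not part of the original post and not Cisco tooling: it parses show monitor-interface output and reports every unit state or interface that is not what a healthy Active/Standby pair should show. The two samples are constructed: the first is the healthy output from the test above, the second is a made-up degraded pair (peer Failed, one interface failing its tests, an unmonitored dmz). The function names and the finding texts are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the healthy "show monitor-interface" output from the test above.
HEALTHY_SAMPLE = """\
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Normal (Monitored)
"""

# Constructed sample of a degraded pair: the peer has failed its outside interface tests,
# and dmz (a subinterface with no monitor-interface line) is reported but not monitored.
DEGRADED_SAMPLE = """\
This host: Primary - Active
Interface management (192.168.1.65): Normal (Monitored)
Interface inside (20.20.20.254): Normal (Monitored)
Interface outside (10.10.40.254): Normal (Monitored)
Interface dmz (10.10.20.254): Normal (Not-Monitored)
Other host: Secondary - Failed
Interface management (192.168.1.66): Normal (Monitored)
Interface inside (20.20.20.253): Normal (Monitored)
Interface outside (10.10.40.253): Failed (Monitored)
Interface dmz (10.10.20.253): Normal (Not-Monitored)
"""

# "This host: Primary - Active" (a hyphen on the ASA; an en dash often survives copy-paste).
HOST_RE = re.compile(r"^(This host|Other host):\s*(Primary|Secondary)\s*[-\u2013]\s*(.+?)\s*$")
# "Interface inside (20.20.20.254): Normal (Monitored)"; the last token is Monitored,
# Not-Monitored or Waiting (no hello received from the peer on that interface yet).
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*\(([^)]+)\)\s*$")


def parse_monitor_interface(text: str) -> Dict[str, dict]:
    """Parse the output into {'This host'|'Other host': {unit, state, interfaces}}."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, flag = m.groups()
            current["interfaces"][name] = {"ip": ip, "status": status, "flag": flag}
    return hosts


def failover_problems(text: str, expect_this: str = "Active",
                      expect_other: str = "Standby Ready") -> List[str]:
    """Findings for the pair; an empty list means every monitored interface is healthy."""
    hosts = parse_monitor_interface(text)
    problems: List[str] = []
    for label, expected in (("This host", expect_this), ("Other host", expect_other)):
        host = hosts.get(label)
        if host is None:
            problems.append(f"{label}: missing from output")
            continue
        if host["state"] != expected:
            problems.append(f"{label}: state is '{host['state']}', expected '{expected}'")
        for name, info in host["interfaces"].items():
            if info["flag"] == "Waiting":
                problems.append(f"{label}: {name} is waiting for hellos from the peer (standby IP set?)")
            elif info["flag"] != "Monitored":
                problems.append(f"{label}: {name} is not monitored (no 'monitor-interface {name}')")
            elif info["status"] != "Normal":
                problems.append(f"{label}: {name} ({info['ip']}) status is '{info['status']}'")
    if len(hosts) == 2:  # both units must report the same set of interfaces
        a, b = (set(h["interfaces"]) for h in hosts.values())
        if a != b:
            problems.append(f"interface sets differ between units: {sorted(a ^ b)}")
    return problems
```

Pass expect_this="Standby Ready", expect_other="Active" right after no failover active, when the roles are deliberately reversed; anything else the function reports is a reason not to proceed with maintenance.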

Updated:

Tuning failover timers:

The defaults are unit polltime 1 s / holdtime 15 s and interface polltime 5 s / holdtime 25 s, so a dead peer is only declared after 15 seconds. Bringing both down to 500 ms polls, with a 2 s unit hold time and a 5 s interface hold time:

failover polltime unit msec 500 holdtime 2
failover polltime interface msec 500 holdtime 5

The ASA enforces unit holdtime >= 3 x polltime (1.5 s here, so 2 s is the smallest whole-second value that is accepted) and interface holdtime >= 5 x polltime, with the interface holdtime never below 5 s. Faster timers mean a faster switchover but also a higher chance of a false failover on a congested or flapping failover link, so do not go below what the link can reliably sustain.

After tuning the timers, only one ping was lost during the switchover.

Monitoring the interface:

A monitored interface needs a standby IP address configured on it, for example:

interface Port-channel1.300
vlan 300
nameif inside
security-level 100
ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
no shutdown
!
interface Port-channel1.400
vlan 400
nameif outside
security-level 0
ip address 10.10.40.254 255.255.255.0 standby 10.10.40.253
no shutdown

Without the standby address the standby unit has no address of its own on that network, so the two units cannot exchange hellos or run the ARP and ping interface tests on it, and the interface will not reach Normal (Monitored) on both units.
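As an added example (not part of the original post and not Cisco tooling), the following Python audit pulls together the requirements from the failover bootstrap, the interface monitoring section, the timer tuning and the standby IP note above, and checks them against the two units' configs before failover is enabled. The embedded configs are constructed from this page's FW1 and FW2 commands (with the tuned timers and the standby IPs from the Updated section). The rules it applies are Cisco ASA behaviour: the three failover link lines must match on both units, physical interfaces are monitored by default and subinterfaces are not, a monitored interface needs a standby IP, unit holdtime must be at least 3 x polltime and interface holdtime at least 5 x polltime, and without a failover key the link is cleartext. The function names and finding texts are this example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: FW1's configuration from this page, condensed to the lines the audit
# reads, with the timers from the "Tuning failover timers" section applied.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover polltime unit msec 500 holdtime 2
failover polltime interface msec 500 holdtime 5
interface Ethernet0
 nameif management
 ip address 192.168.1.65 255.255.255.0 standby 192.168.1.66
interface Port-channel1.300
 nameif inside
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
interface Port-channel1.400
 nameif outside
 ip address 10.10.40.254 255.255.255.0 standby 10.10.40.253
monitor-interface inside
monitor-interface outside
monitor-interface management
"""

# Constructed sample: the FW2 bootstrap from this page.
SECONDARY_CFG = """\
failover lan unit secondary
failover lan interface FAILOVER Ethernet4
failover link FAILOVER Ethernet4
failover interface ip FAILOVER 40.40.40.1 255.255.255.0 standby 40.40.40.2
failover
"""

# failover polltime [unit|interface] [msec] N [holdtime [msec] N]
POLL_RE = re.compile(
    r"^failover polltime(?: (unit|interface))?(?: (msec))? (\d+)(?: holdtime(?: (msec))? (\d+))?$")
# These three lines must be identical on both units for them to form a pair.
BOOTSTRAP_PREFIXES = ("failover lan interface ", "failover link ", "failover interface ip ")


def lines(cfg: str) -> List[str]:
    return [l.strip() for l in cfg.splitlines() if l.strip()]


def parse_interfaces(cfg: str) -> Dict[str, dict]:
    """nameif -> {'port': ..., 'standby': ip or None} for every named interface."""
    result: Dict[str, dict] = {}
    current = None
    for line in lines(cfg):
        if line.startswith("interface "):
            current = {"port": line.split(None, 1)[1], "standby": None}
        elif current is not None and line.startswith("nameif "):
            result[line.split()[1]] = current
        elif current is not None and line.startswith("ip address "):
            parts = line.split()
            if "standby" in parts:
                current["standby"] = parts[parts.index("standby") + 1]
    return result


def monitored_interfaces(cfg: str, interfaces: Dict[str, dict]) -> Set[str]:
    """ASA default: physical ports are monitored, subinterfaces ('.' in the port name) are not."""
    monitored = {name for name, i in interfaces.items() if "." not in i["port"]}
    for line in lines(cfg):
        if line.startswith("monitor-interface "):
            monitored.add(line.split()[1])
    return monitored


def parse_timers(cfg: str) -> Dict[str, tuple]:
    """{'unit': (poll_s, hold_s), 'interface': (poll_s, hold_s)}, ASA defaults when unset."""
    timers = {"unit": (1.0, 15.0), "interface": (5.0, 25.0)}
    for line in lines(cfg):
        m = POLL_RE.match(line)
        if m:
            kind = m.group(1) or "unit"
            poll = int(m.group(3)) / (1000 if m.group(2) else 1)
            hold = int(m.group(5)) / (1000 if m.group(4) else 1) if m.group(5) else timers[kind][1]
            timers[kind] = (poll, hold)
    return timers


def audit_pair(primary: str, secondary: str) -> List[str]:
    """Findings for an Active/Standby pair; an empty list means the bootstrap is consistent."""
    findings: List[str] = []
    for label, cfg in (("primary", primary), ("secondary", secondary)):
        ls = lines(cfg)
        if f"failover lan unit {label}" not in ls:
            findings.append(f"{label}: 'failover lan unit {label}' missing or wrong")
        if not any(l.startswith(("failover key", "failover ipsec pre-shared-key")) for l in ls):
            findings.append(f"{label}: no failover key, config sync and state replication cross the link in cleartext")
    boot = [{l for l in lines(c) if l.startswith(BOOTSTRAP_PREFIXES)} for c in (primary, secondary)]
    if boot[0] != boot[1]:
        findings.append(f"failover link bootstrap differs between units: {sorted(boot[0] ^ boot[1])}")
    interfaces = parse_interfaces(primary)  # the secondary's config is replaced on sync
    for name in sorted(monitored_interfaces(primary, interfaces)):
        if interfaces.get(name, {}).get("standby") is None:
            findings.append(f"{name} is monitored but has no standby IP address")
    timers = parse_timers(primary)  # unit holdtime >= 3x poll, interface holdtime >= 5x poll
    for kind, factor, lo, hi in (("unit", 3, 0.8, 45), ("interface", 5, 5, 75)):
        poll, hold = timers[kind]
        if hold < factor * poll or not lo <= hold <= hi:
            findings.append(f"{kind} holdtime {hold}s must be >= {factor}x polltime ({poll}s) and within {lo}-{hi}s")
    return findings
```

Run against the page's own configs the audit reports exactly one thing per unit: the missing failover key. Feed it the real running-configs (show running-config on each unit, before failover is enabled on the secondary) and a failing check is the reason a pair comes up with one side stuck in a non-Active/Standby Ready state.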

Good luck! Happy reading!!