Adding redundancy to your network improves business uptime. Two Cisco ASA firewalls in high availability mode are highly recommended in a production scenario. If the primary ASA fails, the backup ASA takes over instantly without any downtime.
Active Cisco ASA Configuration
When setting up the Cisco ASA active/standby configuration, always start with the active unit. First, assign IP addresses (with their standby addresses) to the inside and outside interfaces on the primary unit, then designate the primary unit and specify the failover interface:
- site1asa(config)# interface g0/0
- site1asa(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
- site1asa(config)# interface g0/1
- site1asa(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
Next, designate this unit as the primary and define the failover link:
- site1asa(config)# failover lan unit primary
- site1asa(config)# failover lan interface folink gigabitethernet0/6
The failover link cannot be used for anything except the state link. You can use the management interface as the failover link, but if you do, you must save the configuration and reload the device after making the change. If the FirePOWER module is in use, you cannot use the management interface as the failover link.
Next, assign the active and standby IP addresses to the failover link:
- site1asa(config)# failover interface ip folink 192.168.10.1 255.255.255.0 standby 192.168.10.2
After configuring the failover link, make sure its interface is not shut down:
- site1asa(config)# interface gigabitethernet0/6
- site1asa(config-if)# no shutdown
You can also use a separate link for the state link. The state link passes connection state information to the other ASA, so that if one ASA goes down the other has the connection information needed to keep connections and user sessions alive. Configure the state link on another unused subnet and bring its interface up with the following commands:
- site1asa(config)# failover link statefull gigabitethernet0/5
- site1asa(config)# failover interface ip statefull 192.168.9.1 255.255.255.0 standby 192.168.9.2
- site1asa(config)# interface gigabitethernet0/5
- site1asa(config-if)# no shutdown
To secure the traffic on the failover and state links, set up an IPsec LAN-to-LAN tunnel over the failover link, which is the method Cisco prefers. Choose your own strong pre-shared key instead of the "cisco" used in this document (the same key is entered on the standby unit below).
- site1asa(config)# failover ipsec pre-shared-key cisco
- site1asa(config)# failover
Standby Cisco ASA Configuration
Now that the active Cisco ASA is configured, configure the same failover and state link settings on the standby unit:
- site1asa(config)# failover lan unit secondary
- site1asa(config)# failover lan interface folink GigabitEthernet0/6
- site1asa(config)# failover link statefull GigabitEthernet0/5
- site1asa(config)# failover interface ip folink 192.168.10.1 255.255.255.0 standby 192.168.10.2
- site1asa(config)# failover interface ip statefull 192.168.9.1 255.255.255.0 standby 192.168.9.2
- site1asa(config)# failover ipsec pre-shared-key cisco
- site1asa(config)# failover
If you run into problems where failover does not come up, reboot the secondary ASA.
Quick Failover Tips
When monitoring or reviewing the failover configuration, here are a few things to remember:
- You can check the status of failover by issuing the command show failover.
- Only make configuration changes on the active unit so that the standby always receives the updated config.
- To troubleshoot or work on a particular device, issue the command failover active on the standby host. The standby will then take over the active role.
- If you have any interfaces in a failed state, check that you have the correct interface configurations and that the interfaces are in up/up status.
- There are some additional failover configuration settings you can apply that may not be necessary; you can read more about them here.
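Reading show failover output by eye scales poorly once you have several pairs to watch. As an added example (not from the original post), the following Python script parses a constructed show failover excerpt that uses this post's interface and link names and flags anything that is not the expected Active / Standby Ready pair, a failover or state link that is not up, or a monitored interface that is not Normal. The line layout is assumed from the usual ASA show failover format and may vary slightly between software versions.

```python
import re

# Constructed "show failover" excerpt (not captured from a real device); the
# interface names, link names and addresses match the configuration above, and
# one standby interface is deliberately marked Failed to exercise the check.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/6 (up)
Monitored Interfaces 2 of 61 maximum
        This host: Primary - Active
                  Interface outside (192.168.1.1): Normal (Monitored)
                  Interface inside (192.168.2.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (192.168.1.2): Normal (Monitored)
                  Interface inside (192.168.2.2): Failed (Monitored)
Stateful Failover Logical Update Statistics
        Link : statefull GigabitEthernet0/5 (up)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?) \((\w+)\)")
LINK_RE = re.compile(r"^\s*(?:Failover LAN Interface|Link)\s*:\s*(\S+) (\S+) \((\w+)\)")


def check_failover(output):
    """Parse show failover text and return a list of problems (empty means healthy)."""
    problems = []
    states = {}        # "This"/"Other" -> unit state string
    host = "This"      # interface lines belong to the most recent host header
    lines = output.splitlines()
    if not lines or lines[0].strip() != "Failover On":
        problems.append("failover is not enabled (expected 'Failover On')")
    for line in lines:
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            states[host] = m.group(3)
            continue
        m = IFACE_RE.match(line)
        if m:
            name, addr, status, _monitored = m.groups()
            if status != "Normal":
                problems.append(f"{host} host interface {name} ({addr}) is {status}")
            continue
        m = LINK_RE.match(line)
        if m and m.group(3) != "up":
            problems.append(f"link {m.group(1)} on {m.group(2)} is {m.group(3)}")
    # Exactly one unit should be Active and the other Standby Ready, whichever
    # unit currently holds the active role (e.g. after 'failover active').
    if sorted(states.values()) != ["Active", "Standby Ready"]:
        problems.append(f"unexpected unit states: {states}")
    return problems


if __name__ == "__main__":
    for problem in check_failover(SAMPLE_SHOW_FAILOVER):
        print("WARNING:", problem)
```

Feed it the saved output of show failover from each pair (for example from a scheduled SSH collection) and alert on a non-empty result.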
When failover is functioning normally, the output of the show failover command should look similar to this: