Configuring Failover between two Cisco ASAs

I had to set up my first Active/Passive Cisco ASA pair this past week; it turns out it’s a little simpler than the documentation first makes it appear. Here is what you’ll need:

  • Two ASAs with the licensing necessary to enable failover
  • Two IPs on each subnet the pair will be connected to, plus a new subnet for the failover link between the units (this subnet should not be in use anywhere else on the network)
  • A crossover cable

Let’s make some assumptions so we know which IPs we’ll use: our private IP subnet is 192.168.1.x/24, our failover subnet is 172.16.1.x/24, and our WAN subnet is 1.1.1.x/24. Let’s also assume that we’re using interface 0/0 for the WAN, interface 0/1 for the LAN, and interface 0/3 for the failover link.

  1. Bring your first unit online, and assign the first IP on each subnet to the proper interfaces.
  2. Bring your second unit online, and assign the second IP on each subnet to the proper interfaces.
  3. Connect one of the interfaces on the first unit to the same interface on the other unit using the crossover cable, and assign IPs on this interface from the new subnet you created for failover traffic.
  4. Verify that each unit can ping the other on each interface (WAN to WAN, failover to failover, LAN to LAN).
  5. Once you’ve verified that each unit can communicate with the other, it’s time to start entering commands.

With those subnets in mind, let’s assign IPs:

Primary:

  • LAN: 192.168.1.1
  • Failover: 172.16.1.1
  • WAN: 1.1.1.1

Secondary:

  • LAN: 192.168.1.2
  • Failover: 172.16.1.2
  • WAN: 1.1.1.2

So here are the commands that we’re going to enter on our primary unit:

  1. interface Ethernet0/0
  2. ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
  3. interface Ethernet0/1
  4. ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  5. failover lan unit primary
  6. failover lan interface Failover Ethernet0/3
  7. failover link Failover Ethernet0/3
  8. failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
  9. failover

Here are the commands that we’re going to enter on our secondary unit:

  1. interface Ethernet0/0
  2. ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
  3. interface Ethernet0/1
  4. ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  5. failover lan unit secondary
  6. failover lan interface Failover Ethernet0/3
  7. failover link Failover Ethernet0/3
  8. failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
  9. failover
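Before typing the two command sets in, it is worth checking them against the rules this post relies on: both units carry identical interface addressing (the active unit replicates it), the unit roles are exactly primary and secondary, the failover link addresses sit in their own subnet, and that subnet does not overlap the LAN or WAN. The following Python script is an added example, not part of the original post or any Cisco tooling; it parses the post's command lines (constructed here as text, using the same addresses) and reports any inconsistency between the pair.

```python
import ipaddress

# Constructed example configs that follow the post's addressing plan;
# they are illustrative, not captured from a real ASA pair.
PRIMARY_CONFIG = """\
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover link Failover Ethernet0/3
failover interface ip Failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover
"""
# The secondary carries the same addressing; only its unit role differs.
SECONDARY_CONFIG = PRIMARY_CONFIG.replace(
    "failover lan unit primary", "failover lan unit secondary")


def parse_config(text):
    """Extract interface addresses and failover statements from an ASA config
    fragment. Keywords, nameifs and port IDs are lower-cased for comparison."""
    cfg = {"interfaces": {}, "unit": None, "failover_if": None,
           "failover_link": None, "failover_ip": None, "enabled": False}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "interface":
            current = words[1].lower()
        elif key == "ip" and words[1].lower() == "address" and current:
            # ip address <active> <mask> standby <standby>
            cfg["interfaces"][current] = (words[2], words[3], words[5])
        elif key == "failover":
            sub = [w.lower() for w in words[1:]]
            if not sub:                                  # bare "failover" enables it
                cfg["enabled"] = True
            elif sub[:2] == ["lan", "unit"]:
                cfg["unit"] = sub[2]
            elif sub[:2] == ["lan", "interface"]:
                cfg["failover_if"] = (sub[2], sub[3])    # nameif, port
            elif sub[0] == "link":
                cfg["failover_link"] = (sub[1], sub[2] if len(sub) > 2 else None)
            elif sub[:2] == ["interface", "ip"]:
                # failover interface ip <nameif> <ip> <mask> standby <standby>
                cfg["failover_ip"] = (sub[2], sub[3], sub[4], sub[6])
    return cfg


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check_pair(primary, secondary):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if primary["unit"] != "primary":
        problems.append(f"primary unit role is {primary['unit']!r}, expected 'primary'")
    if secondary["unit"] != "secondary":
        problems.append(f"secondary unit role is {secondary['unit']!r}, expected 'secondary'")
    for name, cfg in (("primary", primary), ("secondary", secondary)):
        if not cfg["enabled"]:
            problems.append(f"{name}: 'failover' is not enabled")
    # Replication keeps the units identical, so they must be entered identically.
    for field in ("interfaces", "failover_if", "failover_link", "failover_ip"):
        if primary[field] != secondary[field]:
            problems.append(f"{field} differs between the units")
    if primary["failover_ip"] is None or primary["failover_if"] is None:
        problems.append("failover interface or its addresses are missing")
        return problems
    _, fo_ip, fo_mask, fo_standby = primary["failover_ip"]
    fo_net = _net(fo_ip, fo_mask)
    for ifname, (ip, mask, standby) in primary["interfaces"].items():
        net = _net(ip, mask)
        if ip == standby or ipaddress.ip_address(standby) not in net:
            problems.append(f"{ifname}: standby {standby} is not a distinct address in {net}")
        if net.overlaps(fo_net):      # the failover subnet must be unused elsewhere
            problems.append(f"{ifname}: {net} overlaps the failover subnet {fo_net}")
    for addr in (fo_ip, fo_standby):
        if ipaddress.ip_address(addr) not in fo_net:
            problems.append(f"failover address {addr} is not in {fo_net}")
    return problems


def check_texts(primary_text, secondary_text):
    return check_pair(parse_config(primary_text), parse_config(secondary_text))


if __name__ == "__main__":
    print("post's pair:", check_texts(PRIMARY_CONFIG, SECONDARY_CONFIG) or "no problems")
    # Two mistakes at once: an invalid role keyword on the secondary, and a
    # failover link addressed out of the LAN subnet on both units.
    bad_link = "192.168.1.3 255.255.255.0 standby 192.168.1.4"
    good_link = "172.16.1.1 255.255.255.0 standby 172.16.1.2"
    print("broken pair:", check_texts(
        PRIMARY_CONFIG.replace(good_link, bad_link),
        SECONDARY_CONFIG.replace(good_link, bad_link).replace("unit secondary", "unit standby")))
```

Run it as-is to see the post's pair pass and the deliberately broken pair produce two findings. To check your own configs, paste the relevant lines from each unit into the two strings; the parser only looks at `interface`, `ip address ... standby` and `failover ...` lines, so the rest of a running config can be left in place.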

You can then run “show failover” on each unit to see which is active and which is standby, and whether or not failover is working. You can also continue to connect to either unit using either the primary or secondary IP; they will both display the same hostname since their configs are being replicated, but you can use “show failover” to remind yourself which unit you are on. Finally, you’ll only want to make and save changes from the primary unit; failover will take care of replicating them to the other unit.

Once you’ve verified that everything is working, run a “write mem” on each unit before you start testing.
