
ASA - Active/Standby Failover

23 August 2019 13:41

Goal
Enable active/standby failover on single context ASA

Additional Info
Configuring related interfaces and failover configuration

Explanation

Interface Config

! Configuring the ASA physical interfaces as inside and outside

!
interface GigabitEthernet1/1
 description *** To XPMDCCTPSW03 ***
 nameif inside
 security-level 100
 ip address 172.29.156.46 255.255.255.240 standby 172.29.156.45
!
interface GigabitEthernet1/2
 description *** To XPMDCCTPSW05 ***
 nameif outside
 security-level 0
 ip address 172.29.156.65 255.255.255.240 standby 172.29.156.66

! Shutting down unused interfaces (GigabitEthernet1/3 – 1/6)

interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address


! Configuring Interface GigabitEthernet1/7 as State interface for failover

interface GigabitEthernet1/7
 description STATE Failover Interface

! Configuring Interface GigabitEthernet1/8 as LAN interface for failover

interface GigabitEthernet1/8
 description LAN Failover Interface

! Configuring Interface Management1/1 as management interface

interface Management1/1
 description *** MGT ***
 management-only
 nameif MGMT
 security-level 75
 ip address 10.1.4.119 255.255.255.128

Failover Config

! Enable failover

failover

! Designate this unit as the primary unit

failover lan unit primary

! Specify the interface GigabitEthernet1/8 to be used as the failover link

failover lan interface failover GigabitEthernet1/8

! Change the unit poll and hold times

failover polltime unit msec 500 holdtime 2

Notes:
• The polltime range is between 1 and 15 seconds or between 200 and 999 milliseconds.
• The holdtime range is between 1 and 45 seconds or between 800 and 999 milliseconds.
• If a unit does not hear a hello packet on the failover communication interface for one polling
period, additional testing occurs through the remaining interfaces. If there is still no response
from the peer unit during the hold time, the unit is considered failed and, if the failed unit is
the active unit, the standby unit takes over as the active unit.

! Enable HTTP state replication


failover replication http

Notes:
To allow HTTP connections to be included in the state information replication, you need to enable
HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients
typically retry failed connection attempts, HTTP connections are not automatically included in the
replicated state information.

! Specify the interface GigabitEthernet1/7 to be used as the state link

failover link state GigabitEthernet1/7

! Assign the active and standby IP addresses to the failover link

failover interface ip failover 11.11.11.1 255.255.255.252 standby 11.11.11.2

! Assign the active and standby IP addresses to the state link

failover interface ip state 11.11.11.5 255.255.255.252 standby 11.11.11.6

! Enable or disable health monitoring for an interface

monitor-interface inside
monitor-interface outside
no monitor-interface MGMT
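
Added example, not part of the original note: a Python check that can be run over a saved copy of this configuration before it is pasted into the ASA. It flags standby addresses that fall outside the active address's subnet, unit poll/hold times outside the ranges listed in the notes above, and unused interfaces that were left without shutdown. The function names, the finding texts and the sample (shortened from the note, with two deliberate mistakes) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: a shortened copy of the note's configuration with two
# deliberate mistakes (outside standby address off-subnet, Gi1/6 not shut down).
SAMPLE = """\
interface GigabitEthernet1/2
 nameif outside
 ip address 172.29.156.65 255.255.255.240 standby 172.29.156.82
interface GigabitEthernet1/6
 no nameif
 no ip address
failover polltime unit msec 500 holdtime 2
failover interface ip failover 11.11.11.1 255.255.255.252 standby 11.11.11.2
"""
# Matches "ip address A M standby S" and "failover interface ip NAME A M standby S".
ADDR = re.compile(r"\bip \S+ ([\d.]+) ([\d.]+) standby ([\d.]+)")
POLL = re.compile(r"failover polltime unit (msec )?(\d+) holdtime (msec )?(\d+)")

def in_range(msec, value, sec_range, msec_range):
    lo, hi = msec_range if msec else sec_range
    return lo <= int(value) <= hi

def audit(config):
    """Return a list of findings (hypothetical helper; accepts flat or indented text)."""
    findings, name, blocks = [], None, {}
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface":
            name = words[1]
            blocks[name] = []
        elif words[0] == "failover":
            name = None  # global failover commands: interface blocks are over
        elif name:
            blocks[name].append(line.strip())
        m, p = ADDR.search(line), POLL.search(line)
        if m and (m[3] == m[1] or ipaddress.ip_address(m[3])
                  not in ipaddress.ip_interface(f"{m[1]}/{m[2]}").network):
            findings.append(f"standby {m[3]} is not a separate host in the {m[1]}/{m[2]} subnet")
        # Ranges as stated in the note: 1-15 s / 200-999 ms poll, 1-45 s / 800-999 ms hold.
        if p and not (in_range(p[1], p[2], (1, 15), (200, 999))
                      and in_range(p[3], p[4], (1, 45), (800, 999))):
            findings.append(f"poll/hold time out of range: {line.strip()}")
    # An interface left with "no nameif" is unused and should carry "shutdown".
    findings += [f"{n} is unused but not shut down" for n, c in blocks.items()
                 if "no nameif" in c and "shutdown" not in c]
    return findings
```

An empty list from audit() means none of the three checks fired; it does not replace verifying the pair with show failover after both units are up.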

