Cisco ASA Firewall Active / Standby Failover

The Cisco ASA firewall is often an important device in the network. We use it for (remote access) VPNs, NAT/PAT, filtering and more. Since it’s such an important device it’s a good idea to have a second ASA in case the first one fails.

The ASA supports active/standby failover: one ASA is the active unit and handles all traffic, while the other is the standby unit. The standby unit does not forward traffic; it monitors the active unit through hello messages on the failover link (and on the monitored data interfaces) and takes over only when the active unit fails.

Failover can be stateful, which means the active ASA continuously replicates connection state to the standby ASA over a stateful failover link (this can be the same physical link as the failover link). Replicated state includes the TCP/UDP connection table, the NAT translation table, the ARP table and VPN information (ISAKMP and IPsec SA tables). One exception worth knowing: HTTP connection state is only replicated if you enable it explicitly with the failover replication http command.

When the active ASA fails, the standby ASA takes over the active unit's IP and MAC addresses on the data interfaces. Because it already holds the connection state, existing sessions survive the switchover and your users generally won't notice anything. Without stateful failover, the standby unit still takes over, but all active connections are dropped and have to be re-established.

There are a number of requirements if you want to use failover:

  • Platform has to be the same: for example 2x ASA 5510 or 2x ASA 5520.
  • Hardware must be the same: same number and type of interfaces, and the same amount of flash memory and RAM.
  • Same operating mode: routed or transparent mode, and single or multiple context mode.
  • Same software version (major and minor); a mismatch is only tolerated temporarily during a zero-downtime upgrade.
  • License: number of VPN peers, encryption supported, etc. Before ASA 8.3(1) the two licenses had to be identical; from 8.3(1) onwards the licenses of both units are combined into one failover license, so they no longer need to match exactly.
  • Correct license. Some of the “lower” models require the Security Plus license for failover (the ASA 5510 is an example).

In this lesson we’ll take a look how to configure active/standby failover. Here’s the topology I will use:

[Topology: ASA1 (active) and ASA2 (standby) with a failover link between them]

We have two ASA firewalls, ASA1 and ASA2. ASA1 will be the active firewall and ASA2 will be in standby mode. Their Ethernet 0/0 interfaces are connected to the “INSIDE” security zone, while the Ethernet 0/1 interfaces are connected to the “OUTSIDE” security zone. The Ethernet 0/3 interface in the middle will be used as the failover link to synchronize configuration and connection state. R1 and R2 are only used so we can generate some traffic.

Configuration

We will start with the failover interface on ASA1. Make sure it is not shut down:

ASA1(config)# interface Ethernet 0/3
ASA1(config-if)# no shutdown

Then we designate this ASA as the primary unit. Note that primary/secondary is not the same as active/standby: the primary unit becomes active when both units boot at the same time, and its configuration is the one copied to the peer in that case, but after a switchover the secondary unit can be the active one (and the active unit, whichever it is, replicates its configuration to the standby).

ASA1(config)# failover lan unit primary

Now we will configure Ethernet 0/3 to be the failover interface:
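The rest of the failover configuration, as an added worked example that is not the article's own text (which is cut off here). It assumes addresses for the failover link (10.0.0.1 and 10.0.0.2 on 10.0.0.0/24) and for the ASA's INSIDE and OUTSIDE interfaces (192.168.1.254/.253 and 192.168.2.254/.253); the 192.168.1.0/24 and 192.168.2.0/24 subnets come from the author's forum reply further down, the ASA addresses and the shared key are assumed. The security-relevant line is failover key: without it, the replicated configuration (including credentials) and the replicated connection state cross the failover link in clear text.

```cisco
! ---- ASA1 (primary), continued from the steps above ----
! Name the failover interface and bind it to Ethernet 0/3. The same
! interface is used as the stateful failover link here; a dedicated,
! directly cabled link is preferable where the hardware allows it.
ASA1(config)# failover lan interface FAILOVER Ethernet 0/3
ASA1(config)# failover link FAILOVER Ethernet 0/3
! Assumed addresses for the failover link. The "standby" address is
! the one the peer unit will use.
ASA1(config)# failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Encrypt failover and stateful failover traffic. Without a key,
! configuration replication (including passwords) and connection
! state are sent in clear text. The key value itself is assumed.
ASA1(config)# failover key F41l0v3r-Sh4r3d-S3cr3t
! Data interfaces: the active unit owns the primary IP, the standby
! unit owns the standby IP. Addresses are assumed values on the
! 192.168.1.0/24 (INSIDE) and 192.168.2.0/24 (OUTSIDE) subnets.
ASA1(config)# interface Ethernet 0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface Ethernet 0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
! Enable failover last, once the failover link is up.
ASA1(config)# failover

! ---- ASA2 (secondary): only the failover bootstrap is configured ----
! Interface names, addresses, ACLs, NAT and so on are replicated from
! the primary once failover is enabled (the secondary even takes over
! the primary's hostname). The same key must be configured here.
ASA2(config)# interface Ethernet 0/3
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER Ethernet 0/3
ASA2(config)# failover link FAILOVER Ethernet 0/3
ASA2(config)# failover interface ip FAILOVER 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASA2(config)# failover key F41l0v3r-Sh4r3d-S3cr3t
ASA2(config)# failover

! ---- Checks ----
! Unit role, peer state, interface monitoring status and the stateful
! failover statistics (what is actually being replicated):
ASA1# show failover
ASA1# show failover state
! Confirm a key is configured; the ASA masks it as "failover key *****":
ASA1# show running-config failover
! Force a switchover from the active unit to test the setup (disruptive):
ASA1# no failover active
```

After show failover reports the peer as "Standby Ready", test the switchover with traffic running between R1 and R2 and check show conn on the new active unit; the connections that were replicated should still be there. On ASA 9.1(2) and later, failover ipsec pre-shared-key can be used instead of failover key to protect the failover link with IPsec.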


Forum Replies

  1. Rene

    The setup is like this:
    2 stacked 3850s which are connected to ASAs running active/standby. I have attached 2 inside interfaces via EIGRP and 2 outside interfaces connected by "route outside ******".
    Is there any need for the standby firewall to have physical connections to the switch stack? If so, will they need IPs assigned to them?

    Also, when the standby ASA takes over there are no routes in the routing table?

    Also, I have configured the inside interface on the active ASA with the standby IP of the interface which it's connected to on the switch s

    ... Continue reading in our forum

  2. If ASA1 fails, does ASA2 get interface IP addresses too, as we do not have interface IPs assigned currently on ASA2? What is the role of the secondary IP assigned on the active ASA?

    Thanks!

  3. Hi Rene,

    I’d like to know about ASA clustering and inter-context communication. If I have a chance, please let me know about this configuration and technology, because in some environments clustering is okay.

  4. Hi Art,

    Glad to hear you like it!

    On the inside I’m using 192.168.1.0/24, R1 is on 192.168.1.1. On the outside we have 192.168.2.0/24 with R2 using 192.168.2.2.

    In labs/examples I try to stick to using the number of the router/switch as the IP address.

    This example explains how failover works on the ASA, but for full redundancy you’ll need to add some extra components, yes. The two switches are still single points of failure, and so is R2 on the outside.

    The switch on the outside could be replaced with two switches, perhaps in a stack:

    https://networklessons.com/swi

    ... Continue reading in our forum

  5. Hello Sina

    When configuring the ASAs in active/standby mode, ASA1 is configured fully with IP addresses on all interfaces. When ASA2 is configured, you only configure the commands that allow it to function as the standby device. This means that no outside or inside interfaces are configured and no IP addresses are configured on these interfaces.

    In the configuration of the ASA1 however, you can see the following commands implemented on interface Ethernet 0/1:

    ASA1(config)# interface Ethernet 0/1
    ASA1(config-if)# nameif OUTSIDE
    ASA1(config-if)# ip address 192
    ... Continue reading in our forum
