The following is an example of Cisco ASA Active Standby Failover configuration
Here’s the network topology (click to zoom):
I have the IP addresses assigned on to the host machines and also on the interfaces of the router. Additionally I also have a static route configured on the router to forward traffic to the firewall:
On the firewalls I have nothing configured except for a no shutdown on the interfaces. Notice the hostname of on both the firewalls (there’s something interesting to notice with the hostname’s as we start configuring). The firewall with hostname CERTVIDEOS is the primary firewall and the one with CERTVIDEOS-SEC is the secondary firewall:
Failover can be configured in one of two ways:
First: Start with configuring failover on both the firewalls and then the rest of the configuration on the primary firewall. This would cause all configuration to be replicated as you configure.
Second: Complete the configuration on one firewall and then configure failover, causing all the previous configuration to be replicated between both firewalls.
Failover configuration on primary firewall:
CERTVIDEOS(config)# failover lan unit primary
CERTVIDEOS(config)# failover lan interface FOLINK GigabitEthernet1
CERTVIDEOS(config)# failover interface ip FOLINK 192.168.2.2 255.255.255.0 standby 192.168.2.3
CERTVIDEOS(config)# failover key certvideos.com
FOLINK is the name of the failover interface (GigabitEthernet 1). You can name it anything.
Failover configuration on secondary firewall:
CERTVIDEOS-SEC(config)# failover lan unit secondary
CERTVIDEOS-SEC(config)# failover lan interface FOLINK GigabitEthernet1
CERTVIDEOS-SEC(config)# failover interface ip FOLINK 192.168.2.2 255.255.255.0 standby 192.168.2.3
CERTVIDEOS-SEC(config)# failover key certvideos.com
The failover configuration on the secondary firewall is exactly same as that on the primary one.
Once the configuration on the secondary firewall is completed with the failover command, failover would be active on both the firewalls. This can be verified using the show failover command.
Notice the hostname change to CERTVIDEOS on the secondary firewall. This is because of configuration replication from the primary to secondary firewall. So, how do we differentiate the primary firewall from the secondary?
The command to do this is prompt hostname priority state. And the prompt changes as below to indicate the hostname, priority and state of the firewall.
Use the write memory command to save the configuration on the active firewall and the write standby command to replicate the configuration to the standby firewall.
The write standby command would cause the prompt to change on the standby firewall as well:
Now we can begin with the rest of the configuration including the interface configuration. Since failover is already configured, any configuration on the active firewall would automatically get replicated.
Lastly stateful failover can be configured on the active firewall as below:
CERTVIDEOS/pri/act(config)# failover link SFLINK GigabitEthernet2
CERTVIDEOS/pri/act(config)# failover interface ip SFLINK 192.168.3.2 255.255.255.0 standby 192.168.3.3
SFLINK is the name of the stateful failover interface (GigabitEthernet 2). You can name it anything.
Use write memory and write standby to save configuration’s and check stateful failover status using show failover
Use the command, failover replication http to replicate http connections as part of stateful failover.
Download running configuration of all devices