Sysadmin > CiscoFirewall > ASAConfigExamples > AsaTmplFailover
Changes | Index | Search
Tags(edit)

Templates for failover configurations

steps for failover setup

both 

interface GigabitEthernet0/3
 no shutdown
 description LAN/STATE Failover Interface

primary 

no failover
failover lan unit primary
failover lan interface failover-link GigabitEthernet0/3
failover polltime unit msec 300 holdtime 1
failover key 3EdUhI6zHnJi7O
failover replication http
failover link failover-link GigabitEthernet0/3
failover interface ip failover-link 192.168.4.1 255.255.255.252 standby 192.168.4.2

and now the second hardware as secondary: 

no failover
failover lan unit secondary
failover lan interface failover-link GigabitEthernet0/3
failover polltime unit msec 300 holdtime 1
failover key 3EdUhI6zHnJi7O
failover replication http
failover link failover-link GigabitEthernet0/3
failover interface ip failover-link 192.168.4.1 255.255.255.252 standby 192.168.4.2

both (activate failover) 

failover
Output 
#
        State check detected an Active mate
Beginning configuration replication from mate.

WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.

WARNING: Failover Detected - Please remember to reboot both devices in the failover set. This can be done with zero downtime by rebooting one at a time.

INFO: Interface MTU should be increased to avoid fragmenting
      jumbo frames during transmit

End configuration replication from mate.

and now on primary 

interface Management0/0
nameif management
security-level 100
ip address 134.34.20.126 255.255.252.0 standby 134.34.20.127

check the failover setup 

# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac set

Template for different failover setups

One interface 

failover
failover lan unit primary
failover lan interface failover-link TenGigabitEthernet5/1
failover polltime unit 1 holdtime 3
failover key AgyHj96zHn8iYO
failover replication http
failover link failover-link TenGigabitEthernet5/1
failover interface ip failover-link 192.168.8.1 255.255.255.252 standby 192.168.8.2

seperated failover lan and state 

failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

seperated state and redundant failover lan (redundant interface). You need a switch/hub between all four physical interfaces! 

interface redundant 1
member-interface gigabitethernet 0/0
member-interface gigabitethernet 0/1
show interface redundant1 detail

failover
failover lan unit primary
failover lan interface failover redundant1
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

seperated state and redundant failover lan (etherchannel) 

...

Failover test

In a failover test we disconnected

  1. failover state (10GE)
  2. first failover lan etherchannel (1GE)
  3. second failover lan etherchannel (1GE not any failover link anymore)

The ASAs keep their active/standby-state as long as the other interfaces can still communicate
Edit | Attach | More topic actions
Copyright © Creative Commons License