Tuesday, January 24, 2012

Cisco ASA 5505 Failover

The ASA 5505 with the Security Plus license supports LAN-based failover (Active/Standby).

You need:

- two ASA 5505 with Security Plus license

- one crossover cable

 

In our configuration we use:

- ethernet 0/5 for the failover link

- ethernet 0/1 for the internal LAN

- ethernet 0/3 for the outside (Internet) link

 

Configure the primary ASA:

 

ciscoasa# conf t

ciscoasa(config)# hostname ASA5505-1

ASA5505-1(config)# interface vlan 221

ASA5505-1(config-if)# description LAN Failover

ASA5505-1(config-if)# no shutdown 

 

ASA5505-1(config)# failover 

ASA5505-1(config)# failover lan unit primary 

ASA5505-1(config)# failover lan interface failover Vlan221

ASA5505-1(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2

 

ASA5505-1(config)# int Vlan 80

ASA5505-1(config-if)# ip address 10.80.10.1 255.255.255.0 standby 10.80.10.2

ASA5505-1(config-if)# nameif TDMZ

ASA5505-1(config-if)# no shutdown 

 

ASA5505-1(config)# int vlan 99

ASA5505-1(config-if)# ip address 10.10.20.253 255.255.255.0 standby 10.10.20.254

ASA5505-1(config-if)# nameif Outside

ASA5505-1(config-if)# security-level 100

ASA5505-1(config-if)# no shutdown 

 

ASA5505-1(config)# interface ethernet 0/3

ASA5505-1(config-if)# switchport access vlan 99

ASA5505-1(config-if)# description Outside

ASA5505-1(config-if)# no shutdown 

 

ASA5505-1(config-if)# interface ethernet 0/1   

ASA5505-1(config-if)# description TDMZ      

ASA5505-1(config-if)# switchport access vlan 80

ASA5505-1(config-if)# no shutdown 

 

ASA5505-1(config-if)# interface ethernet 0/5   

ASA5505-1(config-if)# description Failover     

ASA5505-1(config-if)# switchport access vlan 221

ASA5505-1(config-if)# no shutdown 

ASA5505-1# write memory

 

 

Configure the secondary ASA:

 

ciscoasa(config)# hostname ASA5505-2

ASA5505-2(config)# int vlan 221

ASA5505-2(config-if)# description LAN Failover

ASA5505-2(config-if)# no shutdown 

 

ASA5505-2(config-if)# failover 

ASA5505-2(config)# failover lan unit secondary 

ASA5505-2(config)# failover lan interface failover Vlan221

ASA5505-2(config)# failover interface ip failover 10.221.10.1 255.255.255.0 standby 10.221.10.2

 

ASA5505-2(config)# interface ethernet 0/5

ASA5505-2(config-if)# description Failover

ASA5505-2(config-if)# switchport access vlan 221

ASA5505-2(config-if)# no shutdown 

ASA5505-2(config-if)# write memory

 

 

After failover comes up, the secondary ASA receives its configuration from the primary, and because the hostname is part of that replicated configuration the secondary's hostname changes to ASA5505-1.

Check failover:

 

ASA5505-1# show failover

Failover On

Failover unit Primary

Failover LAN Interface: failover Vlan221 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 3 of 23 maximum

Version: Ours 8.4(3), Mate 8.4(3)

Last Failover at: 18:52:25 UTC Jan 24 2012

        This host: Primary - Active

                Active time: 1022 (sec)

                slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)

                  Interface TDMZ (10.80.10.1): Normal (Monitored)

                  Interface Outside (10.10.20.253): Normal (Monitored)

                slot 1: empty

        Other host: Secondary - Standby Ready

                Active time: 0 (sec)

                slot 0: ASA5505 hw/sw rev (1.0/8.4(3)) status (Up Sys)

                  Interface TDMZ (10.80.10.2): Normal (Monitored)

                  Interface Outside (10.10.20.254): Normal (Monitored)

                slot 1: empty
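As an added example (not from the original post), here is a Python health check over the show failover output above, the kind of thing a monitoring job would run on CLI output captured from either unit. It flags what that output lets you verify: failover enabled, the failover LAN link up, matching software on both units, exactly one Active and one Standby Ready unit, and every monitored interface Normal. The sample text is the post's output re-typed as a fixture, cut to the lines the check reads.

```python
import re

# Constructed fixture: the post's 'show failover' output, cut to the lines read here.
SAMPLE = """\
Failover On
Failover LAN Interface: failover Vlan221 (up)
Version: Ours 8.4(3), Mate 8.4(3)
        This host: Primary - Active
                  Interface TDMZ (10.80.10.1): Normal (Monitored)
                  Interface Outside (10.10.20.253): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface TDMZ (10.80.10.2): Normal (Monitored)
                  Interface Outside (10.10.20.254): Normal (Monitored)
"""
HOST_RE = re.compile(r"^\s*(?:This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): ([^(]+)")


def parse_failover(text):
    """Extract the fields a health check needs from 'show failover' text."""
    lan = re.search(r"Failover LAN Interface: .*\((\w+)\)", text)
    ver = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    info = {"on": bool(re.search(r"^\s*Failover On\b", text, re.M)),
            "lan_up": bool(lan) and lan.group(1) == "up",
            "versions": ver.groups() if ver else (None, None),
            "hosts": {}, "ifaces": {}}      # both keyed by Primary / Secondary
    unit = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):        # e.g. "Secondary - Standby Ready"
            unit, state = m.groups()
            info["hosts"][unit], info["ifaces"][unit] = state, {}
        elif (m := IFACE_RE.match(line)) and unit:
            info["ifaces"][unit][m.group(1)] = m.group(2).strip()  # "Normal"
    return info


def failover_problems(text):
    """Return findings for a monitoring alert; an empty list means healthy."""
    f = parse_failover(text)
    checks = [
        (f["on"], "failover is not enabled"),
        (f["lan_up"], "failover LAN interface is down"),
        (f["versions"][0] == f["versions"][1],
         "software mismatch: ours %s, mate %s" % f["versions"]),
        (sorted(f["hosts"].values()) == ["Active", "Standby Ready"],  # one of each
         "unit states %s are not one Active plus one Standby Ready" % f["hosts"]),
    ]
    out = [msg for ok, msg in checks if not ok]
    for unit, ifaces in f["ifaces"].items():
        out += [f"{unit} interface {n} is {s}" for n, s in ifaces.items() if s != "Normal"]
    return out
```

Feed it the raw text of show failover from a scheduled SSH poll and alert on a non-empty list; a unit stuck in Failed or an interface that is no longer Normal shows up as a named finding rather than as a silent loss of redundancy.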

2 comments:

kincycln said...

Thanks for the post!! It saved a lot of time on LAN-based failover on the 5505 series.

Fletcher said...

This post was so easy to follow, much better than what Cisco provides. Thank you!