Configure Cisco Active/Standby Failover

This is very simple to configure, but in a production environment secure a maintenance window, take a configuration backup and verify the patch level on both units beforehand. The following steps are involved:

1. Setup failover interface on Primary ASA

Execute the following commands to bring up port 0/3, which will become the failover LAN interface of the primary unit. This is the link between the primary and secondary firewalls that carries everything the secondary unit needs to take over in case of failure, including the session (state) table. Because configuration and state cross this link in cleartext unless a failover key is configured, it should be a dedicated, directly connected link rather than a shared network.

enable
 config t
 interface gigabitEthernet 0/3
 description LAN Failover Interface
 no shutdown

2. Configure the failover link (named LANFAIL) and its IP addresses on the primary ASA

failover lan unit primary
 failover lan interface LANFAIL gigabitethernet 0/3
 failover link LANFAIL gigabitethernet 0/3
 failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2

3. Assign the outside (external) IP address and its standby address on the primary ASA

config t
 interface gigabitEthernet 0/0
 ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 exit

4. Assign the inside (internal) IP address and its standby address on the primary ASA, then enable failover and interface monitoring

interface gigabitEthernet 0/1
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
exit
failover
monitor-interface MGT
monitor-interface DMZ

Secondary Firewall
==================

failover lan unit secondary
 failover lan interface LANFAIL gigabitethernet 0/3
 failover link LANFAIL gigabitethernet 0/3
 failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 failover
 interface gigabitEthernet 0/3
 no shutdown
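Before the change window, the address pairs entered above can be sanity-checked offline. The script below is an added example, not part of the original post; it parses the commands (embedded here as constructed strings) and flags a standby address outside the subnet of its active address, a failover interface ip line that differs between the two units, or a failover-link subnet that overlaps a data interface.

```python
import ipaddress
import re

# Constructed input: the commands from the post, pasted as two strings.
PRIMARY_CFG = """
failover lan unit primary
failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
interface gigabitEthernet 0/0
 ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
interface gigabitEthernet 0/1
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
"""
SECONDARY_CFG = """
failover lan unit secondary
failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$", re.M)
FO_IP_RE = re.compile(r"^\s*failover interface ip (\S+) (\S+) (\S+) standby (\S+)\s*$", re.M)

def validate(primary_cfg, secondary_cfg):
    """Cross-check the two snippets before the change window; returns a list of problems."""
    problems = []
    p_fo, s_fo = FO_IP_RE.findall(primary_cfg), FO_IP_RE.findall(secondary_cfg)
    # The same 'failover interface ip' line must be entered on both units.
    if len(p_fo) != 1 or p_fo != s_fo:
        problems.append("'failover interface ip' must appear once and be identical on both units")
    pairs = [(f"failover link {n}", a, m, s) for n, a, m, s in p_fo]
    pairs += [(f"interface {a}", a, m, s) for a, m, s in ADDR_RE.findall(primary_cfg)]
    nets = []
    for label, active, mask, standby in pairs:
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        a, s = ipaddress.ip_address(active), ipaddress.ip_address(standby)
        if a == s:
            problems.append(f"{label}: active and standby addresses are identical")
        if s not in net:
            problems.append(f"{label}: standby {standby} is outside {net}")
        if {a, s} & {net.network_address, net.broadcast_address}:
            problems.append(f"{label}: network or broadcast address of {net} used as a host")
        nets.append((label, net))
    # The failover link needs its own subnet; overlap with a data interface is a misconfiguration.
    for i, (l1, n1) in enumerate(nets):
        for l2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{l1} ({n1}) overlaps {l2} ({n2})")
    return problems

if __name__ == "__main__":
    print(validate(PRIMARY_CFG, SECONDARY_CFG) or "no problems found")
```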

Don't forget to work out a back-out plan as well; it is always good to write it down beforehand.

BACKOUT

1. On the primary firewall:
enable
 config t
 interface gigabitEthernet 0/3
 shutdown
 !
 no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 no failover link LANFAIL gigabitethernet 0/3
 no failover lan interface LANFAIL gigabitethernet 0/3
 no failover lan unit primary
 !
 interface gigabitEthernet 0/0
 no ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 ip address 10.141.144.228 255.255.255.248
 !
 interface gigabitEthernet 0/1
 no ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ip address 192.168.1.2 255.255.255.0
 !
 no failover
 no monitor-interface MGT
 no monitor-interface DMZ

2. On the secondary firewall:

 no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 no failover link LANFAIL gigabitethernet 0/3
 no failover lan interface LANFAIL gigabitethernet 0/3
 no failover lan unit secondary

interface gigabitEthernet 0/3
 shutdown
 no failover