This blog will cover setting up two Cisco ASA firewalls in Active/Standby failover, so that if one firewall suffers a power issue or hardware failure, the standby firewall waits a set amount of time before taking over from the failed device and resuming traffic as if nothing happened. With stateful failover the standby unit can resume IPsec sessions, NAT xlates, TCP and UDP connections, ARP entries and so on. From version 8.4 routing information is also replicated.
The first thing to know is that you only need to fully configure one firewall. My recommendation is to get one firewall fully functional with all the configuration it needs; the secondary firewall then only needs a few commands before it takes an entire copy of the primary firewall’s configuration and becomes the standby unit.
Before we begin, let’s take a look at the diagram. I used GNS3, but if you do this in real life you would use crossover cables between the failover interfaces. The diagram shows the LAN switch as a single point of failure, but that is not the point of this blog; in a real core design you would have more than one switch.
We will just use the basic config of the firewall. In my setup I have an IPsec tunnel between my ASA and R3, which I used to confirm that IPsec tunnel failover was working as expected.
You will need to decide beforehand which address space you will use for your failover interfaces, and each standby IP must be another usable IP within the same subnet as the corresponding primary IP.
On ASA 1, use a console or SSH session and enter the following commands. Be sure to use “no shutdown” on any interfaces you decide to use.
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
failover lan interface lan_fail1 gig3
failover interface ip lan_fail1 10.2.2.1 255.255.255.252 standby 10.2.2.2
!
failover link stateful_fail2 gig2
failover interface ip stateful_fail2 10.1.1.1 255.255.255.252 standby 10.1.1.2
!
failover key cisco123
!
failover lan unit primary
!
failover replication http
!
prompt hostname priority state
!
failover
Once that is complete you can configure the secondary firewall. You can use the command “clear config all” on the secondary firewall to clear all configuration before you enter the commands below. This is the absolute minimum you need to get the secondary firewall up and running; again, be sure to use “no shutdown” on any interfaces you need.
interface gig3
no shutdown
!
failover lan interface lan_fail1 gig3
failover interface ip lan_fail1 10.2.2.1 255.255.255.252 standby 10.2.2.2
!
failover key cisco123
!
failover lan unit secondary
!
failover
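Before pasting the two blocks above into real units, it is worth checking them against the two rules the post relies on: every standby address must be a different usable host in the same subnet as its active address, and the failover LAN interface, its addresses and the failover key must be identical on both units while one unit is primary and the other secondary. The following script is an added example, not the author's code; it works on constructed copies of the primary and secondary blocks and assumes nothing about the ASA beyond the command syntax shown in the post.

```python
import ipaddress
import re

# Constructed sample configs, modelled on the primary and secondary blocks
# in the post (not the author's running-config).
PRIMARY_CONFIG = """\
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
failover lan interface lan_fail1 gig3
failover interface ip lan_fail1 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover link stateful_fail2 gig2
failover interface ip stateful_fail2 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco123
failover lan unit primary
failover
"""

SECONDARY_CONFIG = """\
interface gig3
 no shutdown
failover lan interface lan_fail1 gig3
failover interface ip lan_fail1 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover key cisco123
failover lan unit secondary
failover
"""

# 'ip address <active> <mask> standby <standby>' inside an interface block
IP_RE = re.compile(r"^ip address (\S+) (\S+) standby (\S+)$")
# 'failover interface ip <name> <active> <mask> standby <standby>'
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def check_standby_addresses(config):
    """Return problems with standby addresses: each standby address must be
    a different, usable host in the same subnet as its active address."""
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        m = IP_RE.match(line) or FO_IP_RE.match(line)
        if not m:
            continue
        groups = m.groups()
        name = groups[0] if len(groups) == 4 else "interface"
        active, mask, standby = groups[-3], groups[-2], groups[-1]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        sb = ipaddress.ip_address(standby)
        if sb == ipaddress.ip_address(active):
            problems.append(f"{name}: standby {standby} equals the active address")
        elif sb not in net:
            problems.append(f"{name}: standby {standby} is not in {net}")
        elif sb in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: standby {standby} is not a usable host in {net}")
    return problems


def _failover_settings(config):
    """Collect the failover lines that must agree between the two units."""
    settings = {"interface_ip": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("failover lan interface "):
            settings["lan"] = line
        elif line.startswith("failover key "):
            settings["key"] = line.split(None, 2)[2]
        elif line.startswith("failover lan unit "):
            settings["unit"] = line.split()[-1]
        else:
            m = FO_IP_RE.match(line)
            if m:
                settings["interface_ip"][m.group(1)] = m.groups()[1:]
    return settings


def check_failover_pair(primary, secondary):
    """Return problems that would stop the two units from pairing: the failover
    LAN interface, its addresses and the failover key must match, and exactly
    one unit must be primary and one secondary."""
    p, s = _failover_settings(primary), _failover_settings(secondary)
    problems = []
    if not p.get("lan") or p.get("lan") != s.get("lan"):
        problems.append("failover lan interface lines missing or differ")
    else:
        lan_name = p["lan"].split()[3]  # 'failover lan interface <name> <phys>'
        if p["interface_ip"].get(lan_name) != s["interface_ip"].get(lan_name):
            problems.append(f"failover interface ip for {lan_name} differs")
    if p.get("key") != s.get("key"):
        problems.append("failover keys differ")
    if {p.get("unit"), s.get("unit")} != {"primary", "secondary"}:
        problems.append("units are not exactly one primary and one secondary")
    return problems


if __name__ == "__main__":
    print(check_standby_addresses(PRIMARY_CONFIG) or "standby addresses OK")
    print(check_failover_pair(PRIMARY_CONFIG, SECONDARY_CONFIG) or "pair settings OK")
```

Run it against the blocks as written and both checks come back empty; change the failover key on one side, or type a standby address that lands in the wrong subnet or on the /30 broadcast address, and the offending line is reported before it reaches a firewall.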
After you enter the commands you will see the message “Detected an Active mate”, which confirms the two firewalls can see each other. The firewalls will then synchronise their configurations: the primary ASA sends its configuration over to the secondary. You will notice the prompt changes to ASA1/sec/stby#; this is why we used the command “prompt hostname priority state”, so we can be sure which firewall is which.
The primary firewall prompt will be ASA1/pri/act#.
After this point you only need to make changes on the primary unit; any configuration change and “write memory” you do on the primary is also replicated to the standby unit.
The command “show failover” will provide you with all the information you need to troubleshoot or to confirm your configuration is working as expected.
To fail over manually, use the command “no failover active” on the active firewall, or “failover active” on the standby. Note that when the primary unit recovers from a failure it does not automatically take back the active role.
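Because the primary does not take the active role back on its own, a pair can quietly run with no standby for weeks after a single failure. The check below, an added example and not the author's code, parses a constructed copy of “show failover” output (laid out like the ASA's, but not captured from the lab in the post) and reports the conditions worth alerting on: failover off, no Active unit, no unit in Standby Ready, or a monitored interface that is not Normal. The unit and interface state strings are the ones the ASA prints; the sample values are made up.

```python
import re

# Constructed 'show failover' output in the layout the ASA prints for an
# Active/Standby pair; not captured from the author's lab.
SHOW_FAILOVER_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: lan_fail1 GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 10:12:34 UTC Mar 1 2013
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (172.16.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (172.16.1.2): Normal (Monitored)
"""

# The same pair after the secondary lost its outside link: traffic still
# flows through the primary, but there is no standby to fail over to.
SHOW_FAILOVER_DEGRADED = SHOW_FAILOVER_HEALTHY.replace(
    "Secondary - Standby Ready", "Secondary - Failed"
).replace(
    "Interface outside (172.16.1.2): Normal (Monitored)",
    "Interface outside (172.16.1.2): Failed (Waiting)",
)

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?) \(([^)]+)\)\s*$")


def parse_show_failover(text):
    """Parse the unit states and per-interface states out of 'show failover'."""
    result = {"failover_on": False, "hosts": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover_on"] = True
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # "This" or "Other"
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            # interface name -> (status, monitoring state)
            result["hosts"][current]["interfaces"][m.group(1)] = (m.group(3), m.group(4))
    return result


def failover_problems(text):
    """Return the list of conditions a monitoring check should alert on."""
    st = parse_show_failover(text)
    problems = []
    if not st["failover_on"]:
        problems.append("failover is off")
    states = [h["state"] for h in st["hosts"].values()]
    if "Active" not in states:
        problems.append("no unit is Active")
    if "Standby Ready" not in states:
        problems.append("no unit is Standby Ready (redundancy lost)")
    for who, host in st["hosts"].items():
        for name, (status, monitor) in host["interfaces"].items():
            if status != "Normal":
                problems.append(f"{who} host ({host['unit']}): interface {name} is {status}")
            elif monitor == "Waiting":
                problems.append(f"{who} host ({host['unit']}): interface {name} still waiting for the mate")
    return problems


if __name__ == "__main__":
    for label, output in (("healthy", SHOW_FAILOVER_HEALTHY), ("degraded", SHOW_FAILOVER_DEGRADED)):
        print(label, failover_problems(output) or "OK")
```

Feed it the real output collected over SSH on a schedule and page on a non-empty list; the degraded sample produces two findings, the lost standby and the failed outside interface on the secondary, which is exactly the state that would otherwise go unnoticed until the primary also fails.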
You can have the ASA alert you when a failover has taken place by setting up email alerts.
logging enable
logging mail critical
logging from-address asa1@yourdomain.com
logging recipient-address rh@mydomain.com
smtp-server x.x.x.x
This was one of my favourite blogs to write because with the Cisco ASA everything just “works”.
RH.