Options
enabling active/passive failover on the 5505
Young Grasshopper
Member Posts: 51 ■■□□□□□□□□
hi,
would someone mind posting a sample configs of what active/standy failover would look like on a asa 5505 on both devices? im looking at cisco guides however the commands on these seem to be for the 5510s and up. 5505s are a little different.
thanks
would someone mind posting a sample configs of what active/standy failover would look like on a asa 5505 on both devices? im looking at cisco guides however the commands on these seem to be for the 5510s and up. 5505s are a little different.
thanks
Comments
-
Options
mikej412
Member Posts: 10,086 ■■■■■■■■■■
You need a Security Plus license which lets you have 20 VLAN interfaces, including a VLAN interface for failover and VLAN interface as an ISP backup (in routed mode).
Then the Configuring LAN-Based Active/Standby Failover Cisco Security Appliance Command Line Configuration Guide should work.
There may be a diagram and better example in the LAN-Based Active/Standby Failover Configuration section of the PIX/ASA 7.x Active/Standby Failover Configuration Example Document.:mike: Cisco Certifications -- Collect the Entire Set! -
Optionsredwarrior
Member Posts: 285
We just set this up recently and it works like a charm. A couple of the things I learned at work setting this up:
1. If you are running an AIP module on your ASA, you may need to upgrade to a stable version and have a match on both ASA's modules so that you are running the same software in order to keep failover working. In our case, having a different version of an unstable OS on both the primary and secondary ASA's IPS (AIP) module caused us to need to upgrade because they kept losing communication and the failover would no longer work.
2. If you make changes to your ASA after you have configured failover, be sure to make them on the primary ASA, otherwise they will not synch. This is also why you want to bring the primary ASA back up and fail back to it asap.
3. Configuration changes to modules within the ASA such as IPS modules, do not synch! You will need to duplicate your changes on the secondary ASA to make sure that it is ready to go.
4. Keep in mind that when failover occurs, whatever ASA is active takes on the active IP address and the inactive ASA takes on the other IP address when it comes back up. This can be confusing when they swap addresses and you aren't quite sure which ASA you are really in. The show failover command will help you see which is which.
Overall, I was impressed by how easy it was to configure, though, and how little network disruption you see when failover occurs.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog