Linux Sysadmin Blog


Cisco ASA 5505: Active/Standby Failover Configuration

February 17th, 2009 · 13 Comments · cisco, CLI, Security

The ASA 5505 is the smallest (and cheapest) of the current Cisco hardware security appliances. Still, with the proper software license (Security Plus, for example) we can use the ASA5505 to set up rather complex solutions. This post shows how to set up a pair of ASA5505s in a failover configuration, a solution that can be very useful in a small office where we want high availability and cannot tolerate a failure of our frontend firewall.

Prerequisites

Before even starting, let’s check that our ASA5505s are running the appropriate software license. For example, the sh ver command will output something like this:
sh ver
...
Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2
This platform has an ASA 5505 Security Plus license.

Look at the Failover feature: it should read “Active/Standby”. If it reads Disabled, you will have to order and install a software license upgrade from Cisco before you can use the ASAs in failover.

Cisco (as always) has very complex documentation on how to achieve this. Still, it is hard to digest, as they try to cover all possible devices on the same page (even the obsolete PIX 500); moreover, the ASA5505 has some particularities compared with the rest of the ASA 5500 range, and these are not very clearly explained. Hopefully this post will be more useful and simpler to follow.

First we need to understand some limitations of our devices. The ASA5505 can only perform Active/Standby failover, not Active/Active; if you need that, you will have to look at a higher-range device. It can also only perform LAN-based failover (as opposed to the old PIXes, which can use cable-based failover), and it does not support stateful failover (meaning all active connections will be lost after a failover event). Finally, both units must have the same hardware, software configuration and license, and must run in the same mode (single or multiple context, transparent or routed).

Configuring the Primary Unit

For each IP assigned to an interface of the ASA we need to allocate a secondary IP from the same network range; this will be used as the IP of the standby unit, while the main IPs will always be used by the primary (active) unit and are what clients normally use (as default gateways, for example). The first step is to configure the active and standby IP addresses for each data interface; the Cisco documentation is confusing here, and it is not clear that on the ASA5505 this is done for each of the VLANs in use, not for the physical interfaces:
conf t
(config)#interface Vlan1
(config-if)#ip address active_addr netmask standby standby_addr

for example:
(config-if)#ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2

Once we have defined all standby IPs we can move forward.
You will also need to define one interface that will be used for failover. You can either cross-connect this between the two ASAs or use a switch with a dedicated VLAN for it. The latter is preferred, as it will more accurately detect whether one ASA is down. Again, the documentation is not clear on how to do this on the ASA5505: it talks about physical interfaces, while on the ASA5505 we have to use VLANs.

The trick is to create a new VLAN and not assign any IP on the VLAN interface:
interface Vlan32
description LAN Failover Interface
no shutdown

The IP will be assigned by the failover commands. Finally, enable failover:
failover
failover lan unit primary
failover lan interface failover Vlan32
failover interface ip failover 192.168.255.1 255.255.255.0 standby 192.168.255.2

(where you will use an unused IP range for the failover IPs).

Save the running config: copy running-config startup-config

Configuring the Secondary Unit

The configuration of the secondary (standby) unit is very simple, as it needs only the failover interface configuration. The secondary unit requires these commands to initially communicate with the primary unit and get its configuration from the active unit.

As with the main ASA, we first have to define the VLAN that will be used for failover:
interface Vlan32
description LAN Failover Interface
no shutdown

And next we just have to enable failover and set this unit as secondary:
failover
failover lan unit secondary
failover lan interface failover Vlan32
failover interface ip failover 192.168.255.1 255.255.255.0 standby 192.168.255.2

After this, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the active unit console.
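As an added example (not from the original post), a small Python helper that encodes the rules above: standby IPs must be distinct hosts in the same range as the active ones, the failover VLAN and its IP range must be separate from the data interfaces, and the secondary unit receives only the failover commands. The function name plan_failover and its argument layout are assumptions of this example; the emitted CLI is the one shown in this post.

```python
import ipaddress

def plan_failover(interfaces, failover_vlan, failover_pair):
    """Build the CLI for both units of an ASA5505 Active/Standby pair (example helper).
    interfaces: {"Vlan1": (active_ip, mask, standby_ip)}; failover_pair: (primary_ip, mask, standby_ip).
    Raises ValueError on the mistakes the post warns about."""
    data_nets = []
    for vlan, (active, mask, standby) in interfaces.items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        # standby address must be a different host in the same range as the active one
        if active == standby or ipaddress.ip_address(standby) not in net:
            raise ValueError(f"{vlan}: standby {standby} is not a distinct host in {net}")
        data_nets.append(net)
    fo_active, fo_mask, fo_standby = failover_pair
    fo_net = ipaddress.ip_network(f"{fo_active}/{fo_mask}", strict=False)
    if fo_active == fo_standby or ipaddress.ip_address(fo_standby) not in fo_net:
        raise ValueError("failover standby IP is not a distinct host in the failover subnet")
    # the failover link gets its own range; it must not collide with any data subnet or VLAN
    if any(fo_net.overlaps(n) for n in data_nets) or failover_vlan in interfaces:
        raise ValueError("failover VLAN/subnet must be separate from the data interfaces")

    def failover_cmds(role):
        # the failover VLAN carries no 'ip address' line; the failover commands assign it
        return [
            f"interface {failover_vlan}",
            " description LAN Failover Interface",
            " no shutdown",
            "failover",
            f"failover lan unit {role}",
            f"failover lan interface failover {failover_vlan}",
            f"failover interface ip failover {fo_active} {fo_mask} standby {fo_standby}",
        ]

    primary = []
    for vlan, (active, mask, standby) in interfaces.items():
        primary += [f"interface {vlan}", f" ip address {active} {mask} standby {standby}"]
    primary += failover_cmds("primary")
    # the secondary needs only the failover commands; the rest is replicated from the active unit
    secondary = failover_cmds("secondary")
    return primary, secondary

if __name__ == "__main__":
    pri, sec = plan_failover({"Vlan1": ("192.168.0.1", "255.255.255.0", "192.168.0.2")},
                             "Vlan32", ("192.168.255.1", "255.255.255.0", "192.168.255.2"))
    print("\n".join(pri + ["!--- secondary ---"] + sec))
```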

Verifying the Failover Configuration

The show failover command shows the status of the failover operation; the output on the active device will look similar to:
sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan32 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 02:28:31 CST Jan 23 2009
This host: Primary - Active
Active time: 2166923 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
Interface inside (10.10.10.1): Normal
Interface outside (192.168.0.1): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 378 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
Interface inside (10.10.10.2): Normal
Interface outside (192.168.0.2): Normal
slot 1: empty
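As an added example that is not part of the original post, a Python parser for the show failover output above that turns it into a health verdict a monitoring job can act on: failover on, matching software versions, one Active and one Standby Ready unit, and every monitored interface Normal. The sample is trimmed from the post's own output; the function names are this example's own.

```python
import re

# Trimmed from the 'show failover' output quoted in the post above
SAMPLE_FAILOVER = """\
Failover On
Failover LAN Interface: failover Vlan32 (up)
Version: Ours 8.0(4), Mate 8.0(4)
This host: Primary - Active
Interface inside (10.10.10.1): Normal
Interface outside (192.168.0.1): Normal
Other host: Secondary - Standby Ready
Interface inside (10.10.10.2): Normal
Interface outside (192.168.0.2): Normal
"""

def parse_failover(text):
    """Return a dict with failover state, both software versions and each host's unit state/interfaces."""
    state = {"on": False, "lan_if_up": False, "ours": None, "mate": None, "hosts": {}}
    host = None  # "this" or "other": interface lines belong to the most recent host header
    for line in (l.strip() for l in text.splitlines()):
        if line == "Failover On":
            state["on"] = True
        elif m := re.match(r"Failover LAN Interface: \S+ \S+ \((\w+)\)", line):
            state["lan_if_up"] = m.group(1) == "up"
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            state["ours"], state["mate"] = m.groups()
        elif m := re.match(r"(This|Other) host: (\w+) - (.+)", line):
            host = m.group(1).lower()
            state["hosts"][host] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
        elif (m := re.match(r"Interface (\S+) \(([\d.]+)\): (\w+)", line)) and host:
            # keep only the first word of the status: "Normal", "Failed", "Unknown", ...
            state["hosts"][host]["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return state

def failover_problems(state):
    """List the reasons a pair is not healthy; an empty list means it is ready to fail over."""
    problems = []
    if not state["on"] or not state["lan_if_up"]:
        problems.append("failover is off or its LAN interface is not up")
    if state["ours"] != state["mate"]:
        problems.append(f"software mismatch: ours {state['ours']}, mate {state['mate']}")
    # exactly one Active and one Standby Ready unit, whichever side we are looking from
    if sorted(h["state"] for h in state["hosts"].values()) != ["Active", "Standby Ready"]:
        problems.append("units are not in Active / Standby Ready")
    for who, h in state["hosts"].items():
        for name, (ip, status) in h["interfaces"].items():
            if status != "Normal":
                problems.append(f"{who} host interface {name} ({ip}) is {status}")
    return problems
```

Running failover_problems(parse_failover(output)) against the real device output on a schedule, and alerting on a non-empty list, catches a mate that silently dropped out of Standby Ready before a failover event exposes it.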

Finally, you will probably want to test the failover functionality and maybe tune the failover triggers, but we may cover this in a future post.
I hope you found this post useful and that it explained more clearly the steps needed to configure Active/Standby failover on the ASA5505.

About Marius

Marius Ducea has written 32 articles on this blog.


13 Comments

  • slocoach

    What version software are you running? I have the same Security Plus license, but my inside hosts are limited to 10.

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : 10
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 25
    WebVPN Peers : 2
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Advanced Endpoint Assessment : Disabled

    This platform has an ASA 5505 Security Plus license.

  • marius

    @ slocoach: see above in the post. we are running 8.0(4) that was the latest version at the time of writing this post. If I remember correctly we had a regular license, and then upgraded to ‘Unlimited hosts’ and later we got the security plus license. hth.

  • Sathya

    Very well described, thanks for the post.

  • Søren Jensen

    Yes, nice – and working – description. Easy to follow

  • ferris

    It’s very useful.
    Thanks very much….

  • vince

    I don’t understand what you mean by:

    “You can either cross-connect this between the 2 ASAs or you can use a switch with a dedicated vlan for this. The later one is preferred as it will more accurately detect if one ASA is down”

    How is the VLAN method preferred? What if the switch that the VLAN is connected to fails? I would think the cross over cable would give the ‘truest’ indication of a firewall failure

  • jm

    hi
    what is the failover time. I.E. when the primary unit fails, how long before the standby becomes active and takes over. I assume state is passed between the units
    thanks

  • Richard

    Thanks for you time to write this down for us.
    I read the Cisco document over and over but couldn`t get it right. Works like a charm now!!

  • Robin

    Hi,

    I am currently running 8.2 IOS with both ASA 5505 in Transparent mode.

    sh run
    : Saved
    :
    ASA Version 8.2(1)
    !
    firewall transparent
    hostname pro-asa-02
    domain-name tmi-cms.local
    enable password 5REOWXSNDmF7qN69 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan2
    no nameif
    no security-level
    !
    interface Vlan5
    nameif outside
    security-level 0
    !
    interface Vlan40
    nameif inside
    security-level 100

    When I am trying to add the “Failover” it is showing error as follows.

    pro-asa-02(config)# failover lan interface Vlan2
    ERROR: Legacy syntax is only supported for configure conversion.
    Usage: [no] failover
    [no] failover polltime [unit] [msec] [holdtime [msec] ]
    [no] failover polltime interface [msec] [holdtime ]
    [no] failover replication http
    [no] failover lan unit primary|secondary
    [no] failover interface ip standby
    [no] failover interface-policy [%]
    [no] failover key |{hex }
    [no] failover lan interface [.]
    [no] failover link [[.]]
    [no] failover mac address
    [no] failover timeout
    [no] failover active
    failover reset
    failover reload-standby
    show failover [history|interface|state|statistics]
    show running-config failover
    clear configure failover
    clear failover statistics

    It is saying to add the But I don’t have an interface name for failover “Vlan2”. Since it is a transparent firewall, it is not allowing me to add more than 2 “nameif” or interface names.

    Please help me to resolve this issue.
    Thanks in advance.

  • Kupa

    This is an excellent document and easy to follow. I configured my 2 ASAs running version 8.3; however, when I do the show failover command, the other host, which is primary on standby ready,

    Shows
    inside interface (0.0.0.0), normal
    Outside interface (0.0.0.0) , normal

    Why is it not showing the specific addresses?

  • Cipher

    Great work, thanks !
