Comments on: Cisco ASA 5505: Active/Standby Failover Configuration

By: Al

Al — Wed, 29 Feb 2012 20:13:45 +0000

Assignment of the a physical interface to the failover vlan is missing

!
interface Vlan32
description LAN Failover Interface
no shutdown
!
interface e0/0
switchport access vlan 32
no shut
!

By: Pete

Pete — Sat, 11 Feb 2012 12:03:45 +0000

Nice work – but one thing that isn’t described in here is the assignment of the vlan to an ethernet port or any switch configuration that is recommended such as stp, no channel group and no trunk.

By: Cipher

Cipher — Sat, 14 Jan 2012 16:19:05 +0000

Great work, thanks !

By: Kupa

Kupa — Sun, 01 Jan 2012 09:07:18 +0000

This is an excellent document and easy to follow. I configured my 2 ASA running version 8.3 however when i do Show failover command, the other host which is primary on standby ready

Shows
inside interface (0.0.0.0), normal
Outside interface (0.0.0.0) , normal

Why is it not showing the specific addresses?

By: Firewall: Configuring Active/Standby failover using ASA5505 pair. « The Network Journal

Sun, 01 May 2011 18:27:45 +0000

[...] http://linuxsysadminblog.com/2009/02/cisco-asa-5505-activestandby-failover-configuration/ [...]

By: Robin

Robin — Mon, 14 Mar 2011 17:17:09 +0000

Hi,

I am currently running 8.2 IOS with bith ASA 5505 in Transparent mode.

sh run
: Saved
:
ASA Version 8.2(1)
!
firewall transparent
hostname pro-asa-02
domain-name tmi-cms.local
enable password 5REOWXSNDmF7qN69 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
no nameif
no security-level
!
interface Vlan5
nameif outside
security-level 0
!
interface Vlan40
nameif inside
security-level 100

When I am trying to add the “Failover” it is showing error as follows.

pro-asa-02(config)# failover lan interface Vlan2
ERROR: Legacy syntax is only supported for configure conversion.
Usage: [no] failover
[no] failover polltime [unit] [msec] [holdtime [msec] ]
[no] failover polltime interface [msec] [holdtime ]
[no] failover replication http
[no] failover lan unit primary|secondary
[no] failover interface ip standby
[no] failover interface-policy [%]
[no] failover key |{hex }
[no] failover lan interface [.]
[no] failover link [[.]]
[no] failover mac address
[no] failover timeout
[no] failover active
failover reset
failover reload-standby
show failover [history|interface|state|statistics]
show running-config failover
clear configure failover
clear failover statistics

It is saying to add the But I don’t have Interface name for failover “Vlan2″. Since it is a transparent firewall, it is not allowing me to add more than 2 “nameif” or Interface Name to add.

Please help me to resolve this issue.
Thanks in advance.

By: MMJP » Cisco ASA 5505: Active/Standby Failover Configuration

MMJP » Cisco ASA 5505: Active/Standby Failover Configuration — Tue, 22 Feb 2011 14:08:22 +0000

[...] Cisco ASA 5505: Active/Standby Failover Configuration [...]

By: Richard

Richard — Thu, 29 Apr 2010 11:14:47 +0000

Thanks for you time to write this down for us.
I read the Cisco document over and over but couldn`t get it right. Works like a charm now!!

By: jm

jm — Sun, 14 Feb 2010 09:18:41 +0000

hi
what is the failover time. I.E. when the primary unit fails, how long before the standby becomes active and takes over. I assume state is passed between the units
thanks

By: vince

vince — Mon, 07 Dec 2009 21:20:16 +0000

I don’t understand what you mean by:

“You can either cross-connect this between the 2 ASAs or you can use a switch with a dedicated vlan for this. The later one is preferred as it will more accurately detect if one ASA is down”

How is the VLAN method preferred? What if the switch that the VLAN is connected to fails? I would think the cross over cable would give the ‘truest’ indication of a firewall failure