Cisco ASA Active/Active Failover
Cisco ASA Active/Active failover requires two identical Cisco ASA appliances talking to each other through a dedicated failover link and a dedicated stateful link (these can be the same interface).
With Active/Active failover both appliances carry traffic. The appliances must run in multiple context mode: security contexts and failover groups are created, each context joins a failover group, and each failover group is given a preferred unit (the Primary or the Secondary ASA appliance).
Example configuration parameters:
ASA1 and ASA2 are the firewall names used below. Make sure the interfaces used for the failover and stateful links are in an up state.
Failover:
ASA1: Primary
ASA2: Secondary
Lan Interface: GigabitEthernet0/3
Primary-Standby IP: 192.168.200.1/24 – 192.168.200.2/24
Name: LAN
Link Interface: GigabitEthernet0/4
Primary-Standby IP: 192.168.201.1/24 – 192.168.201.2/24
Name: Link-STATE
Failover Group 1: Primary
Failover Group 2: Secondary
Contexts:
Name: admin
Allocate Interface: Management 0/0
Configuration URL: admin.cfg
Make sure both of the appliances are in multiple context mode before you start (switching modes reloads the appliance):
mode multiple
Let’s get to the configuration starting with ASA1, the primary appliance.
!failover configuration for primary
!
failover lan unit primary
!set interface gig0/3 for the failover interface
failover lan interface LAN gig0/3
!set interface gig0/4 for the stateful failover interface
failover link Link-STATE gig0/4
!set the failover interface IP
failover interface ip LAN 192.168.200.1 255.255.255.0 standby 192.168.200.2
!set the stateful interface IP
failover interface ip Link-STATE 192.168.201.1 255.255.255.0 standby 192.168.201.2
!
!Create the failover groups, group 1 will be for the primary, group 2 will be for the secondary
!
failover group 1
primary
preempt
failover group 2
secondary
preempt
!
!Configure the admin context
!
admin-context admin
context admin
allocate-interface management0/0
config-url admin.cfg
!
!Now let's configure the sub-interfaces so we can allocate them to the other contexts
!
interface gig0/0.1
vlan 20
no shut
!
interface gig0/0.2
vlan 30
no shut
!
interface gig0/2.1
vlan 40
no shut
!
interface gig0/2.2
vlan 50
no shut
!
!Now create the contexts and allocate the interfaces
!
context c1
allocate-interface gig0/0.1 inside-c1
allocate-interface gig0/0.2 outside-c1
config-url c1.cfg
!
context c2
allocate-interface gig0/2.1 inside-c2
allocate-interface gig0/2.2 outside-c2
config-url c2.cfg
!
!Configure IP addresses on the different interfaces
!
changeto context admin
interface management0/0
nameif Management
security-level 100
ip address 10.100.10.20 255.255.255.0 standby 10.100.10.21
no shut
!
changeto context c1
interface inside-c1
nameif inside
security-level 100
ip address 10.200.1.1 255.255.255.0 standby 10.200.1.2
no shut
interface outside-c1
nameif outside
security-level 0
ip address 10.150.1.1 255.255.255.0 standby 10.150.1.2
no shut
!
!While we’re here, let’s set all these interfaces to be monitored
!
monitor-interface inside
monitor-interface outside
!
changeto context c2
interface inside-c2
nameif inside
security-level 100
ip address 10.120.5.1 255.255.255.0 standby 10.120.5.2
no shut
interface outside-c2
nameif outside
security-level 0
ip address 10.155.1.1 255.255.255.0 standby 10.155.1.2
no shut
!
!While we’re here, let’s set all these interfaces to be monitored
!
monitor-interface inside
monitor-interface outside
!
!Now let’s prep ASA2, the secondary
!
failover lan unit secondary
failover lan interface LAN gig0/3
failover link Link-STATE gig0/4
failover interface ip LAN 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip Link-STATE 192.168.201.1 255.255.255.0 standby 192.168.201.2
!
!Now we join the contexts to the failover groups we want; if we don't do this they will all end up in group 1 by default. We do this on ASA1 since that's where the contexts were defined
!
context c1
join-failover-group 1
exit
!
context c2
join-failover-group 2
exit
!
!Finally, we can kick off failover
!
failover
!
!Now on ASA2
!
failover
Verification (run on either unit; it lists both units, the state of each failover group and which interfaces are monitored):
show failover
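Hand-typed multi-context configs go wrong in quiet ways: a mapped interface name used in a context that was never allocated to it, a context that never joined a group and so silently lands in group 1, a failover command mistyped on the secondary, or a monitored interface with no standby address. The checker below is an added example written for this page, not Cisco tooling; it parses a constructed sample of the system-space and context configuration (mirroring the walkthrough above, with two slips planted on purpose) and reports those four classes of mismatch before `failover` is enabled.

```python
"""Consistency checks for an ASA Active/Active pair before enabling failover.

Added example for this walkthrough (not Cisco tooling). The config text is a
constructed sample that mirrors the steps above, with deliberate mistakes.
"""
from collections import defaultdict

# Constructed sample of ASA1's config: c1 never joins a group, c1 uses
# 'outside-c1' without allocating it, and outside-c1 lacks a standby IP.
PRIMARY = """
failover lan unit primary
failover lan interface LAN gig0/3
failover link Link-STATE gig0/4
failover interface ip LAN 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip Link-STATE 192.168.201.1 255.255.255.0 standby 192.168.201.2
failover group 1
 primary
failover group 2
 secondary
admin-context admin
context admin
 allocate-interface management0/0
context c1
 allocate-interface gig0/0.1 inside-c1
 allocate-interface gig0/0.2 outside-c2
context c2
 allocate-interface gig0/2.1 inside-c2
 allocate-interface gig0/2.2 outside-c2
 join-failover-group 2
changeto context c1
interface inside-c1
 ip address 10.200.1.1 255.255.255.0 standby 10.200.1.2
interface outside-c1
 ip address 10.150.1.1 255.255.255.0
changeto context c2
interface inside-c2
 ip address 10.120.5.1 255.255.255.0 standby 10.120.5.2
interface outside-c2
 ip address 10.155.1.1 255.255.255.0 standby 10.155.1.2
"""

# Constructed sample of ASA2's config: the 'link' keyword is missing.
SECONDARY = """
failover lan unit secondary
failover lan interface LAN gig0/3
failover Link-STATE gig0/4
failover interface ip LAN 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip Link-STATE 192.168.201.1 255.255.255.0 standby 192.168.201.2
"""


def parse_system(cfg):
    """Return (failover_lines, contexts).

    contexts maps name -> {'alloc': mapped names allocated to it,
    'group': joined failover group or None, 'ifaces': {name: has_standby}}.
    """
    failover = []
    contexts = defaultdict(lambda: {"alloc": set(), "group": None, "ifaces": {}})
    defining = running = iface = None          # which context we are in
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank or ASA comment
            continue
        w = line.split()
        if w[0] == "failover":
            if len(w) > 1 and w[1] != "group":  # keep link/IP/role commands
                failover.append(line)
        elif w[:2] == ["changeto", "context"]:  # now configuring inside a context
            running, defining, iface = w[2], None, None
        elif w[0] == "context":                 # defining a context in system space
            defining, running, iface = w[1], None, None
        elif w[0] == "allocate-interface" and defining:
            # mapped name is optional; without it the physical name is used
            contexts[defining]["alloc"].add(w[2] if len(w) > 2 else w[1])
        elif w[0] == "join-failover-group" and defining:
            contexts[defining]["group"] = int(w[1])
        elif w[0] in ("interface", "int") and running:
            iface = w[1]
            contexts[running]["ifaces"][iface] = False
        elif w[:2] == ["ip", "address"] and running and iface:
            contexts[running]["ifaces"][iface] = "standby" in w
    return failover, contexts


def audit(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    p_fo, contexts = parse_system(primary_cfg)
    s_fo, _ = parse_system(secondary_cfg)
    # 1. The secondary must carry the primary's failover link/IP lines verbatim;
    #    only the 'failover lan unit' role line is expected to differ.
    p_shared = {l for l in p_fo if not l.startswith("failover lan unit")}
    s_shared = {l for l in s_fo if not l.startswith("failover lan unit")}
    for line in sorted(p_shared - s_shared):
        findings.append(f"secondary is missing or mistyped: '{line}'")
    for line in sorted(s_shared - p_shared):
        findings.append(f"secondary has a line the primary lacks: '{line}'")
    if "failover lan unit primary" not in p_fo or "failover lan unit secondary" not in s_fo:
        findings.append("unit roles are not one primary and one secondary")
    for name, ctx in contexts.items():
        # 2. Admin always sits in group 1; every other context should join
        #    explicitly, or it defaults to group 1 and both groups pile onto ASA1.
        if name != "admin" and ctx["group"] is None:
            findings.append(f"context {name} has no join-failover-group (defaults to group 1)")
        for iface, has_standby in ctx["ifaces"].items():
            # 3. A context can only configure names allocated to it.
            if iface not in ctx["alloc"]:
                findings.append(f"context {name} configures '{iface}' but it was never allocated")
            # 4. Monitored data interfaces need a standby address on the other unit.
            if not has_standby:
                findings.append(f"context {name} interface '{iface}' has no standby IP")
    return findings


if __name__ == "__main__":
    for finding in audit(PRIMARY, SECONDARY):
        print("FINDING:", finding)
```

Run it as-is and it reports five findings against the planted mistakes; correct the sample and it returns an empty list. The parser understands only the handful of commands this walkthrough uses (it treats `int` and `interface` alike and reads the optional mapped name of `allocate-interface`), so extend it before pointing it at a full running-config.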