1. Overview
It is strongly recommended to implement Cisco ASA firewall clustering, such as active/active or active/standby, in a production environment to achieve high availability of critical services.
This article explains how to configure high availability using active/standby (failover) mode between two Cisco ASA firewalls running IOS version 9.x.
2. Prerequisites
In this article, it is presumed that:
a. You have two Cisco ASA firewall hardware appliances of the same model, with the same number and types of interfaces and the same amount of RAM.
b. You have direct console access to both ASA firewalls.
4. Network Diagram
We will set up active/standby failover on the Cisco ASA firewalls using the following diagram. If the primary unit fails, the secondary unit becomes active automatically without any downtime.
The following is the IP address plan used in the diagram above.
                 | Primary Unit       | Secondary Unit
Port             | Gi0/2              | Gi0/2
Interface Name   | outside            | outside
P2P Public IP    | 117.111.111.1/29   | 117.111.111.2/29
Port             | Gi0/1              | Gi0/1
Interface Name   | inside             | inside
P2P Private IP   | 10.0.0.1/24        | 10.0.0.2/24
Failover Port    | Gi0/0              | Gi0/0
Failover IP      | 172.16.0.1/30      | 172.16.0.2/30
5. Configure Primary Unit
First, we need to bring up interface Gi0/0, which will be used for LAN failover, and make this firewall the primary unit of the failover pair.
# config t
# int g0/0
no sh
# failover lan unit primary
Next, we need to assign the failover interface, name it "FAIL-LAN", and set its failover IP addresses. This interface, Gi0/0 in our case, will be used to replicate the configuration between the primary unit and the secondary unit. Because the same interface is also assigned as the failover link (the failover link command), it carries the stateful connection-state replication as well.
# failover lan int FAIL-LAN g0/0
# failover link FAIL-LAN
# failover int ip FAIL-LAN 172.16.0.1 255.255.255.252 standby 172.16.0.2
Now, we need to configure the IP address for the outside interface, together with the standby IP address that will be used by the secondary unit.
# int g0/2
nameif outside
ip address 117.111.111.1 255.255.255.248 standby 117.111.111.2
no sh
Next, we need to configure the IP address for the inside interface. We also need to set the standby IP address that will be used by the secondary unit.
# int g0/1
nameif inside
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
no sh
Finally, we need to enable failover by executing the following command.
# failover
6. Configure Secondary Unit
On the secondary unit, we need to bring up interface Gi0/0, which will be used for LAN failover, and make this firewall the secondary unit of the failover pair.
# int g0/0
no sh
# failover lan unit secondary
Then we just need to execute the following few commands; the rest of the configuration will be replicated automatically from the primary unit.
# failover lan int FAIL-LAN g0/0
# failover link FAIL-LAN
# failover int ip FAIL-LAN 172.16.0.1 255.255.255.252 standby 172.16.0.2
# failover
You should see log messages like the following on the console after executing the commands above.
Detected an Active mate
Beginning configuration replication from mate.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.
7. Verify the Configuration
We can use the following command to verify the failover configuration on a Cisco ASA firewall. Below is the command output on the primary unit.
# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAIL-LAN GigabitEthernet0/0 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(1)203, Mate 9.4(1)203
Last Failover at: 15:13:54 UTC Jun 10 2017
This host: Primary - Active
Active time: 1143 (sec)
slot 0: empty
Interface outside (117.111.111.1): Normal (Monitored)
Interface inside (10.0.0.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (117.111.111.2): Normal (Monitored)
Interface inside (10.0.0.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : FAIL-LAN GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 57 0 56 0
sys cmd 56 0 56 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 57
Xmit Q: 0 29 341
Below is the command output on the secondary unit.
# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL-LAN GigabitEthernet0/0 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(1)203, Mate 9.4(1)203
Last Failover at: 15:07:04 UTC Jun 10 2017
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: empty
Interface inside (10.0.0.2): Normal (Monitored)
Interface outside (117.111.111.2): Normal (Monitored)
Other host: Primary - Active
Active time: 1333 (sec)
Interface inside (10.0.0.1): Normal (Monitored)
Interface outside (117.111.111.1): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : FAIL-LAN GigabitEthernet0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 82 0 83 0
sys cmd 82 0 82 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 468
Xmit Q: 0 1 82
If you do not want to read such a long output, you can use the following command instead. Below is the output from the primary unit.
# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             15:14:13 UTC Jun 10 2017
====Configuration State===
        Sync Done
====Communication State===
        Mac set
====VM Properties Compatibility===
vCPUs - This host: 1
        Other host: 1
Memory - This host: 2048 Mhz
        Other host: 2048 Mhz
Interfaces - This host: 5
        Other host: 5
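To turn the verification step above into a repeatable health check, here is an added example (not part of the original article) that parses the "show failover" output format shown in this section and reports anything other than one Active unit, one Standby Ready unit, a software version matching the mate, and every monitored interface in Normal state. The sample text is constructed from the primary unit's listing above; output saved from a real console session is parsed the same way.

```python
import re
# Constructed sample, abridged from the primary unit's "show failover" listing on this page
SAMPLE = """\
Failover On
Version: Ours 9.4(1)203, Mate 9.4(1)203
This host: Primary - Active
        Interface outside (117.111.111.1): Normal (Monitored)
        Interface inside (10.0.0.1): Normal (Monitored)
Other host: Secondary - Standby Ready
        Interface outside (117.111.111.2): Normal (Monitored)
        Interface inside (10.0.0.2): Normal (Monitored)
"""

def parse_show_failover(text):
    # Extract only the fields of "show failover" that the health check needs
    info = {"failover_on": False, "version_match": None,
            "this": None, "other": None, "interfaces": {"this": {}, "other": {}}}
    current = None  # which unit the indented "Interface ..." lines belong to
    for line in text.splitlines():
        s = line.strip()
        if s == "Failover On":
            info["failover_on"] = True
        elif s.startswith("Version:"):
            m = re.match(r"Version: Ours (\S+), Mate (\S+)", s)
            info["version_match"] = bool(m) and m.group(1) == m.group(2)
        elif s.startswith(("This host:", "Other host:")):
            current = "this" if s.startswith("This") else "other"
            info[current] = s.split(":", 1)[1].strip()  # e.g. "Primary - Active"
        elif current and s.startswith("Interface "):
            m = re.match(r"Interface (\S+) \(([^)]+)\): (\S+) \((\w+)\)", s)
            if m:  # name -> (status, monitoring), e.g. outside -> ("Normal", "Monitored")
                info["interfaces"][current][m.group(1)] = (m.group(3), m.group(4))
    return info

def failover_problems(info):
    # Empty list means a healthy active/standby pair; each entry is one finding
    problems = []
    if not info["failover_on"]:
        problems.append("failover is not enabled")
    if info["version_match"] is False:
        problems.append("software version differs from mate")
    states = [s for s in (info["this"], info["other"]) if s]
    if not (any(s.endswith("- Active") for s in states)
            and any(s.endswith("- Standby Ready") for s in states)):
        problems.append(f"expected one Active and one Standby Ready unit, got {states}")
    for unit, ifaces in info["interfaces"].items():
        for name, (status, mon) in ifaces.items():
            if status != "Normal" or mon != "Monitored":
                problems.append(f"{unit} host interface {name}: {status} ({mon})")
    return problems
```

Running failover_problems(parse_show_failover(SAMPLE)) on the healthy sample returns an empty list; a standby reported as Failed, a mismatched mate version, or an interface that is not Normal (Monitored) each produce one finding.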
8. Setup Additional Configuration
For security reasons, you should also configure a failover key; without one, the configuration and connection state replicated over the failover link are sent in clear text. Execute the following command on the primary unit. You don't need to execute it again on the secondary unit, since the configuration will sync to the secondary unit automatically.
# failover key Hi@K1y
9. Conclusion
You should now be able to configure high availability using active/standby (failover) mode between two Cisco ASA firewalls running IOS version 9.x. Hopefully you find this document informative. If you have any questions or suggestions, you can always leave a comment below. I will do my best to review and reply to them.