SlideShare a Scribd company logo

How to configure hot failover cisco asa 5510, 5500 series firewalls

Download as DOCX, PDF
IT Tech
IT Tech

How to configure hot failover cisco asa 5510, 5500 series firewalls. More details...

Internet
1 of 3
How to Configure Hot Failover-Cisco ASA 5510 and ASA 5500 Series-ActiveStandby? In this article, the author told the detailed info of Cisco asa 5505, 5500 failover configuration from primary to standby. What we need to pay attention? Let’s start. Two Cisco ASAs have identical hardware specs. From "Show version" compare the licenses installed. Licenses must match on both ASAs. If you are running ASA IOS 8.3 and above, licenses don't need to match. Before upgrading to 8.3 (in case you want to but you don't have to), study well! Access Lists and NAT are different so you need to do manual clean up and re-configuration. Also 8.3 needs 1G of memory. After failover is configured, configuration from primary will replicate to standby. Note that Important: If you have AnyConnect or VPN images loaded on the primary, you need to copy them into the secondary because again that will not replicate - only configuration will replicate. Connect the two ASAs through a cat5 cable for fail-over link (Heartbeat). You could use the Management interface management0/0 for that. Pick a network and IP address for that interface like 192.168.150.1. The standby will have 192.168.150.2 Primary ASA: For each interface with IP address and mask pick an ip address for the standby from the same network. For instance for inside network with IP address 192.168.99.1 255.255.255.0, pick an ip address for the standby like 192.168.99.2 (no mask needed) and configure that interface: ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2 Do the same thing for all other interfaces that you are going to use like the Outside and DMZ. Make sure they are in "no shutdown". Interfaces need to be on different networks. For management interface, do a no shutdown. Make sure interface has no interface name "no nameif". Don't configure ip address for it. Type the following commands ASA(config)# failover lan unit primary ASA(config)# failover lan interface failover Management0/0 When you type this command the ASA will say "INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces" and it will give a description to that interface as "description LAN Failover Interface" ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2
ASA(config)# failover link failover Management0/0 If you do show running-config you will see that the description of interface Management 0/0 has changed to "description LAN/STATE Failover Interface". ASA(config)# failover replication http ASA(config)# Failover Secondary/Standby ASA: Connect all interfaces to the respective network (at least the inside interface to the inside network and outside interface to the outside network. The Management 0/0 interfaces on both ASAs are connected together through a cross-over cable). Connect to the ASA through a consol. Go to all interfaces that you are going to use (just like the Primary ASA) and do a no shutdown. Don't forget the Management Interface that we are going to use as a failover interface - Make sure interface has no interface name "no nameif". ASA configuration including IP addresses will replicate from the Primary ASA when replication starts. Following is the minimum configuration that you need to do on the standby. No more! Type the following: ASA(config)# failover lan interface failover Management0/0 ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2 (this is the same exact command you typed on the Primary). ASA(config)# failover link failover Management0/0 ASA(config)# failover lan unit secondary ASA(config)# failover replication http ASA(config)# failover (This is the last command that you need to do and as soon as you do that the replication of configuration will start) You will see messages similar to the following: "Detected an Active mate Beginning configuration replication from mate.... Jul 12 2013 23:37:14: %ASA-6-720037: (VPN-Secondary) HA progression callback: id =3,seq=200,grp=0,event=101,op=15,my=Sync Config,peer=Active. Jul 12 2013 23:37:14: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_CONFIG, my state Sync Config, peer state Active. Jul 12 2013 23:37:14: %ASA-1-709006: (Secondary) End Configuration Replication (STB)"
Gie some time for replication to finish before you proceed with the following After that, go back to the primary ASA (not standby) and save config on it and that will save it on both ASAs: ASA#Wr mem You can use the following two commands to see the state of failover ASA# show failover ASA# show failover state Down the road, if standy configuration is out of sync with the Active asa, go to standby and do: conf t no failover failover Last resort if configures are not matching, on the Active/primary ASA: Wr standby [make sure you read more about "wr standby" this before you do it] More Cisco ASA Topics: How to Configure Cisco ASA Failover into Active/Standby Mode? Cisco ASA Failover, Failover Modes & ASA Failover Configuration Cisco ASA IPS Module Configuration How to Configure New ASA 5510 in Transparent Mode? Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software Cisco ASA SNMP Polling Via VPN Site-to-Site Tunnel Create IPv6 LAN-to-LAN VPN Tunnel on Cisco ASAs

Recommended

Study Notes BGP Exam
Study Notes BGP ExamStudy Notes BGP Exam
Study Notes BGP ExamDuane Bodle
 
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...IT Tech
 
Configuring the cisco switch with the cli based setup program
Configuring the cisco switch with the cli based setup programConfiguring the cisco switch with the cli based setup program
Configuring the cisco switch with the cli based setup program3Anetwork com
 
如何建立IPSEC VPN
如何建立IPSEC VPN如何建立IPSEC VPN
如何建立IPSEC VPNsharetech
 
Cisco 1921 vs. cisco 1941 vs. cisco 1941 w
Cisco 1921 vs. cisco 1941 vs. cisco 1941 wCisco 1921 vs. cisco 1941 vs. cisco 1941 w
Cisco 1921 vs. cisco 1941 vs. cisco 1941 wIT Tech
 
Juniper SA Overview
Juniper SA OverviewJuniper SA Overview
Juniper SA OverviewDaniel Rohan
 
300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP RoutingSara Rock
 
BGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkBGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkIT Tech
 

Recommended

Study Notes BGP Exam
Study Notes BGP ExamStudy Notes BGP Exam
Study Notes BGP ExamDuane Bodle
 
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...
Cisco asa 5500 x series migration options-asa 5555-x, asa 5525-x & asa 55...IT Tech
 
Configuring the cisco switch with the cli based setup program
Configuring the cisco switch with the cli based setup programConfiguring the cisco switch with the cli based setup program
Configuring the cisco switch with the cli based setup program3Anetwork com
 
如何建立IPSEC VPN
如何建立IPSEC VPN如何建立IPSEC VPN
如何建立IPSEC VPNsharetech
 
Cisco 1921 vs. cisco 1941 vs. cisco 1941 w
Cisco 1921 vs. cisco 1941 vs. cisco 1941 wCisco 1921 vs. cisco 1941 vs. cisco 1941 w
Cisco 1921 vs. cisco 1941 vs. cisco 1941 wIT Tech
 
Juniper SA Overview
Juniper SA OverviewJuniper SA Overview
Juniper SA OverviewDaniel Rohan
 
300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP RoutingSara Rock
 
BGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkBGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkIT Tech
 
Network protocols
Network protocolsNetwork protocols
Network protocolsIT Tech
 
How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?Pankaj Rane
 
Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3IT Tech
 
The feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 modelsThe feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 modelsIT Tech
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersIT Tech
 
Nagios
NagiosNagios
Nagioscharlielefebvre14
 
Ordering guide for cisco isr g2
Ordering guide for cisco isr g2Ordering guide for cisco isr g2
Ordering guide for cisco isr g2IT Tech
 
5. mrtg in nagios1 0
5. mrtg in nagios1 05. mrtg in nagios1 0
5. mrtg in nagios1 0aqpjuan
 
Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 

More Related Content

Viewers also liked

Network protocols
Network protocolsNetwork protocols
Network protocolsIT Tech
 
How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?Pankaj Rane
 
Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3IT Tech
 
The feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 modelsThe feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 modelsIT Tech
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersIT Tech
 
Ordering guide for cisco isr g2
Ordering guide for cisco isr g2Ordering guide for cisco isr g2
Ordering guide for cisco isr g2IT Tech
 
5. mrtg in nagios1 0
5. mrtg in nagios1 05. mrtg in nagios1 0
5. mrtg in nagios1 0aqpjuan
 

Viewers also liked (8)

Network protocols
Network protocolsNetwork protocols
Network protocols
 
How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?How to configure Nagios in Fedora ?
How to configure Nagios in Fedora ?
 
Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3Cisco switch selector layer2 or layer3
Cisco switch selector layer2 or layer3
 
The feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 modelsThe feature licenses available for main cisco asa 5500 models
The feature licenses available for main cisco asa 5500 models
 
How to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routersHow to configure flexible netflow export on cisco routers
How to configure flexible netflow export on cisco routers
 
Nagios
NagiosNagios
Nagios
 
Ordering guide for cisco isr g2
Ordering guide for cisco isr g2Ordering guide for cisco isr g2
Ordering guide for cisco isr g2
 
5. mrtg in nagios1 0
5. mrtg in nagios1 05. mrtg in nagios1 0
5. mrtg in nagios1 0
 

More from IT Tech

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesIT Tech
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesIT Tech
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration exampleIT Tech
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700IT Tech
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration optionsIT Tech
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement modelIT Tech
 

More from IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Recently uploaded

在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 

Recently uploaded (20)

在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 

How to configure hot failover cisco asa 5510, 5500 series firewalls

  • 1. How to Configure Hot Failover-Cisco ASA 5510 and ASA 5500 Series-ActiveStandby? In this article, the author told the detailed info of Cisco asa 5505, 5500 failover configuration from primary to standby. What we need to pay attention? Let’s start. Two Cisco ASAs have identical hardware specs. From "Show version" compare the licenses installed. Licenses must match on both ASAs. If you are running ASA IOS 8.3 and above, licenses don't need to match. Before upgrading to 8.3 (in case you want to but you don't have to), study well! Access Lists and NAT are different so you need to do manual clean up and re-configuration. Also 8.3 needs 1G of memory. After failover is configured, configuration from primary will replicate to standby. Note that Important: If you have AnyConnect or VPN images loaded on the primary, you need to copy them into the secondary because again that will not replicate - only configuration will replicate. Connect the two ASAs through a cat5 cable for fail-over link (Heartbeat). You could use the Management interface management0/0 for that. Pick a network and IP address for that interface like 192.168.150.1. The standby will have 192.168.150.2 Primary ASA: For each interface with IP address and mask pick an ip address for the standby from the same network. For instance for inside network with IP address 192.168.99.1 255.255.255.0, pick an ip address for the standby like 192.168.99.2 (no mask needed) and configure that interface: ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2 Do the same thing for all other interfaces that you are going to use like the Outside and DMZ. Make sure they are in "no shutdown". Interfaces need to be on different networks. For management interface, do a no shutdown. Make sure interface has no interface name "no nameif". Don't configure ip address for it. Type the following commands ASA(config)# failover lan unit primary ASA(config)# failover lan interface failover Management0/0 When you type this command the ASA will say "INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces" and it will give a description to that interface as "description LAN Failover Interface" ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2
  • 2. ASA(config)# failover link failover Management0/0 If you do show running-config you will see that the description of interface Management 0/0 has changed to "description LAN/STATE Failover Interface". ASA(config)# failover replication http ASA(config)# Failover Secondary/Standby ASA: Connect all interfaces to the respective network (at least the inside interface to the inside network and outside interface to the outside network. The Management 0/0 interfaces on both ASAs are connected together through a cross-over cable). Connect to the ASA through a consol. Go to all interfaces that you are going to use (just like the Primary ASA) and do a no shutdown. Don't forget the Management Interface that we are going to use as a failover interface - Make sure interface has no interface name "no nameif". ASA configuration including IP addresses will replicate from the Primary ASA when replication starts. Following is the minimum configuration that you need to do on the standby. No more! Type the following: ASA(config)# failover lan interface failover Management0/0 ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2 (this is the same exact command you typed on the Primary). ASA(config)# failover link failover Management0/0 ASA(config)# failover lan unit secondary ASA(config)# failover replication http ASA(config)# failover (This is the last command that you need to do and as soon as you do that the replication of configuration will start) You will see messages similar to the following: "Detected an Active mate Beginning configuration replication from mate.... Jul 12 2013 23:37:14: %ASA-6-720037: (VPN-Secondary) HA progression callback: id =3,seq=200,grp=0,event=101,op=15,my=Sync Config,peer=Active. Jul 12 2013 23:37:14: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_CONFIG, my state Sync Config, peer state Active. Jul 12 2013 23:37:14: %ASA-1-709006: (Secondary) End Configuration Replication (STB)"
  • 3. Gie some time for replication to finish before you proceed with the following After that, go back to the primary ASA (not standby) and save config on it and that will save it on both ASAs: ASA#Wr mem You can use the following two commands to see the state of failover ASA# show failover ASA# show failover state Down the road, if standy configuration is out of sync with the Active asa, go to standby and do: conf t no failover failover Last resort if configures are not matching, on the Active/primary ASA: Wr standby [make sure you read more about "wr standby" this before you do it] More Cisco ASA Topics: How to Configure Cisco ASA Failover into Active/Standby Mode? Cisco ASA Failover, Failover Modes & ASA Failover Configuration Cisco ASA IPS Module Configuration How to Configure New ASA 5510 in Transparent Mode? Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software Cisco ASA SNMP Polling Via VPN Site-to-Site Tunnel Create IPv6 LAN-to-LAN VPN Tunnel on Cisco ASAs