How to Configure Failover on Cisco ASA Firewall

Configuring a Cisco ASA firewall for resiliency is straightforward. Implementing the failover feature in Active/Standby mode can be achieved with the following commands.

Please note that it is not recommended to use the Management interface for failover purposes, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other.

Furthermore, we have to consider the future implications of using the Management interface, as you may want to create a completely new network for Out-of-Band (OOB) access in which the Management interface on each device will participate. Therefore, using the Management interface for failover might cause design issues in the future.

In the example below, I will be using GigabitEthernet0/5 on both devices as the failover interface.

Primary

failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/5
failover link FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.1.0.1 255.255.255.252 standby 10.1.0.2

Secondary

failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/5
failover link FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.1.0.1 255.255.255.252 standby 10.1.0.2

Make sure to issue no shutdown on the appropriate interfaces after configuring each device.

Once you have the configuration in place, you should see the following message.

Beginning configuration replication from mate.
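
The following check is an added example, not part of the original post or any Cisco tooling: it compares the failover lines of two units before they are applied and reports the mistakes the text above warns about (failover on a Management interface, or units that disagree on the interface or on the "failover interface ip" line). The function names and finding strings are assumptions made for this example, and the sample input is the configuration shown above.

```python
import re

def parse_failover(config: str) -> dict:
    """Collect the 'failover ...' settings of one unit's configuration."""
    info = {"unit": None, "lan_if": None, "link_if": None, "ip": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            info["unit"] = m.group(1)
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            info["lan_if"] = m.groups()           # (name, physical interface)
        elif m := re.fullmatch(r"failover link (\S+)(?: (\S+))?", line):
            info["link_if"] = m.groups()
        elif m := re.fullmatch(
                r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            info["ip"] = m.groups()               # (name, active, mask, standby)
    return info

def audit_pair(unit_a_cfg: str, unit_b_cfg: str) -> list:
    """Return findings for a pair of unit configurations; empty list means clean."""
    a, b = parse_failover(unit_a_cfg), parse_failover(unit_b_cfg)
    findings = []
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append("units must be one primary and one secondary")
    for name, u in (("first", a), ("second", b)):
        for key in ("lan_if", "link_if", "ip"):
            if u[key] is None:
                findings.append(f"{name} unit: missing {key}")
        phys = [i[1] for i in (u["lan_if"], u["link_if"]) if i and i[1]]
        if any(p.lower().startswith("management") for p in phys):
            findings.append(f"{name} unit: failover runs on a Management interface")
    # As in the example above, both units use the same interface and the
    # identical 'failover interface ip' line (active first, standby second).
    if a["lan_if"] != b["lan_if"] or a["link_if"] != b["link_if"]:
        findings.append("failover interface differs between units")
    if a["ip"] != b["ip"]:
        findings.append("'failover interface ip' line differs between units")
    return findings

# Sample input: the primary configuration from this page; the secondary
# differs only in the unit role.
PRIMARY = """\
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/5
failover link FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.1.0.1 255.255.255.252 standby 10.1.0.2
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

if __name__ == "__main__":
    print(audit_pair(PRIMARY, SECONDARY) or "no findings")
```

A common slip this catches is swapping the active and standby addresses on the secondary unit; the line must be identical on both devices.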