Cisco ASA Failover Best Practice

Here’s the recommended best practice for configuring failover on a Cisco ASA.

Active unit:

interface Ethernet0/0
 duplex full
 nameif outside
 ip address 10.67.78.1 255.255.255.248 standby 10.67.78.2
 no shutdown
interface Ethernet0/1
 duplex full
 nameif inside
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
 no shutdown
interface Ethernet0/2
 description STATE Failover Interface
 no shutdown
interface Ethernet0/3
 description LAN Failover Interface
 no shutdown
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip statelink 11.11.11.1 255.255.255.252 standby 11.11.11.2
failover

Standby unit:

failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip statelink 11.11.11.1 255.255.255.252 standby 11.11.11.2
failover

To show the failover state (which unit is active and which is standby) in the CLI prompt next to the hostname:

prompt hostname state

Subsecond failover:

failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
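
A consistency check for the configuration above, as an added example that is not part of the original post: it verifies that every addressed interface has a standby address in the same subnet, that each failover link has a matching `failover interface ip` line, and that failover is enabled. The function name `audit_failover` and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the active unit's configuration above.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 ip address 10.67.78.1 255.255.255.248 standby 10.67.78.2
interface Ethernet0/1
 nameif inside
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip statelink 11.11.11.1 255.255.255.252 standby 11.11.11.2
failover
"""

ADDR = re.compile(r"^\s*(?:ip address|failover interface ip (\S+)) "
                  r"(\S+) (\S+)(?: standby (\S+))?\s*$")
LINK = re.compile(r"^failover (?:lan interface|link) (\S+) \S+\s*$")


def audit_failover(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings, declared, addressed = [], {}, {}
    for line in config.splitlines():
        if m := LINK.match(line):
            # The page declares FOLINK and addresses folink, so link names
            # are compared case-insensitively here.
            declared[m.group(1).lower()] = m.group(1)
        elif m := ADDR.match(line):
            name, active, mask, standby = m.groups()
            if name:
                addressed[name.lower()] = name
            if standby is None:
                findings.append(f"no standby address: {line.strip()}")
                continue
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net or standby == active:
                findings.append(f"standby {standby} is not a separate address in {net}")
    for key in sorted(declared.keys() - addressed.keys()):
        findings.append(f"failover link {declared[key]} has no 'failover interface ip' address")
    for key in sorted(addressed.keys() - declared.keys()):
        findings.append(f"'failover interface ip {addressed[key]}' names an undeclared link")
    if not re.search(r"^failover\s*$", config, re.M):
        findings.append("failover is not enabled")
    return findings
```

Running it against the text of `show running-config` from each unit before enabling failover catches a mistyped standby address or a missing link address.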
