Monday, January 23, 2023

Configuring Active / Standby Failover in Cisco ASA

This is the most widely used failover configuration in Cisco ASA deployments. 

The control plane of this failover setup uses a dedicated connection called the failover link. In the diagram it is the connection between the eth0 interfaces.

Two things are shared between the ASAs: the configuration and the stateful (connection) information. You can use two separate interfaces for these, or one interface for both, which is the most common deployment.

In this setup I am also using a single link for both purposes. The same link is also used by the ASAs to monitor each other's availability.

We will make ASA1 the primary and ASA2 the secondary. 

On ASA1:

failover lan unit primary
failover lan interface FO Ethernet0
failover link FO Ethernet0
failover interface ip FO 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

On ASA2:

failover lan unit secondary
failover lan interface FO Ethernet0
failover link FO Ethernet0
failover interface ip FO 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

The failover lan interface command defines the interface used for configuration syncing, whereas the failover link command defines the interface used for stateful information syncing. 'FO' is just a name given to the interface.

If you are defining a separate interface for stateful information syncing, use the following command:

failover link SF g0/3

SF is just a name given to the interface.

Now you can configure anything on the primary (active) firewall and it will be synced to the secondary.

Additional Notes:

You can use the prompt hostname command so that the CLI prompt identifies the currently active device.

Following are some verification commands:

show failover
show failover history
show failover state

failover exec standby <any exec level command> can be used in configure mode on the primary ASA to execute commands on the standby unit.
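The verification commands above say what to run but not what a healthy pair looks like. The following is an added example, not part of the original post, that parses saved show failover output into a structured status and reports anything that deviates from one Active unit, one Standby Ready unit, the failover LAN interface being up, and matching software versions on both units. The sample output is constructed to approximate the layout of show failover and was not captured from a device; field names and spacing on a real ASA may differ, so the regular expressions are an assumption to adjust against your own output.

```python
"""Health check for a Cisco ASA active/standby pair from saved 'show failover' output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from a real device). It approximates
# the layout of 'show failover' for the pair built in the post: ASA1 primary
# and active, ASA2 secondary and standby, failover link FO on Ethernet0.
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 10:12:33 UTC Jan 23 2023
        This host: Primary - Active
                Active time: 3600 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

# Constructed degraded case: failover link down, mate failed, versions differ.
SAMPLE_DEGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet0 (down)
Version: Ours 9.8(4), Mate 9.6(2)
        This host: Primary - Active
                Active time: 3600 (sec)
        Other host: Secondary - Failed
                Active time: 0 (sec)
"""

HEALTHY_STATES = {"Active", "Standby Ready"}


@dataclass
class FailoverStatus:
    enabled: bool
    unit: Optional[str]                      # Primary / Secondary
    lan_if_name: Optional[str]               # e.g. "FO"
    lan_if_state: Optional[str]              # e.g. "up"
    this_host: Optional[Tuple[str, str]]     # (role, state)
    other_host: Optional[Tuple[str, str]]    # (role, state)
    version_ours: Optional[str]
    version_mate: Optional[str]


def parse_failover(text: str) -> FailoverStatus:
    """Extract the fields the health check needs; missing lines become None."""
    def grab(pattern: str):
        m = re.search(pattern, text, re.MULTILINE)
        return m.groups() if m else None

    on = grab(r"^Failover (On|Off)\s*$")
    unit = grab(r"^Failover unit (\w+)")
    lan = grab(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)")
    this = grab(r"This host: (\w+) - (.+?)\s*$")
    other = grab(r"Other host: (\w+) - (.+?)\s*$")
    ver = grab(r"^Version: Ours (\S+), Mate (\S+)")
    return FailoverStatus(
        enabled=bool(on and on[0] == "On"),
        unit=unit[0] if unit else None,
        lan_if_name=lan[0] if lan else None,
        lan_if_state=lan[2] if lan else None,
        this_host=(this[0], this[1]) if this else None,
        other_host=(other[0], other[1]) if other else None,
        version_ours=ver[0] if ver else None,
        version_mate=ver[1] if ver else None,
    )


def assess(text: str, expected_unit: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks healthy."""
    s = parse_failover(text)
    findings: List[str] = []
    if not s.enabled:
        findings.append("failover is not enabled (expected 'Failover On')")
    if expected_unit and s.unit != expected_unit:
        findings.append(f"unit role is {s.unit!r}, expected {expected_unit!r}")
    if s.lan_if_state != "up":
        findings.append(f"failover LAN interface {s.lan_if_name} is {s.lan_if_state} (expected up)")
    if s.this_host is None or s.other_host is None:
        findings.append("could not find both 'This host' and 'Other host' lines")
    else:
        for label, (role, state) in (("This host", s.this_host), ("Other host", s.other_host)):
            if state not in HEALTHY_STATES:
                findings.append(f"{label} ({role}) is in state {state!r}")
        if s.this_host[1] == s.other_host[1]:
            findings.append("both hosts report the same state; expected exactly one Active unit")
    if s.version_ours and s.version_mate and s.version_ours != s.version_mate:
        findings.append(f"software versions differ: ours {s.version_ours}, mate {s.version_mate}")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(f"{name}: {assess(sample, expected_unit='Primary') or 'OK'}")
```

Feed it the output you save from show failover on the unit you expect to be primary; the expected_unit argument catches the case where a failover has happened and the roles are no longer what the prompt hostname setting leads you to assume.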
