Re: CISCO ASA 5505 Failover
- From: Wade B Gieni <wgieni@xxxxxxxxx>
- Date: Fri, 27 Jul 2007 23:30:33 -0000
Just to update this. I tried again with the MAC address information
but it did not work.
I ended up setting the secondary back to the factory default settings
(config factory-default) and removed the dhcpd and dhcpd pool
addresses. I then uploaded the configuration from the primary
firewall via tftp. I set the failover to be secondary (failover lan
unit secondary).
After hooking up the two firewalls the failover now works!!
Thanks for everyone's help.
On Jul 25, 12:22 pm, wgi...@xxxxxxxxx wrote:
Thanks for the information. I have some more solutions to try today.
I re-read the documentation that CISCO has supplied and came up with
the following excerpts (Cisco Systems, 2006. Cisco Security Appliance
Command Line Configuration Guide, For the Cisco ASA 5500 Series and
Cisco PIX 500 Series, Software Version 7.2(2). Cisco Systems, Inc.
San Jose, CA, www.cisco.com, Text Part Number OL-10088-02.)
Page 14-4 states that you can use a cross-over cable:
You can use any unused Ethernet interface on the device as the
failover link. You cannot specify an interface that is currently
configured with a name. The failover link interface is not configured
as a normal networking interface; it exists only for failover
communication. This interface should only be used for the failover
link (and optionally for the Stateful Failover link). You can connect
the LAN-based failover link by using a dedicated switch with no hosts
or routers on the link or by using a crossover Ethernet cable to link
the units directly.
Page 14-22 states that I should be using a VLAN:
Step 4 Define the failover interface:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the
phy_if argument. The phy_if argument can be the physical port name,
such as Ethernet1, or a previously created subinterface, such as
Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN.
On page 14-7 there is another note that caught my eye yesterday:
If the secondary unit boots without detecting the primary unit, it
becomes the active unit. It uses its own MAC addresses for the active
IP addresses. However, when the primary unit becomes available, the
secondary unit changes the MAC addresses to those of the primary unit,
which can cause an interruption in your network traffic. To avoid
this, configure the failover pair with virtual MAC addresses. See the
"Configuring Virtual MAC Addresses" section on page 14-25 for more
information.
As I had not done this would it have caused the network to become
unstable?
On Jul 25, 10:28 am, "Scott Perry" <scottperry@aciscocompany> wrote:
You can use a crossover cable between the configured failover ports on the
ASA devices.
Here is a working configuration:
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/2
failover link Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
monitor-interface DMZ
monitor-interface LAN
monitor-interface INET
Pick a physical interface for your failover, not a VLAN. After this
configuration, the failover interface config will look similar to this:
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
A "show failover" command will demonstrate how the failover is functioning.
Do not forget to alter the second line of the provided configuration for the
secondary firewall.
--
===========
Scott Perry
===========
Indianapolis, Indiana
<wgi...@xxxxxxxxx> wrote in message
news:1185212216.075362.240270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
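The procedure that finally worked in this thread (reset the secondary to factory defaults, then bring it up with the primary's failover settings but with `failover lan unit secondary`) and Scott's reminder to alter that one line can be automated. The script below is an added example; it is not code from the thread, from Cisco, or from the ASA itself. It assumes a constructed ASA 5505 primary running-config excerpt (the hostname, VLAN numbers, addresses and the `folink` name are invented), a failover VLAN carried on switchport Ethernet0/7, and Cisco's documented model in which the secondary unit only needs the failover bootstrap commands because the remaining configuration replicates from the active unit once failover is established. It also enforces two points quoted from the 7.2 guide above: on the 5505 the failover interface must be a VLAN, and it must not carry a `nameif`.

```python
"""Derive an ASA 5505 secondary unit's failover bootstrap from the primary's config.

Added example for the thread above; nothing here is Cisco code. The sample
running-config is constructed for illustration.
"""

# Constructed primary ASA 5505 running-config excerpt (all values invented).
PRIMARY_CONFIG = """\
hostname asa-primary
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Vlan3
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 3
!
failover
failover lan unit primary
failover lan interface folink Vlan3
failover interface ip folink 10.1.1.1 255.255.255.252 standby 10.1.1.2
monitor-interface inside
monitor-interface outside
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} for every 'interface X' block."""
    blocks = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def failover_bootstrap(config):
    """Commands to paste into a factory-defaulted secondary 5505.

    Only the failover bootstrap is emitted; dhcpd, nameif'd interfaces and the
    rest of the policy are deliberately left out because the active unit
    replicates them to the standby once failover comes up (assumption stated
    in the lead-in).
    """
    fo_lines = [l for l in config.splitlines()
                if l == "failover" or l.startswith("failover ")]
    lan_if = next((l for l in fo_lines
                   if l.startswith("failover lan interface ")), None)
    if lan_if is None:
        raise ValueError("primary has no 'failover lan interface' command")
    _, _, _, if_name, phy_if = lan_if.split()

    # Page 14-22 of the quoted guide: on the 5505 phy_if is a VLAN.
    if not phy_if.lower().startswith("vlan"):
        raise ValueError(f"ASA 5505 failover interface must be a VLAN, got {phy_if}")
    ifaces = parse_interfaces(config)
    sub = ifaces.get(phy_if, [])
    # Page 14-4 of the quoted guide: the failover link must not be named.
    if any(s.startswith("nameif ") for s in sub):
        raise ValueError(f"{phy_if} carries a nameif; the failover link must be unnamed")

    ip_line = next((l for l in fo_lines
                    if l.startswith(f"failover interface ip {if_name} ")), None)
    if ip_line is None or " standby " not in ip_line:
        raise ValueError("need 'failover interface ip <name> <ip> <mask> standby <ip>'")

    vlan_id = phy_if[4:]
    out = [f"interface {phy_if}"] + [f" {s}" for s in sub] + [" no shutdown", "!"]
    # Carry over every switchport that is access-assigned to the failover VLAN.
    for name, subs in ifaces.items():
        if f"switchport access vlan {vlan_id}" in subs:
            out += [f"interface {name}", f" switchport access vlan {vlan_id}",
                    " no shutdown", "!"]
    # Order follows the guide's step 4: define link, assign IP, set unit role, enable.
    out += [lan_if, ip_line, "failover lan unit secondary", "failover"]
    return out


def secondary_bootstrap_text(config):
    """Same as failover_bootstrap(), joined into a paste-ready block."""
    return "\n".join(failover_bootstrap(config))


if __name__ == "__main__":
    print(secondary_bootstrap_text(PRIMARY_CONFIG))
```

Run it against a `show running-config` capture from the primary, paste the output into the secondary in configuration mode after resetting it to factory defaults, connect the failover VLAN ports, and confirm with `show failover` that the secondary reports Standby Ready.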