Bootstrap ASA failover configuration


Here is the configuration I use for ASA failover (8.4+), based on my experience:

On the primary:

interface GigabitEthernet0/4
no shutdown
failover
failover lan unit primary
failover lan interface FAILINK GigabitEthernet0/4
failover interface ip FAILINK 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover key 222Th3Hak3Y222
failover link FAILINK GigabitEthernet0/4
prompt hostname state priority

On the secondary:

interface GigabitEthernet0/4
no shutdown
failover lan unit secondary
failover lan interface FAILINK GigabitEthernet0/4
failover interface ip FAILINK 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover key 222Th3Hak3Y222
failover link FAILINK GigabitEthernet0/4
failover

To validate:

show failover

Notes:

  • About the stateful link / failover link, you can:
    • use one interface for each
    • use a redundant interface
    • use an EtherChannel, but only one interface in the EtherChannel is used
  • The 169.254.x.x addresses are link-local addresses that are not meant to be routed, which makes them perfect for the HA link.
  • The prompt is mandatory, as it allows you to quickly validate the state of the cluster.
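
A pre-flight check for the two bootstraps above, as an added example that is not part of the original post: it confirms that the roles are primary and secondary, that both units agree on the failover interface, addresses and key, and that the active and standby IPs are two usable hosts of the same subnet. The function names parse and audit are hypothetical, and the sample input is constructed from the configuration in this post.

```python
import ipaddress
import re

# Constructed sample input: the post's primary bootstrap; the secondary differs only in unit role here.
PRIMARY = """\
interface GigabitEthernet0/4
no shutdown
failover
failover lan unit primary
failover lan interface FAILINK GigabitEthernet0/4
failover interface ip FAILINK 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover key 222Th3Hak3Y222
failover link FAILINK GigabitEthernet0/4
prompt hostname state priority
"""
SECONDARY = PRIMARY.replace("lan unit primary", "lan unit secondary")

def parse(cfg):
    """Extract the failover settings from one unit's bootstrap (hypothetical helper)."""
    lines = [l.strip() for l in cfg.splitlines()]
    s = {"enabled": "failover" in lines}
    for line in lines:
        if m := re.fullmatch(r"failover (lan unit|key) (\S+)", line):
            s[m[1]] = m[2]
        elif m := re.fullmatch(r"failover (lan interface|link) (\S+) (\S+)", line):
            s[m[1]] = (m[2], m[3])
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            s["ip"] = m.groups()
    return s

def audit(primary_cfg, secondary_cfg):
    """Return the problems that would keep the pair from forming securely."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    problems = []
    if (p.get("lan unit"), s.get("lan unit")) != ("primary", "secondary"):
        problems.append("unit roles must be primary and secondary")
    for name, unit in (("primary", p), ("secondary", s)):
        if not unit["enabled"]:
            problems.append(f"{name}: failover is not enabled")
        if "key" not in unit:
            problems.append(f"{name}: no failover key, failover traffic is sent in clear text")
    for field in ("lan interface", "link", "ip", "key"):
        if p.get(field) != s.get(field):
            problems.append(f"{field} differs between units")
    if "ip" in p:
        _, active, mask, standby = p["ip"]
        hosts = {str(h) for h in ipaddress.ip_network(f"{active}/{mask}", strict=False).hosts()}
        if active == standby or not {active, standby} <= hosts:
            problems.append("active/standby IPs are not two distinct hosts of one subnet")
    return problems
```

An empty list from audit(PRIMARY, SECONDARY) means the two bootstraps are consistent; show failover remains the check that the pair actually formed.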

 

 

 
