Cisco ASA - High Availability Configuration (CLI)

In this article, we take a look at the configuration steps to set up High Availability (Active/Standby failover) between two Cisco Secure Firewalls running ASA software using the command line interface (CLI), with a single dedicated physical link carrying both the Failover Link and the Stateful Failover Link.


Pre-requisites

To enable high availability between two Cisco firewalls, some things need to match between the two units and some things need to be prepared before you enter the configuration.

  • The firewalls must be the same model/SKU, with the same number and type of interfaces.

  • The firewalls must be running the same ASA software version (different versions are only supported temporarily while performing a hitless upgrade of the pair).

  • The firewalls must have the same license level.

  • The firewalls must be in the same firewall mode (routed or transparent) and the same context mode (single or multiple).

  • Select an IP network to be used for the HA link. Pick something that will never be routed on the network; a tip is to use a 169.254.X.0/24 network, but do not use 169.254.1.0/24 specifically, because it is used internally by Firepower appliances running ASA software.

In this example, we will connect the Failover/State Link directly between the two ASA firewalls, but it is also supported to connect them together via a switch. If you decide to do this, create a new dedicated VLAN for this purpose and connect the two Failover/State Links to access ports configured with this new dedicated VLAN.

Primary Firewall Configuration

! FW01 (Primary)
failover lan unit primary
failover lan interface folink Ethernet1/12
! Reuse the failover link as the Stateful Failover link (no separate state interface)
failover link folink Ethernet1/12
failover interface ip folink 169.254.10.1 255.255.255.0 standby 169.254.10.2
! Shared secret that encrypts and authenticates failover traffic; must be identical on both units
failover key Fa1L0v3rK3Y!!

interface Ethernet1/12
    no shutdown
    exit

! Enable failover last, after the link, addresses and key are in place
failover
write mem

Secondary Firewall Configuration

! FW02 (Secondary)
failover lan unit secondary
failover lan interface folink Ethernet1/12
! Same shared Failover/State link as on the Primary
failover link folink Ethernet1/12
! Same command as on the Primary: the Secondary uses the standby address
failover interface ip folink 169.254.10.1 255.255.255.0 standby 169.254.10.2
failover key Fa1L0v3rK3Y!!

interface Ethernet1/12
    no shutdown
    exit

failover
write mem

When both firewalls are configured, connect the Failover Link between them and cable their data interfaces to the network. If possible, simply issue the “reload” command on both firewalls and connect all necessary cables while they are rebooting.

After the firewalls have started up and found each other, the Primary (Active) firewall replicates its configuration to the Secondary (Standby) firewall. Anything configured on the Secondary other than the failover commands is overwritten in the process, so all further configuration is done on the Active unit only. After this process is complete, there are some optional steps you can implement to improve the failover pair.

Enable Smarter Command Prompt

After High Availability is configured, connecting to the firewall’s management IP address over SSH or ASDM always lands you on the currently Active firewall, because the active IP address moves with the Active role. This makes it hard to tell whether you are on the Primary or the Secondary unit, since you might not know which one is currently Active, especially after an incident that may have caused a failover between the firewalls.

To address this, you can tell the ASA to include in the CLI prompt whether the unit you are on is currently Active or Standby, and whether it was configured as the Primary or the Secondary unit in the first place:

prompt hostname priority state

For example, this command makes the prompt look like this when the Primary unit is the Active unit (on the Secondary unit while it is Standby, the same prompt reads myASA/sec/stby):

myASA/pri/act(config)# 

If your firewall runs multiple Contexts (that is, multiple virtual firewalls on the same hardware), use the following command instead to include the current Context in the prompt as well:

prompt hostname context priority state

Assign IP addresses to the Standby Firewall

If possible, assign a standby IP address to every interface of the firewall so the two units can properly monitor each other’s interfaces. Without a standby address, the Active unit can only track the link state of the Standby unit’s interface and cannot run the network tests used for interface monitoring, and you cannot reach the Standby unit on that interface either. Some deployments lack the spare public IP address needed for the outside interface, but you should at the very least configure standby addresses on all internal interfaces.

interface Ethernet1/1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2

Interface Monitoring (which interfaces are monitored at all) and the failover interface policy (how many monitored interfaces must fail before the unit gives up the Active role) can be configured in the CLI with the “monitor-interface” / “no monitor-interface” and “failover interface-policy” commands, but I think it is easier to do in ASDM. In ASDM, navigate to Configuration > Device Management > High Availability and Scalability > Failover > Criteria > Interface Policy to configure this.

Enable Logging on the Standby Firewall

Run this command on the Primary (Active) firewall to make the Standby firewall also send Syslog messages to the configured Syslog server; like the rest of the configuration, it replicates to the Standby unit. Note that this roughly doubles the volume of Syslog traffic. The complete Syslog configuration is not covered here, only the command that enables this feature.

logging standby


Verification

Use the command “show failover” to see whether failover is enabled, which role each unit was assigned (Primary or Secondary), which one is currently Active, whether the Stateful Failover link is configured and up, and the monitoring status of every interface on both units. The shorter “show failover state” summarizes the state of both units and the reason for the last failure.

Use the command “show failover history” to see a log detailing the failover events that have caused the units to change state.

To test the pair, force a switchover with the “failover active” command on the current Standby unit (or “no failover active” on the Active unit) and verify that traffic keeps flowing.
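As an added example (not part of the original article and not Cisco code), here is a small Python parser for “show failover” output that extracts what the verification section describes and also checks the points covered earlier on this page: both units present with one Active and one Standby Ready, matching software versions, the Stateful Failover link configured and up, and every interface in Normal (Monitored) state. The sample output it parses is constructed in the layout the ASA prints; the version string, addresses and interface names are made up, and the dmz interface is deliberately shown without a standby address so that it appears as Normal (Waiting).

```python
"""Parse and sanity-check ASA "show failover" output.

Added example, not code from the original article or from Cisco.
SAMPLE_SHOW_FAILOVER is a constructed transcript in the layout the ASA
prints; the version, addresses and interface names are made up.
"""
import re

SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Ethernet1/12 (up)
Interface Policy 1
Monitored Interfaces 3 of 1285 maximum
Version: Ours 9.16(4)48, Mate 9.16(4)48
        This host: Primary - Active
                  Interface inside (10.10.10.1): Normal (Monitored)
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface dmz (192.0.2.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                  Interface inside (10.10.10.2): Normal (Monitored)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface dmz (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : folink Ethernet1/12 (up)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\): (.+?) \((\w+)\)\s*$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
STATE_LINK_RE = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)")


def parse_show_failover(text):
    """Return failover state, each unit's role/state and per-interface status."""
    parsed = {"enabled": False, "unit": None, "versions": None,
              "hosts": {}, "state_link": None}
    current = None  # "this" or "other" while inside a host block
    for line in text.splitlines():
        if line.startswith("Failover On"):
            parsed["enabled"] = True
        elif line.startswith("Failover unit "):
            parsed["unit"] = line.split()[-1]
        elif (m := VERSION_RE.match(line)):
            parsed["versions"] = m.groups()
        elif (m := HOST_RE.match(line)):
            which, role, state = m.groups()
            current = which.lower()
            parsed["hosts"][current] = {"role": role, "state": state, "interfaces": []}
        elif current and (m := IFACE_RE.match(line)):
            name, ip, status, monitor = m.groups()
            parsed["hosts"][current]["interfaces"].append(
                {"name": name, "ip": ip, "status": status, "monitor": monitor})
        elif (m := STATE_LINK_RE.match(line)):
            # "Link : Unconfigured." does not match, leaving state_link None
            name, phys, status = m.groups()
            parsed["state_link"] = {"name": name, "interface": phys, "status": status}
            current = None
    return parsed


def active_unit(parsed):
    """Role (Primary/Secondary) of the unit currently holding the Active state."""
    for host in parsed["hosts"].values():
        if host["state"] == "Active":
            return host["role"]
    return None


def has_failed_over(parsed):
    """True when the Secondary unit is Active, i.e. a failover has occurred."""
    return active_unit(parsed) == "Secondary"


def check_failover_pair(parsed):
    """Return a list of findings; an empty list means the pair looks healthy."""
    if not parsed["enabled"]:
        return ["failover is not enabled on this unit"]
    findings = []
    states = {h["state"] for h in parsed["hosts"].values()}
    if states != {"Active", "Standby Ready"}:
        findings.append("unexpected unit states: %s" % sorted(states))
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    if parsed["state_link"] is None:
        findings.append("stateful failover link is not configured")
    elif parsed["state_link"]["status"] != "up":
        findings.append("stateful failover link is %s" % parsed["state_link"]["status"])
    for which, host in parsed["hosts"].items():
        for iface in host["interfaces"]:
            # "Waiting" usually means the interface has no standby IP address,
            # so the peer's copy of it cannot be tested (see the section above).
            if iface["status"] != "Normal" or iface["monitor"] != "Monitored":
                findings.append("%s host (%s): interface %s is %s (%s)" % (
                    which, host["role"], iface["name"], iface["status"], iface["monitor"]))
    return findings


if __name__ == "__main__":
    report = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("active unit:", active_unit(report), "| failed over:", has_failed_over(report))
    for finding in check_failover_pair(report) or ["no findings"]:
        print(" -", finding)
```

Run against real output, the script flags an interface on either unit that is not Normal (Monitored), a missing or down Stateful Failover link, a version mismatch, and any unit state other than the expected Active / Standby Ready pair; has_failed_over() tells you whether the Secondary unit has taken over, which is the same information the smarter prompt puts in front of you interactively.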