simple & straight upto point..clearly explained . I was working on ASA for the past 3 months but never had such understanding of failover. Your videos had really helped me going deep dive with ASA. thank you very much........ Eager to see some more !!!!!
I could not find anywhere in the book how to configure different state full and LBF Failover likns but you showed me that, 2nd I found "prompt hostname priority state command very useful thanks for sharing this video, Can Not Tell You How Happy I Am :)
There's no need in acls on both ifaces. Inside and outside nameifs get a priority 100 and - respectively. To make icmp work without acls at all, all you need is just to enable icmp protocol tracking using fixup protocol icmp. But if you want to have an acl on the outside iface you can allow icmp return traffic. The recommended way is to track icmp packets in so called conntrack table. Also, for the peerlink it's good to use an etherchannel link between nodes to get a redundancy. Cheers!
If regular failover configured alone it means that active standby, if both regular and stafull full configured then it will be active active. Please suggest me whether my understanding is correct ?
Thank you so much sir for uploading Cisco HA vedio. I have a doubt in this concept that Why should we assign same GE1 ethernet port in ASA-1 & ASA-2 192.168.2.2 is primary and 192.168.2.3. standby but when coming to diagram its mention that GE1 ip in ASA-1 is 192.168.2.2 and GE1 ip in ASA-2 is 192.168.2.3 Please clarify my doubt
+Samih Khan : Hi Samih, starting software versions 8.3(1) and later, Cisco has made some changes to the requirements for failover licenses. I would recommend that you refer this URL for the exact information about your version: www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/license.html#wp1315746
Hi Shyam, How to make standby firewall to active firewall ( if some problem with active firewall ). is there any command ? if we use "failover active" command in standby firewall ? does command forcefully convert standby firewall to active firewall ??
Shyam Thanks you very much for sharing video. It was informative. I had a doubt of what default gateway we should give to inside PC, it got cleared after reading Ibrahim's post below.
+Shiva Ram A regular failover, also known as the stateless failover causes the connections to be dropped when a failover occurs. This means, all connections will have to be re-established when the failover happens. A stateful failover configuration will maintain the connections when a failover happens.
by default, the ASA monitors all physical interfaces, and if one goes down it fails over to the standby asa. you can manually configure specific interfaces to be monitored using the global config command "monitor-interface lanlink"
Hello Shyam.. We have VRRP configured on old firewall and we are migrating it to Cisco ASA 5525-X. In VRRP we have virtual IP (VIP) configured and that IP we are using as a default gateway on our servers.IN ASA do we need to configure VIP address (similar to HSRP on L3 switchs or routers)? Below you informed Ibrahim that active firewall IP address will be used as DG for servers.
Hi Shyam, I have one doubt, as shown in the video is "wr standby" compulsory, should "wr mem" not replicate the configuration from Primary to secondary unit. Kindly share your views.
+Prathamesh Patil Hi Prathamesh, you're correct. The "write memory" command synchronizes the configuration from the primary to the secondary firewall. Normally you never have to use the "write standby" command, because it wipes out the config on the secondary firewall. The only time you'd have to use "write standby" is when your standby firewall is out-of-sync with the active firewall; you want to wipe out everything and sync again. This should be a good read: www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115999-write-standby-command-qanda-00.html
+Shiva Ram Hey Shiva, the gateway of your PC will never change. It should always be set to the IP address of the firewall, which in this case is 192.168.1.2. When a failover occurs, the active firewall will take that address.
+Shyam Raj bro one more query which is if two ASA are in Active/active state then how PC does know which firewall is in active ? is there any way to find that ? one interviewer has asked me this question
Hi I am having following challenge after following the steps given by you. Ping failed between Router R1 and PC 172.16.1.4 Ping is failed between 172.16.1.4 and 192.168.1.2 Ping is success between between R1 and 192.168.1.2 Again ping is success from FW1 to 10.1.1.2 and 172.16.1.4 Please assist.
we need people like you who are very precise and straight to the point. Thank you very much!
simple & straight upto point..clearly explained . I was working on ASA for the past 3 months but never had such understanding of failover. Your videos had really helped me going deep dive with ASA. thank you very much........
Eager to see some more !!!!!
Shyam, you did a great work on this video. Congratulation
great video Shyam , you explained this in very simple manner .Keep posting such videos on other topics in Security
Thank you very much Shyam. Explanation is at the best, its too clear and crispy.
+Naresh Medaram : Thanks mate, glad it helped you.
I could not find anywhere in the book how to configure different state full and LBF Failover likns but you showed me that, 2nd I found "prompt hostname priority state command very useful thanks for sharing this video, Can Not Tell You How Happy I Am :)
Thank you Pranay. I'm glad you found what you were looking for :).
Thanks for the demo - I love videos like this. Keep them coming.
Sure thing Euan :). Glad you loved it.
Hi Shyam,
This video is very helpful! Thank you for giving effort making this tutorial.
Thank you for the video, explanation is given in very simple words.......
good brief explanation thanks Raj!
Explained in detail. very useful
Hey Shyam, thanks alot for explaining so good and simple. keep it up the good work. ALL THE BEST OF LUCK.
Thanks mate.
There's no need in acls on both ifaces. Inside and outside nameifs get a priority 100 and - respectively. To make icmp work without acls at all, all you need is just to enable icmp protocol tracking using fixup protocol icmp. But if you want to have an acl on the outside iface you can allow icmp return traffic. The recommended way is to track icmp packets in so called conntrack table. Also, for the peerlink it's good to use an etherchannel link between nodes to get a redundancy. Cheers!
Great video Shyam.. Plz upload more.. Thank you.
thanks for the awesome video! I'm about to configure my first ASA 5540
I'm glad you found it to be useful :).
Thanks for the tutorial!
good one shyam, great exaplanation! Could you also post a video on IPsec (ASA)
you have really nicely demonstrate
thanks eng shyam great session
very clearly explained..
thanks raj ,really helpfull
for the cabling, what cables were used to configure the cluster? cross-over on both interfaces on the failover and stateful interfaces?
I am using ASAv 961-3 qcow2 +gns3. For that I am getting the issue which was posted earlier.
Great job and thanks for sharing!!!
Jaime Alcarria Thank you Jaime :).
Super buddy..Ur video is awesome.. dude can u make video about context in ASA and how does it work plz😊
Worked 1st time thank you.
Glad it helped you Mark :).
Thank you!
Thanks!, Question; have you simulate on Gns3 an Asa failover by disabling/unplug the OUTSIDE interface(GE3) on Active ASA-1?
What ports. protocols for outside interface so they can monitor each other? Can I use Mac addresses?
Very useful tnx
If regular failover configured alone it means that active standby, if both regular and stafull full configured then it will be active active.
Please suggest me whether my understanding is correct ?
Great video Shyam, is there any way you can make a video for an active/active setup for an ASA. Cheers !
Thanks Paul, I don't work on ASA's anymore.
excellent
NICE good job
Thank you so much sir for uploading Cisco HA vedio.
I have a doubt in this concept that Why should we assign same GE1 ethernet port in ASA-1 & ASA-2 192.168.2.2 is primary and 192.168.2.3. standby
but when coming to diagram its mention that GE1 ip in ASA-1 is 192.168.2.2 and GE1 ip in ASA-2 is 192.168.2.3
Please clarify my doubt
Please help, When configuring failover do you have to assign interface IP's manually on the Secondary unit or you configure everything on the Primary?
everything on primary
Great, however you might wanted to add the commands for failing over to standby and viceversa
Hello Shyam,
Waht would be the config on the switch ports between the ASA's
Nothing required, since its a layer 2 device. port should be up buddy
Hi shyam - what type of license is needed for the ASA 5512 for HA and what Image? as i will be configuring two ASA in failover soon.
thanks
sajk
+Samih Khan : Hi Samih, starting software versions 8.3(1) and later, Cisco has made some changes to the requirements for failover licenses.
I would recommend that you refer this URL for the exact information about your version: www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/license.html#wp1315746
Hi Shyam,
How to make standby firewall to active firewall ( if some problem with active firewall ).
is there any command ?
if we use "failover active" command in standby firewall ? does command forcefully convert standby firewall to active firewall ??
Yes, run the command failover active
Shyam Thanks you very much for sharing video. It was informative. I had a doubt of what default gateway we should give to inside PC, it got cleared after reading Ibrahim's post below.
abasapure Thank you :).
what is the difference between regular failover and statefull failover ?
+Shiva Ram A regular failover, also known as the stateless failover causes the connections to be dropped when a failover occurs. This means, all connections will have to be re-established when the failover happens.
A stateful failover configuration will maintain the connections when a failover happens.
How standby firewall does know that if active firewall goes down ? how standby firewall will become a active firewall once active firewall goes down ?
by default, the ASA monitors all physical interfaces, and if one goes down it fails over to the standby asa. you can manually configure specific interfaces to be monitored using the global config command "monitor-interface lanlink"
Hello Shyam.. We have VRRP configured on old firewall and we are migrating it to Cisco ASA 5525-X. In VRRP we have virtual IP (VIP) configured and that IP we are using as a default gateway on our servers.IN ASA do we need to configure VIP address (similar to HSRP on L3 switchs or routers)? Below you informed Ibrahim that active firewall IP address will be used as DG for servers.
Ashok Basapure Hello Ashok, on the Cisco ASA, there's nothing as a VIP address. So you can use the IP address of the primary firewall as your gateway.
Thanks Shyam for clarifying doubt,
💯💯💯💯💯💯💯💯💯💯💯
Hi Shyam,
I have one doubt, as shown in the video is "wr standby" compulsory, should "wr mem" not replicate the configuration from Primary to secondary unit.
Kindly share your views.
+Prathamesh Patil
Hi Prathamesh, you're correct. The "write memory" command synchronizes the configuration from the primary to the secondary firewall.
Normally you never have to use the "write standby" command, because it wipes out the config on the secondary firewall.
The only time you'd have to use "write standby" is when your standby firewall is out-of-sync with the active firewall; you want to wipe out everything and sync again.
This should be a good read: www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115999-write-standby-command-qanda-00.html
+Shyam Raj Thanks a lot for the info...
Great video. BTW, your domain has expired.
What is the PC GW please !! which ASA should be GW ?!!!
Hi Ibrahim, you need to use the IP of the primary ASA as the gateway. In this topology, it is 192.168.1.2
+Shyam Raj if primary firewall goes down and what what is the gw of PC ?
+Shiva Ram Hey Shiva, the gateway of your PC will never change. It should always be set to the IP address of the firewall, which in this case is 192.168.1.2.
When a failover occurs, the active firewall will take that address.
+Shyam Raj great ,thanks a lot to clarify the doubt and how PC does know which Firewall is Active ? with the help of mac address or other ?
+Shyam Raj bro one more query which is if two ASA are in Active/active state then how PC does know which firewall is in active ? is there any way to find that ? one interviewer has asked me this question
Hi
I am having following challenge after following the steps given by you.
Ping failed between Router R1 and PC 172.16.1.4
Ping is failed between 172.16.1.4 and 192.168.1.2
Ping is success between between R1 and 192.168.1.2
Again ping is success from FW1 to 10.1.1.2 and 172.16.1.4
Please assist.
Hi, this sounds like a routing issue either on the firewall or the router. Have you checked the routing tables?
Plese share the config for routing.
Sorry I do not have the config saved. But the routing is available at 0:56 on the video.