Monday, January 10, 2011

Failover Firewall - ASA 5540 Active/Passive

In this situation we had a single 5540 acting as the sole firewall for one of our divisions.  We will be purchasing a redundant Internet link so we are working on removing all single points of failure in the network.

Firstly, the following MUST be the same across both units of the ASA pair:

- Platform type (e.g. 5510 + 5510)
- Number and types of interfaces
- Licensed features
      - Encryption
      - Security contexts
      - Number of VPN peers
- Flash memory
- RAM

Also the ASA software must be 7.1 or higher (and the same major and minor version on both units), and if using a 5510 you'll need the Security Plus license, as the base 5510 license does not support failover.




Operation
Cisco calls this mode Active/Standby: one unit (normally the primary) is active and passes traffic, the other sits in standby. If the active firewall fails, the standby unit becomes active and takes over the active IP and MAC addresses on every data interface, so hosts and neighbouring routers see no change. By default the active MACs are the primary unit's burned-in addresses; if the primary hardware is ever replaced those addresses change, which is what the failover mac address command is for (it pins virtual MACs to the pair).

The two firewalls must be connected by what is called a LAN-based failover link. This can be a separate VLAN through a switch or a direct straight-through or cross-over cable (the 5500 gigabit ports are auto-MDIX, so either works).




The following data is exchanged over this link:

- Appliance state (active/standby)
- Hellos
- Link status
- MACs
- Config syncs (active to standby)

Changes must always be made on the active appliance and never on the standby firewall; anything typed on the standby is overwritten by the next replication. Saving with write memory on the active unit also saves the config on the standby, and write standby forces a full replication.

Stateful failover
Unless stateful failover is configured, if the active firewall fails all application connections lose their state and have to reconnect to their respective endpoints. Configuring stateful failover ensures that the following state data is shared from the active unit to the standby unit so that applications continue working without interruption:

- NAT table
- TCP connection state
- UDP connection state
- ARP table
- Layer 2 bridge table (transparent mode)
- HTTP connection states (only if failover replication http is configured; HTTP sessions are not replicated by default because of their volume)
- ISAKMP and IPsec security association table
- GTP database info

Info not passed includes:
- user authentication (uauth) table
- routing table

The stateful failover link is the link used by the ASAs to pass state info. This can be the same interface as the LAN-based failover link or a physically separate one; if it is shared it should be at least as fast as the busiest data interface, since it now carries state for every connection. Data on the failover and stateful links is sent in clear text unless a failover key (a pre-shared key) has been configured on both units, in which case it is encrypted. This matters: the link carries connection tables, NAT state and IPsec SA material, so on a shared switch either configure the key or use a dedicated direct cable (ideally both).


Tasks required to create an active/standby failover pair
Connect the two firewalls together and to their respective networks. Note that each interface carries two addresses, an active IP and a standby IP, which must be different but in the same subnet; the standby unit uses the standby address until it becomes active.

Verify that any switch port that connects to a security appliance failover link is configured to support LAN-based failover:
- enable portfast
- turn off channeling (and trunk negotiation) on the port
- verify time is synched on primary and secondary devices
- ensure speeds and duplex settings are all the same on both units
- configure the primary ASA for failover
- bootstrap the secondary (via ASDM, or the equivalent CLI commands) so it can join the pair
- save the replicated config on the standby appliance


failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover polltime unit msec 500 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover replication http
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.21.35.9 255.255.255.252 standby 10.21.35.10

interface GigabitEthernet0/0.128
 description ASA-ISR Transit
 vlan 128
 nameif Outside
 security-level 0
 ip address 144.140.148.129 255.255.255.248 standby 144.140.148.130
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 no shutdown
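As an added example (not from the original post), here is the matching bootstrap the secondary 5540 needs before it can join the pair, followed by the commands used to check and exercise the result. The interface name, failover link addresses and polling setup are taken from the primary's configuration above; the key value, the virtual MAC addresses and the optional failover mac address line are assumed values for illustration only.

```cisco
! Secondary ASA - bootstrap only. Interfaces, NAT, ACLs and everything else
! are replicated from the active unit once the pair forms, so do not
! configure them here.
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/3
failover interface ip Failover 10.21.35.9 255.255.255.252 standby 10.21.35.10
! Same key as on the primary (example value). Without it, hellos, config
! syncs and connection/SA state cross the link in clear text.
failover key ExampleFailoverKey
interface GigabitEthernet0/3
 no shutdown
! Enabling failover last makes the secondary contact the primary and pull its config.
failover
!
! Optional, entered on the ACTIVE unit: pin virtual MACs for the physical
! interface behind the Outside subinterface, so replacing the primary
! chassis does not change the MAC the ISR sees. (Assumed example MACs.)
failover mac address GigabitEthernet0/0 0200.0000.0001 0200.0000.0002
!
! Verification, from either unit:
show failover
show failover state
show failover history
!
! Push the config to the standby explicitly, then save (the save is
! performed on both units):
write standby
write memory
!
! Test a switchover from the active unit and confirm the interface IPs and
! MACs move; 'failover active' on the standby forces it the other way.
no failover active
```

Keep the bootstrap on the secondary to exactly these lines: the failover interface ip command is identical on both units (the primary uses the first address, the secondary the standby address), and any extra configuration typed on the secondary is discarded by the first replication from the active unit.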





