DEPLOYING HIGH AVAILABILITY FEATURES ON THE ASA (ACTIVE/STANDBY FAILOVER)
When a single Cisco Adaptive Security Appliance (ASA) is configured with security features and policies, it can offer reliable protection—as long as it continues to run properly, has a continuous source of power, and has consistent network connectivity. Power and connectivity are resources that are provided outside the ASA, but the ASA itself might experience a hardware or software failure, making it a single point of failure.
You can configure two ASAs as a failover pair, allowing them to operate in tandem. The result is greater reliability because one or both ASAs are always available for use.
The idea behind a high availability or “failover” pair is to leverage two separate devices so that one of them is always available in case the other one fails. Naturally, there is a possibility that both ASAs might fail within the same timeframe, but our goal should be to minimize that chance. For example, you might want to install each ASA in a different building to give them physical separation, in case power fails in one building for an extended time.
In this demonstration we are going to configure two ASA firewalls as an Active/Standby pair.
CONFIGURING ACTIVE/STANDBY FAILOVER
The figure below shows the configuration of Active/Standby Failover.
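For readers without the figure, here is an added example of a minimal Active/Standby configuration; it is not the author's original configuration. The interface numbers, the FOLINK name, all IP addresses and the key placeholder are assumptions chosen for illustration.

```cisco
! ---- Primary unit (MOIGETECH-ASA-1 in this demonstration) ----
! Each data interface gets an active and a standby address in the same subnet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
! Dedicated failover interface: only brought up here, no nameif or ip address.
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
! Optional: reuse the same link for stateful failover (connection state replication).
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Without a key, failover traffic, including the replicated configuration,
! crosses the failover link unencrypted. Use the same secret on both units.
failover key <FAILOVER-KEY-PLACEHOLDER>
failover

! ---- Secondary unit (MOIGETECH-ASA-2 in this demonstration) ----
! Only the failover bootstrap is entered here; the rest of the configuration
! is replicated from the active unit once the pair forms.
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <FAILOVER-KEY-PLACEHOLDER>
failover

! ---- Verification (either unit) ----
show failover
show failover state
```

Keep the failover link on a dedicated interface or an isolated VLAN, since it carries the firewall configuration between the two units.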
ACTIVE/STANDBY FAILOVER VERIFICATION
Currently the MOIGETECH-ASA-1 firewall is the active firewall, while MOIGETECH-ASA-2 is the standby firewall. I am going to change the active firewall by issuing the command no fail active on the active firewall, as shown below.
ASA-1 (Switching to standby)
ASA-2 (Switching to active)
As you can see from the above diagrams, the two ASA firewalls have been configured as a failover pair. That is to say, if one of them (the active one) fails, the other one (the standby) takes over immediately. With this deployment, your users will always be able to access the resources that they usually access, whether from inside the company or from outside using Remote Access or Site-to-Site VPNs.