ASAv | Configuration of HA Failover

Preparation

The following IP addresses are used:

Interfaces            IP Address          Standby IP          VMware
----------            ----------          ----------          ------
Outside               192.168.1.100/24    192.168.1.101/24    Adapter 2
Inside                192.168.45.100/24   192.168.45.101/24   Adapter 3
LANFAIL (HeartBeat)   10.10.10.100/24     10.10.10.101/24     Adapter 10

Adapter 1 refers to the Management interface in ASAv; we are not using it for this lab.

Connect Network Adapter 10 (GigabitEthernet 0/8) on ASAvA and ASAvB.

Change the security settings of the port group that the Cisco ASAv is connected to:

#Select the PortGroup where ASAv is used
$PortGroup = Get-VirtualPortGroup | ? Name -eq "192.168.45.x" 

#List the existing security policy - by default all three settings are False (Reject) for security reasons
$PortGroup | Get-SecurityPolicy

VirtualPortGroup               AllowPromiscuous   ForgedTransmits  MacChanges 
----------------               ----------------   ---------------  ---------- 
192.168.45.x                   False             False            False      

#Change all three settings to True
$PortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $true

Configuration on ASAv (Active Unit)

Make it a primary HA unit

failover lan unit primary

Bring up interface GigabitEthernet 0/8

interface gigabitEthernet 0/8 
no shut

Configure Failover

failover lan interface LANFAIL gigabitethernet0/8

failover interface ip LANFAIL 10.10.10.100 255.255.255.0 standby 10.10.10.101

failover key cisco123

failover link LANFAIL

Configure the standby IP for the outside and inside interfaces

#Outside Interface
interface GigabitEthernet 0/0
ip address 192.168.1.100 255.255.255.0 standby 192.168.1.101

#Inside Interface
interface GigabitEthernet 0/1
ip address 192.168.45.100 255.255.255.0 standby 192.168.45.101

Configure Monitored Interface

monitor-interface outside
monitor-interface inside

Enable Failover

failover

Configuration on ASAv (Standby unit)

Power on the new ASAvB and configure it:

#Disable Failover first
no failover 
#Specify it as the HA secondary unit
failover lan unit secondary 

#Bring up Interface GigabitEthernet 0/8
interface gigabitEthernet 0/8
no shutdown

#Configure Failover
failover lan interface LANFAIL gigabitethernet0/8

failover interface ip LANFAIL 10.10.10.100 255.255.255.0 standby 10.10.10.101

failover key cisco123

failover link LANFAIL

Enable Failover and the configuration will be copied from Active (ASAvA) to Standby (ASAvB) automatically

failover

#Save the configuration to the startup-config
wri mem

Verify that the HA sync has completed

ASAvA# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             12:36:02 MYT Aug 2 2019

====Configuration State===
        Sync Done
====Communication State===
        Mac set

====VM Properties Compatibility===
vCPUs - This host:  1
        Other host: 1
Memory - This host:  1024 Mhz
         Other host: 1024 Mhz
Interfaces - This host:  9
             Other host: 9
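
One way to automate the check above, as an added example that is not part of the original post: Python that parses `show failover state` text and lists the reasons a pair is not healthy. The names `parse` and `ha_problems` and the health criteria (one unit Active, the other Standby Ready, configuration state Sync Done, matching VM properties) are assumptions drawn from the output shown above, and the embedded sample is an abridged copy of it.

```python
import re

# Added example (hypothetical helpers). Constructed sample: abridged copy of the output above.
SAMPLE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             12:36:02 MYT Aug 2 2019
====Configuration State===
        Sync Done
====VM Properties Compatibility===
vCPUs - This host:  1
        Other host: 1
Interfaces - This host:  9
             Other host: 9
"""

def parse(text):
    """Parse 'show failover state' text into hosts, sections and VM properties."""
    out = {"hosts": {}, "sections": {}, "vm": {}}
    host = section = prop = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.match(r"(This|Other) host\s+-\s+(\w+)$", line):
            host = out["hosts"].setdefault(m[1].lower(), {"role": m[2]})
        elif m := re.match(r"=+(.+?)=+$", line):
            section, host = out["sections"].setdefault(m[1], []), None
        elif m := re.match(r"(?:(\w+) - )?(This|Other) host:\s+(.+)$", line):
            prop = m[1] or prop  # "Other host:" lines inherit the property name
            out["vm"].setdefault(prop, {})[m[2].lower()] = m[3]
        elif host is not None and "state" not in host:
            host["state"] = re.split(r"\s{2,}", line)[0]  # first column only
        elif section is not None:
            section.append(line)
    return out

def ha_problems(text):
    """Return reasons the pair is not a synced Active / Standby Ready pair."""
    st, problems = parse(text), []
    states = sorted(h.get("state", "?") for h in st["hosts"].values())
    if states != ["Active", "Standby Ready"]:
        problems.append(f"unit states are {states}")
    cfg = st["sections"].get("Configuration State", [])
    if not any(s.startswith("Sync Done") for s in cfg):  # prefix match tolerates a suffix
        problems.append(f"configuration state is {cfg}")
    problems += [f"{p} differs: {v}" for p, v in st["vm"].items()
                 if v.get("this") != v.get("other")]
    return problems
```

Calling `ha_problems()` on output captured from either unit returns an empty list when the pair matches the healthy state shown above.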

Commands for Failover

#Reload Standby unit
failover reload-standby

#Force failover from the Active to the Standby unit
no failover active