I had a remote site with two Cisco ASA 5525-X firewalls deployed as an Active/Standby failover pair. I posted a blog a couple of years back about this setup in a GNS3 environment, but now I'm deploying it in the real world. Before deployment, I upgraded both ASAs to the latest code, 9.4(2)11, applied the 10-security-context license and configured multiple context mode.
According to the Cisco ASA 5500-X Configuration Guide, starting with ASA 8.3(1) you don't need to install identical licenses (with some exceptions) on both failover units. You buy and install the license only on the Primary/Active unit; the Secondary/Standby unit inherits the Primary's license when it becomes Active.
I also confirmed with Cisco TAC that a 20-security-context license ASA5500-SC-20 (vs. L-ASA-SC-20) will work on a Cisco ASA 5500-X platform.
You can optionally skip the standby IP address in the context interface configuration and failover (and routing) will still work. For example, if you have a limited public IP address range, you can configure the 'outside' interface with a single public IP address. The standby keyword is normally used in Active/Active failover, where each context monitors its interfaces and triggers a failover if multiple failed interfaces are detected. I explicitly configured the standby IP address on the 'inside' interface since we're doing HSRP and allocated a /29 subnet.
ASA01/pri/act(config-if)# ip address 202.78.4.6 255.255.255.128
WARNING: Failover is enabled but standby IP address is not configured for this interface.
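To know before a change window which context interfaces will trigger that WARNING, the following script audits a saved context configuration and reports, per interface, whether an `ip address ... standby ...` is present. This is an added example, not code from the original post; the sample configuration is constructed for it (only the outside address comes from the text above, the inside and management addresses are placeholders).

```python
"""Audit an ASA context configuration for interfaces without a standby address.

Added example (not code from the original post). It walks the `interface`
stanzas of a saved context config and reports, per named interface, whether an
`ip address ... standby ...` is present, so the WARNING shown above is known in
advance rather than discovered at the console. The sample config below is
constructed for this example; the inside/management addresses are placeholders.
"""
import re
from typing import Dict, List, Optional

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IP_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?\s*$")

# Constructed sample: one interface with a standby address (inside, the HSRP /29
# case from the text), two without (outside with a single public IP, management).
SAMPLE_CONTEXT_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 202.78.4.6 255.255.255.128
!
interface GigabitEthernet0/1.400
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.248 standby 10.0.0.2
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface stanza to its nameif, address, mask and standby address."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("!"):          # '!' closes a stanza in ASA configs
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"nameif": None, "ip": None, "mask": None, "standby": None}
            continue
        if current is None:
            continue
        m = NAMEIF_RE.match(line)
        if m:
            result[current]["nameif"] = m.group(1)
            continue
        m = IP_RE.match(line)
        if m:
            result[current]["ip"], result[current]["mask"], result[current]["standby"] = m.groups()
    return result


def missing_standby(config: str) -> List[str]:
    """Interfaces that carry an IP address but no standby address."""
    return [name for name, d in parse_interfaces(config).items()
            if d["ip"] is not None and d["standby"] is None]


def report(config: str) -> List[str]:
    """One line per addressed interface, in the spirit of the ASA's own warning text."""
    lines = []
    for name, d in parse_interfaces(config).items():
        if d["ip"] is None:
            continue
        label = f"{name} ({d['nameif'] or 'no nameif'})"
        if d["standby"] is None:
            lines.append(f"WARNING: {label}: {d['ip']} has no standby IP address")
        else:
            lines.append(f"OK: {label}: {d['ip']} standby {d['standby']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONTEXT_CONFIG)))
```

Run it against `show running-config` saved from each context; interfaces listed as WARNING are the ones where the single-address choice is deliberate (the 'outside' case above) or an oversight.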
ASA-1
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 45 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.10ac, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.10b1, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.10ad, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.10b2, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.10ae, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.10b3, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.10af, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.10b4, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.10b0, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.10ac, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1949123
Running Permanent Activation Key: 0xcb10d26a 0xa440851c 0xc9326500 0xdaa01818 0xc325eabc
Configuration register is 0x1
Image type : Release
Key version : A
Configuration has not been modified since last system restart.
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# activation-key d02ad148 f05363e7 5563850c c6d844bc 401fdxxx
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 50 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.10ac, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.10b1, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.10ad, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.10b2, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.10ae, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.10b3, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.10af, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.10b4, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.10b0, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.10ac, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497123
Running Permanent Activation Key: 0xd02ad148 0xf05363e7 0x5563850c 0xc6d844bc 0x401fdabc
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_15 at 20:36:32.329 UTC Mon Apr 25 2016
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: mod
ciscoasa(config)# mode ?
configure mode commands/options:
multiple Multiple mode; mode with security contexts
noconfirm Do not prompt for confirmation
single Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
<OUTPUT TRUNCATED>
ciscoasa# show context
Context Name Class Interfaces Mode URL
*admin default Routed disk0:/admin.cfg
Total active Security Contexts: 1
ciscoasa#
ciscoasa# show run
: Saved
:
: Serial Number: FCH19497123
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 20
subscribe-to-alert-group configuration periodic monthly 20
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:95676559a4c86494b73ae26e690ba578
: end
ASA-2
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 hours 4 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.1e75, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.1e7a, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.1e76, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.1e7b, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.1e77, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.1e7c, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.1e78, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.1e7d, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.1e79, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.1e75, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497456
Running Permanent Activation Key: 0x633bf67e 0xe0b086c6 0xcd4085cc 0xf1247860 0xcd13fdef
Configuration register is 0x1
Image type : Release
Key version : A
Configuration has not been modified since last system restart.
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# activation-key e30af474 6cd49223 a19229c8 f72074f0 4506dyyy
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 hours 5 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.1e75, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.1e7a, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.1e76, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.1e7b, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.1e77, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.1e7c, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.1e78, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.1e7d, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.1e79, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.1e75, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497456
Running Permanent Activation Key: 0xe30af474 0x6cd49223 0xa19229c8 0xf72074f0 0x4506ddef
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_15 at 20:43:43.989 UTC Mon Apr 25 2016
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: mode
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
Rebooting.....
<OUTPUT TRUNCATED>
ciscoasa# show run
: Saved
:
: Serial Number: FCH19497456
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 15
subscribe-to-alert-group configuration periodic monthly 15
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2c26c30eeb21bfeedab14fc04378836
: end
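Before moving on to failover, it is worth confirming from the four show version captures above that the activation key actually changed the licensed feature set (Security Contexts 2 to 10) and that both units now report the same features. The script below is an added example, not code from the original post: it extracts the table between "Licensed features for this platform:" and "This platform has ..." and diffs two captures. The samples are constructed from the outputs above and trimmed to a few rows; the "N days" form for time-based licenses is an assumption about the output format, not something shown on this page.

```python
"""Compare the 'Licensed features' block of two `show version` captures.

Added example (not code from the original post). It extracts the feature table
that `show version` prints between "Licensed features for this platform:" and
"This platform has ...", then diffs two captures: before/after an activation
key on one unit, or primary vs secondary. The samples below are constructed
from the outputs shown above and trimmed to a few rows.
"""
import re
from typing import Dict, Tuple

HEADER = "Licensed features for this platform:"
# "<feature> : <value> perpetual"; the "<value> N days" alternative for
# time-based licenses is assumed, it does not appear in the captures above.
FEATURE_RE = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s+(perpetual|\d+\s+days?)\s*$")
SERIAL_RE = re.compile(r"^Serial Number:\s*(\S+)")

ASA1_BEFORE = """\
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497123
"""

# After the activation key: same unit, only the context count changes.
ASA1_AFTER = ASA1_BEFORE.replace("Security Contexts : 2 perpetual",
                                 "Security Contexts : 10 perpetual")

# The second unit after its own key: same features, different serial.
ASA2_AFTER = ASA1_AFTER.replace("FCH19497123", "FCH19497456")


def parse_licensed_features(show_version: str) -> Dict[str, str]:
    """Return {feature name: value} for the licensed-features block only."""
    feats: Dict[str, str] = {}
    in_block = False
    for line in show_version.splitlines():
        if line.strip() == HEADER:
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("This platform has"):
            break                      # end of the feature table
        m = FEATURE_RE.match(line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats


def serial_number(show_version: str) -> str:
    """Serial from the 'Serial Number:' line, or '' if absent."""
    for line in show_version.splitlines():
        m = SERIAL_RE.match(line.strip())
        if m:
            return m.group(1)
    return ""


def diff_features(a: str, b: str) -> Dict[str, Tuple[str, str]]:
    """Features whose value differs between capture a and capture b."""
    fa, fb = parse_licensed_features(a), parse_licensed_features(b)
    return {k: (fa.get(k, "<absent>"), fb.get(k, "<absent>"))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}


if __name__ == "__main__":
    print("ASA-1 before -> after:", diff_features(ASA1_BEFORE, ASA1_AFTER))
    print("ASA-1 vs ASA-2 after :", diff_features(ASA1_AFTER, ASA2_AFTER))
```

An empty diff between the two units is the expected result here; a non-empty one (for instance a unit still showing 2 contexts) is what to look for before enabling failover.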
ASA-1
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA01
ASA01(config)# mac-address auto
INFO: Converted to mac-address auto prefix 7797
ASA01(config)# interface GigabitEthernet0/0
ASA01(config-if)# description ### WAN TRUNK ###
ASA01(config)# interface GigabitEthernet0/1
ASA01(config-if)# description ### LAN TRUNK ###
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/1.400
ASA01(config-subif)# description ### INSIDE VLAN ###
ASA01(config-subif)# vlan 400
ASA01(config-subif)# interface Management0/0
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/6
ASA01(config-if)# description ### LAN FAILOVER ###
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/7
ASA01(config-if)# description ### STATEFUL FAILOVER ###
ASA01(config-if)# no shutdown
ASA01(config-if)# class ?
configure mode commands/options:
WORD Symbolic name of the class
ASA01(config-if)# class IPSEC-VPN
ASA01(config-class)# ?
Class configuration commands:
limit-resource Configure the resource limits
no Negate a command or set its defaults
ASA01(config-class)# limit-resource ?
class mode commands/options:
rate Enter this keyword to specify a rate/sec
Following resources available:
ASDM ASDM Connections
All All Resources
Conns Connections
Hosts Hosts
Mac-addresses MAC Address table entries
Routes Routing Table Entries
SSH SSH Sessions
Telnet Telnet Sessions
VPN VPN resources
Xlates XLATE Objects
ASA01(config-class)# limit-resource VPN ?
class mode commands/options:
Burst Burst limit over the configured limit. This burst limit is not
guaranteed. The context may take this resource if it is available on
the device at run time.
Other Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
Sessions. These are guaranteed for a context and shouldn't exceed the
system capacity when combined across all contexts.
ikev1 Configure IKEv1 specific resources.
ASA01(config-class)# limit-resource VPN Other ?
class mode commands/options:
WORD Value of resource limit (in <value> or <value>%)
ASA01(config-class)# limit-resource VPN Other 10
ASA01(config-class)# context admin
ASA01(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
scansafe Enable scansafe inspection in this context
ASA01(config-ctx)# member ?
context mode commands/options:
WORD Class name
ASA01(config-ctx)# member IPSEC-VPN
ASA01(config-ctx)# allocate-interface GigabitEthernet0/0
ASA01(config-ctx)# allocate-interface GigabitEthernet0/1.400
ASA01(config-ctx)# allocate-interface Management0/0
ASA01(config)# failover lan unit primary ?
configure mode commands/options:
primary Configure the unit as primary
secondary Configure the unit as secondary
ASA01(config)# failover lan unit primary
ASA01(config)# failover ?
configure mode commands/options:
group Configure/Enable failover group
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
ipsec Configure the use of IPSec tunnel for failover
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
mac-notification Configure failover MAC address movement notification
settings
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
standby Execute command in standby
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
<cr>
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
ASA01(config)# failover lan ?
configure mode commands/options:
interface Configure the interface and vlan to be used for failover
communication
unit Configure the unit as primary or secondary
ASA01(config)# failover lan interface ?
configure mode commands/options:
WORD Specify the interface name
ASA01(config)# failover lan interface LANFO ?
configure mode commands/options:
WORD Specify physical or sub interface
<cr>
ASA01(config)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ASA01(config)# failover interface ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
ASA01(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
LANFO Name of interface GigabitEthernet0/6
ASA01(config)# failover interface ip LANFO ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
X:X:X:X::X/<0-128> Specify the IPv6 prefix
ASA01(config)# failover interface ip LANFO 172.27.24.237 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ASA01(config)# failover key ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD Failover shared secret
hex Enter 32-character key in hexadecimal format
ASA01(config)# failover key cisco
ASA01(config)# failover link ?
configure mode commands/options:
WORD Specify the interface name
ASA01(config)# failover link STATEFO ?
configure mode commands/options:
WORD Specify physical or sub interface
<cr>
ASA01(config)# failover link STATEFO GigabitEthernet0/7
INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
ASA01(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
LANFO Name of interface GigabitEthernet0/6
STATEFO Name of interface GigabitEthernet0/7
ASA01(config)# failover interface ip STATEFO ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
X:X:X:X::X/<0-128> Specify the IPv6 prefix
ASA01(config)# failover interface ip STATEFO 172.27.24.241 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242
ASA01(config)# prompt ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
hostname Display the hostname in the session prompt
management-mode Display management mode
priority Display the priority in the session prompt
state Display the traffic passing state in the session prompt
ASA01(config)# prompt hostname ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
management-mode Display management mode
priority Display the priority in the session prompt
state Display the traffic passing state in the session prompt
<cr>
ASA01(config)# prompt hostname priority ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
management-mode Display management mode
state Display the traffic passing state in the session prompt
<cr>
ASA01(config)# prompt hostname priority state // TO SHOW WHETHER THE DEVICE IS PRIMARY OR SECONDARY AND ACTIVE OR STANDBY
ASA01/pri/actNoFailover(config)# failover // ACTIVATE FAILOVER
ASA01/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFO GigabitEthernet0/6 (down)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate Unknown
Last Failover at: 20:48:44 UTC Apr 25 2016
This host: Primary - Negotiation
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Other host: Secondary - Not Detected // ASA-2 NOT YET CONFIGURED
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (down)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Configure the LAN-based failover (G0/6) and Stateful failover (G0/7) interfaces on ASA-2.
ciscoasa(config)# interface g0/0 // WAN/OUTSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/1 // LAN/INSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/6 // LAN FO INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/7 // STATEFUL FO INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# failover lan unit secondary
ciscoasa(config)# failover pre-shared-key cisco
ciscoasa(config-if)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ciscoasa(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ciscoasa(config)# failover // ONCE THE failover KEYWORD IS TYPED, ASA-2 SYNCS WITH ASA-1
ciscoasa(config)# .
Detected an Active mate
Beginning configuration replication from mate.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
End configuration replication from mate.
ASA01/sec/stby(config)# show failover // HOSTNAME IMMEDIATELY CHANGED TO ASA01
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 20:41:57 UTC Apr 25 2016
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Other host: Primary - Active
Active time: 313 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 5 0 6 0
sys cmd 5 0 5 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 14 170
Xmit Q: 0 1 7
ASA01/sec/stby(config)# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected Disabled No Error
21:56:46 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:56:47 UTC Apr 25 2016
Negotiation Cold Standby Detected an Active mate
21:56:49 UTC Apr 25 2016
Cold Standby Sync Config Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync Config Sync File System Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync File System Bulk Sync Detected an Active mate
21:57:11 UTC Apr 25 2016
Bulk Sync Standby Ready Detected an Active mate
==========================================================================
ASA01/sec/stby(config)# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Standby Ready None
Other host - Primary
Active None
====Configuration State===
Sync Done - STANDBY
====Communication State===
ASA01/sec/stby(config)# show failover statistics
tx:277
rx:232
ASA01/sec/stby(config)# show run // ASA-2 HAS SYNCED ITS CONFIG FROM ASA-1
: Saved
:
: Serial Number: FCH19497456
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ASA01
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto prefix 7797
!
interface GigabitEthernet0/0
description ### WAN TRUNK ###
!
interface GigabitEthernet0/1
description ### LAN TRUNK ###
!
interface GigabitEthernet0/1.400
description ### INSIDE VLAN ###
vlan 400
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
description ### LAN FAILOVER ###
!
interface GigabitEthernet0/7
description ### STATEFUL FAILOVER ###
!
interface Management0/0
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
class IPSEC-VPN
limit-resource VPN Other 10
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface LANFO GigabitEthernet0/6
failover key *****
failover link STATEFO GigabitEthernet0/7
failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
member IPSEC-VPN
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.400
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
prompt hostname priority state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 15
subscribe-to-alert-group configuration periodic monthly 15
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:950c07895d257c4358b90a99c3c8a2d7
: end
ASA01/sec/stby(config)#
ASA-1
ASA01/pri/act# show failover ?
descriptor Show failover interface descriptors. Two numbers are shown for
each interface. When exchanging information regarding a
particular interface, this unit uses the first number in messages
it sends to its peer. And it expects the second number in
messages it receives from its peer. For trouble shooting, collect
the show output from both units and verify that the numbers
match.
exec Show failover command execution information
group Show failover group information
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
ASA01/pri/act# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:48:49 UTC Apr 25 2016
Not Detected Disabled No Error
21:51:01 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:51:46 UTC Apr 25 2016
Negotiation Just Active No Active unit found
21:51:46 UTC Apr 25 2016
Just Active Active Drain No Active unit found
21:51:46 UTC Apr 25 2016
Active Drain Active Applying Config No Active unit found
21:51:46 UTC Apr 25 2016
Active Applying Config Active Config Applied No Active unit found
21:51:46 UTC Apr 25 2016
Active Config Applied Active No Active unit found
==========================================================================
ASA01/pri/act# show failover interface
interface LANFO GigabitEthernet0/6
System IP Address: 172.27.24.237 255.255.255.252
My IP Address : 172.27.24.237
Other IP Address : 172.27.24.238
interface STATEFO GigabitEthernet0/7
System IP Address: 172.27.24.241 255.255.255.252
My IP Address : 172.27.24.241
Other IP Address : 172.27.24.242
ASA01/pri/act# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 21:52:01 UTC Apr 25 2016
====Configuration State===
Sync Done
====Communication State===
To test failover, I disconnected the LAN failover port G0/6 on ASA-1, and the Secondary unit took over as the Active firewall; its failover history further down records the reason as HELLO not heard from mate. Once the link was restored, the ASA-2 console logged Failover LAN became OK and replicated its configuration back to ASA-1, which came up as Standby Ready.
ASA01/sec/act#
ASA01/sec/act# Failover LAN became OK
Switchover enabled
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
ASA01/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:29:46 UTC Apr 25 2016
This host: Secondary - Active
Active time: 541 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.4): Normal (Monitored)
admin Interface outside (202.78.4.6): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.5): Normal (Monitored)
admin Interface outside (202.78.4.5): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 293 0 303 8
sys cmd 292 0 292 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 10 8
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 4666
Xmit Q: 0 165 689
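The show failover output above is what you check by eye after enabling failover or after a switchover test. The following is an added example in Python, not code from the original post: it parses that text as captured on either unit and reports anything that is not the expected steady state (failover on, both links up, identical software, one Active and one Standby Ready unit, every monitored interface Normal (Monitored)). The two sample outputs embedded in it are constructed from the format shown on this page, and the regular expressions assume the 9.4 output layout.

```python
"""Health check for a Cisco ASA Active/Standby pair from 'show failover' output.

Added example, not code from the original post: parses the plain-text output of
'show failover' captured on either unit and reports what an operator otherwise
eyeballs after enabling failover or after a switchover test. The SAMPLE_*
strings are constructed from the output format shown in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

_LAN = re.compile(r"^\s*Failover LAN Interface:\s+(\S+)\s+(\S+)\s+\((\w+)\)")
_STATE_LINK = re.compile(r"^\s*Link\s*:\s+(\S+)\s+(\S+)\s+\((\w+)\)")
_VERSION = re.compile(r"^\s*Version:\s+Ours\s+(.+?),\s+Mate\s+(.+?)\s*$")
_HOST = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# "admin Interface inside (172.27.24.4): Normal (Monitored)"; the context name
# prefix does not appear in single-context mode, hence optional.
_IFACE = re.compile(r"^\s*(?:(\S+)\s+)?Interface\s+(\S+)\s+\(([^)]*)\):\s+(.+?)\s*$")

@dataclass
class Unit:
    role: str = ""       # Primary / Secondary
    state: str = ""      # Active, Standby Ready, Failed, ...
    interfaces: Dict[str, str] = field(default_factory=dict)  # "ctx/name" -> status

@dataclass
class FailoverReport:
    enabled: bool = False
    lan_link_up: bool = False
    state_link_up: bool = False
    our_version: str = ""
    mate_version: str = ""
    this_host: Unit = field(default_factory=Unit)
    other_host: Unit = field(default_factory=Unit)

def parse_show_failover(text: str) -> FailoverReport:
    rep = FailoverReport()
    current = None  # interface lines belong to the most recent host header
    for line in text.splitlines():
        if line.strip().startswith("Failover On"):
            rep.enabled = True
        elif m := _LAN.match(line):
            rep.lan_link_up = m.group(3).lower() == "up"
        elif m := _STATE_LINK.match(line):
            rep.state_link_up = m.group(3).lower() == "up"
        elif m := _VERSION.match(line):
            rep.our_version, rep.mate_version = m.group(1), m.group(2)
        elif m := _HOST.match(line):
            current = rep.this_host if m.group(1) == "This" else rep.other_host
            current.role, current.state = m.group(2), m.group(3)
        elif (m := _IFACE.match(line)) and current is not None:
            ctx, name, _addr, status = m.groups()
            current.interfaces[f"{ctx or '-'}/{name}"] = status
    return rep

def check(rep: FailoverReport) -> List[str]:
    """Return findings; an empty list means the pair is in the expected steady state."""
    issues: List[str] = []
    if not rep.enabled:
        issues.append("failover is Off")
    if not rep.lan_link_up:
        issues.append("failover LAN link is not up")
    if not rep.state_link_up:
        issues.append("stateful failover link is not up or not configured")
    if rep.our_version != rep.mate_version:
        issues.append(f"software mismatch: ours {rep.our_version}, mate {rep.mate_version}")
    if sorted([rep.this_host.state, rep.other_host.state]) != ["Active", "Standby Ready"]:
        issues.append(f"unit states {rep.this_host.state!r}/{rep.other_host.state!r}, "
                      "expected one Active and one Standby Ready")
    for label, unit in (("this", rep.this_host), ("other", rep.other_host)):
        for name, status in unit.interfaces.items():
            # Just after a switchover interfaces sit in 'Normal (Waiting)' until hellos
            # flow again; anything other than 'Normal (Monitored)' is reported.
            if status != "Normal (Monitored)":
                issues.append(f"{label} host ({unit.role}) {name}: {status}")
    return issues

# Constructed sample modelled on the steady state after the switchover test.
SAMPLE_HEALTHY = """Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Version: Ours 9.4(2)11, Mate 9.4(2)11
    This host: Secondary - Active
          admin Interface inside (172.27.24.4): Normal (Monitored)
          admin Interface outside (202.78.4.6): Normal (Monitored)
    Other host: Primary - Standby Ready
          admin Interface inside (172.27.24.5): Normal (Monitored)
          admin Interface outside (202.78.4.5): Normal (Monitored)
Stateful Failover Logical Update Statistics
    Link : STATEFO GigabitEthernet0/7 (up)
"""
# Constructed sample modelled on the seconds right after 'no failover active'.
SAMPLE_WAITING = (SAMPLE_HEALTHY.replace("Normal (Monitored)", "Normal (Waiting)")
                  .replace("Secondary - Active", "Secondary - Standby Ready")
                  .replace("Primary - Standby Ready", "Primary - Active"))

if __name__ == "__main__":
    for label, sample in (("steady state", SAMPLE_HEALTHY), ("after switchover", SAMPLE_WAITING)):
        findings = check(parse_show_failover(sample))
        print(f"{label}: {'OK' if not findings else findings}")
```

Feed it the output of show failover from either unit (the parser keys on "This host"/"Other host", so it does not care which one you are consoled into). The Waiting case is deliberately reported rather than ignored: it is normal for a few seconds after a switchover, but an interface that stays in Waiting means the two units are not exchanging hellos on that segment and a failure there would go undetected.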
I then issued no failover active on ASA-2 to hand the Active role back to ASA-1.
ASA01/sec/act# no failover ?
active Make this system to be the active unit of the failover pair
ASA01/sec/act# no failover active
ASA01/sec/act#
Switching to Standby
ASA01/sec/stby# show failover // CONSOLE STILL CONNECTED TO ASA-2
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:50:51 UTC Apr 25 2016
This host: Secondary - Standby Ready
Active time: 1264 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.5): Normal (Waiting)
admin Interface outside (202.78.4.5): Normal (Waiting)
Other host: Primary - Active
Active time: 10 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.4): Normal (Waiting)
admin Interface outside (202.78.4.6): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 391 0 405 12
sys cmd 390 0 390 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 14 12
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 5523
Xmit Q: 0 165 1522
ASA01/sec/stby# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected Disabled No Error
21:56:46 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:56:47 UTC Apr 25 2016
Negotiation Cold Standby Detected an Active mate
21:56:49 UTC Apr 25 2016
Cold Standby Sync Config Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync Config Sync File System Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync File System Bulk Sync Detected an Active mate
21:57:11 UTC Apr 25 2016
Bulk Sync Standby Ready Detected an Active mate
22:29:46 UTC Apr 25 2016
Standby Ready Just Active HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Just Active Active Drain HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Drain Active Applying Config HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Applying Config Active Config Applied HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Config Applied Active HELLO not heard from mate
22:50:51 UTC Apr 25 2016
Active Standby Ready Set by the config command
==========================================================================
ASA01/sec/stby# show failover interface
interface LANFO GigabitEthernet0/6
System IP Address: 172.27.24.237 255.255.255.252
My IP Address : 172.27.24.238
Other IP Address : 172.27.24.237
interface STATEFO GigabitEthernet0/7
System IP Address: 172.27.24.241 255.255.255.252
My IP Address : 172.27.24.242
Other IP Address : 172.27.24.241
ASA01/sec/stby# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Standby Ready None
Other host - Primary
Active Comm Failure 22:29:46 UTC Apr 25 2016
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
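The show failover history outputs above are the record of why a unit changed role: "Set by the config command" is an operator typing failover active or no failover active, while "HELLO not heard from mate" is the unit deciding on its own that the peer is gone, which is the event worth alerting on. Because the state names contain spaces, the columns cannot simply be split on whitespace. The following is an added example in Python, not code from the original post: it tokenises each record by longest match against the state vocabulary that appears on this page and separates planned from unplanned takeovers. The SAMPLE string is constructed from the secondary unit's history shown above, and the assumption that "Set by the config command" is the only operator-initiated reason is mine.

```python
"""Parse 'show failover history' and pick out takeovers the operator did not ask for.

Added example, not code from the original post. Each history record is a
timestamp line followed by a line holding From State, To State and Reason in
fixed-width columns. State names contain spaces ('Standby Ready', 'Just Active'),
so the two state fields are recovered by longest match against the state
vocabulary instead of splitting on whitespace. SAMPLE is constructed from the
secondary unit's history shown in the post.
"""
import re
from typing import List, NamedTuple, Tuple

# Longest names first so 'Active Config Applied' is tried before 'Active'.
STATES = sorted([
    "Not Detected", "Disabled", "Negotiation", "Cold Standby", "Sync Config",
    "Sync File System", "Bulk Sync", "Standby Ready", "Just Active", "Active Drain",
    "Active Applying Config", "Active Config Applied", "Active", "Failed",
], key=len, reverse=True)
_TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\s+\S+\s+\w{3}\s+\d{1,2}\s+\d{4}$")

class Transition(NamedTuple):
    when: str
    src: str
    dst: str
    reason: str

def _take_state(s: str) -> Tuple[str, str]:
    """Split a known state name off the front of s; return (state, remainder)."""
    for name in STATES:
        if s.startswith(name) and (len(s) == len(name) or s[len(name)].isspace()):
            return name, s[len(name):].lstrip()
    raise ValueError(f"unrecognised failover state at: {s!r}")

def parse_history(text: str) -> List[Transition]:
    out: List[Transition] = []
    when = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("From State"):
            continue                      # table rules and column header
        if _TIMESTAMP.match(line):
            when = line
            continue
        if when is None:                  # state line without a timestamp: ignore
            continue
        src, rest = _take_state(line)
        dst, reason = _take_state(rest)   # whatever is left after To State is the reason
        out.append(Transition(when, src, dst, reason))
        when = None
    return out

def takeovers(history: List[Transition]) -> List[Transition]:
    """Moments this unit left Standby Ready to become Active."""
    return [t for t in history if t.src == "Standby Ready" and t.dst == "Just Active"]

def unplanned_takeovers(history: List[Transition]) -> List[Transition]:
    """Takeovers not triggered from the CLI (assumed: 'Set by the config command')."""
    return [t for t in takeovers(history) if t.reason != "Set by the config command"]

# Constructed sample, trimmed from the secondary unit's history in the post.
SAMPLE = """==========================================================================
From State                 To State                 Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected               Disabled                 No Error
21:56:46 UTC Apr 25 2016
Disabled                   Negotiation              Set by the config command
21:57:11 UTC Apr 25 2016
Bulk Sync                  Standby Ready            Detected an Active mate
22:29:46 UTC Apr 25 2016
Standby Ready              Just Active              HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Just Active                Active Drain             HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Drain               Active Applying Config   HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Applying Config     Active Config Applied    HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Config Applied      Active                   HELLO not heard from mate
22:50:51 UTC Apr 25 2016
Active                     Standby Ready            Set by the config command
==========================================================================
"""

if __name__ == "__main__":
    for t in unplanned_takeovers(parse_history(SAMPLE)):
        print(f"{t.when}: took over without operator action ({t.reason})")
```

A state name that is not in STATES raises rather than being guessed, so a new ASA release that adds a state fails loudly instead of silently mis-assigning the reason column.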
ASA-1
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 45 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.10ac, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.10b1, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.10ad, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.10b2, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.10ae, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.10b3, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.10af, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.10b4, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.10b0, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.10ac, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH1949123
Running Permanent Activation Key: 0xcb10d26a 0xa440851c 0xc9326500 0xdaa01818 0xc325eabc
Configuration register is 0x1
Image type : Release
Key version : A
Configuration has not been modified since last system restart.
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# activation-key d02ad148 f05363e7 5563850c c6d844bc 401fdxxx
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 hour 50 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.10ac, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.10b1, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.10ad, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.10b2, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.10ae, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.10b3, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.10af, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.10b4, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.10b0, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.10ac, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497123
Running Permanent Activation Key: 0xd02ad148 0xf05363e7 0x5563850c 0xc6d844bc 0x401fdabc
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_15 at 20:36:32.329 UTC Mon Apr 25 2016
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: mod
ciscoasa(config)# mode ?
configure mode commands/options:
multiple Multiple mode; mode with security contexts
noconfirm Do not prompt for confirmation
single Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
<OUTPUT TRUNCATED>
ciscoasa# show context
Context Name      Class      Interfaces      Mode         URL
*admin            default                    Routed       disk0:/admin.cfg
Total active Security Contexts: 1
ciscoasa#
ciscoasa# show run
: Saved
:
: Serial Number: FCH19497123
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 20
subscribe-to-alert-group configuration periodic monthly 20
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:95676559a4c86494b73ae26e690ba578
: end
ASA-2
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 hours 4 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.1e75, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.1e7a, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.1e76, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.1e7b, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.1e77, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.1e7c, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.1e78, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.1e7d, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.1e79, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.1e75, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497456
Running Permanent Activation Key: 0x633bf67e 0xe0b086c6 0xcd4085cc 0xf1247860 0xcd13fdef
Configuration register is 0x1
Image type : Release
Key version : A
Configuration has not been modified since last system restart.
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# activation-key e30af474 6cd49223 a19229c8 f72074f0 4506dyyy
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)
Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 hours 5 mins
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 00fe.c8e5.1e75, irq 11
1: Ext: GigabitEthernet0/0 : address is 00fe.c8e5.1e7a, irq 5
2: Ext: GigabitEthernet0/1 : address is 00fe.c8e5.1e76, irq 5
3: Ext: GigabitEthernet0/2 : address is 00fe.c8e5.1e7b, irq 10
4: Ext: GigabitEthernet0/3 : address is 00fe.c8e5.1e77, irq 10
5: Ext: GigabitEthernet0/4 : address is 00fe.c8e5.1e7c, irq 5
6: Ext: GigabitEthernet0/5 : address is 00fe.c8e5.1e78, irq 5
7: Ext: GigabitEthernet0/6 : address is 00fe.c8e5.1e7d, irq 10
8: Ext: GigabitEthernet0/7 : address is 00fe.c8e5.1e79, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 00fe.c8e5.1e75, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 10 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number: FCH19497456
Running Permanent Activation Key: 0xe30af474 0x6cd49223 0xa19229c8 0xf72074f0 0x4506ddef
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_15 at 20:43:43.989 UTC Mon Apr 25 2016
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: mode
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
Rebooting.....
<OUTPUT TRUNCATED>
ciscoasa# show run
: Saved
:
: Serial Number: FCH19497456
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
shutdown
!
interface GigabitEthernet0/1
shutdown
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
config-url disk0:/admin.cfg
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 15
subscribe-to-alert-group configuration periodic monthly 15
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2c26c30eeb21bfeedab14fc04378836
: end
ASA-1
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA01
ASA01(config)# mac-address auto
INFO: Converted to mac-address auto prefix 7797
ASA01(config)# interface GigabitEthernet0/0
ASA01(config-if)# description ### WAN TRUNK ###
ASA01(config)# interface GigabitEthernet0/1
ASA01(config-if)# description ### LAN TRUNK ###
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/1.400
ASA01(config-subif)# description ### INSIDE VLAN ###
ASA01(config-subif)# vlan 400
ASA01(config-subif)# interface Management0/0
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/6
ASA01(config-if)# description ### LAN FAILOVER ###
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/7
ASA01(config-if)# description ### STATEFUL FAILOVER ###
ASA01(config-if)# no shutdown
ASA01(config-if)# class ?
configure mode commands/options:
WORD Symbolic name of the class
ASA01(config-if)# class IPSEC-VPN
ASA01(config-class)# ?
Class configuration commands:
limit-resource Configure the resource limits
no Negate a command or set its defaults
ASA01(config-class)# limit-resource ?
class mode commands/options:
rate Enter this keyword to specify a rate/sec
Following resources available:
ASDM ASDM Connections
All All Resources
Conns Connections
Hosts Hosts
Mac-addresses MAC Address table entries
Routes Routing Table Entries
SSH SSH Sessions
Telnet Telnet Sessions
VPN VPN resources
Xlates XLATE Objects
ASA01(config-class)# limit-resource VPN ?
class mode commands/options:
Burst Burst limit over the configured limit. This burst limit is not
guaranteed. The context may take this resource if it is available on
the device at run time.
Other Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
Sessions. These are guaranteed for a context and shouldn't exceed the
system capacity when combined across all contexts.
ikev1 Configure IKEv1 specific resources.
ASA01(config-class)# limit-resource VPN Other ?
class mode commands/options:
WORD Value of resource limit (in <value> or <value>%)
ASA01(config-class)# limit-resource VPN Other 10
ASA01(config-class)# context admin
ASA01(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
scansafe Enable scansafe inspection in this context
ASA01(config-ctx)# member ?
context mode commands/options:
WORD Class name
ASA01(config-ctx)# member IPSEC-VPN
ASA01(config-ctx)# allocate-interface GigabitEthernet0/0
ASA01(config-ctx)# allocate-interface GigabitEthernet0/1.400
ASA01(config-ctx)# allocate-interface Management0/0
ASA01(config)# failover lan unit primary ?
configure mode commands/options:
primary Configure the unit as primary
secondary Configure the unit as secondary
ASA01(config)# failover lan unit primary
ASA01(config)# failover ?
configure mode commands/options:
group Configure/Enable failover group
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
ipsec Configure the use of IPSec tunnel for failover
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
mac-notification Configure failover MAC address movement notification
settings
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
standby Execute command in standby
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
<cr>
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state
ASA01(config)# failover lan ?
configure mode commands/options:
interface Configure the interface and vlan to be used for failover
communication
unit Configure the unit as primary or secondary
ASA01(config)# failover lan interface ?
configure mode commands/options:
WORD Specify the interface name
ASA01(config)# failover lan interface LANFO ?
configure mode commands/options:
WORD Specify physical or sub interface
<cr>
ASA01(config)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ASA01(config)# failover interface ?
configure mode commands/options:
ip Configure the IP address and mask after this keyword
ASA01(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
LANFO Name of interface GigabitEthernet0/6
ASA01(config)# failover interface ip LANFO ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
X:X:X:X::X/<0-128> Specify the IPv6 prefix
ASA01(config)# failover interface ip LANFO 172.27.24.237 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ASA01(config)# failover key ?
configure mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD Failover shared secret
hex Enter 32-character key in hexadecimal format
ASA01(config)# failover key cisco
ASA01(config)# failover link ?
configure mode commands/options:
WORD Specify the interface name
ASA01(config)# failover link STATEFO ?
configure mode commands/options:
WORD Specify physical or sub interface
<cr>
ASA01(config)# failover link STATEFO GigabitEthernet0/7
INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
ASA01(config)# failover interface ip ?
configure mode commands/options:
Current available interface(s):
LANFO Name of interface GigabitEthernet0/6
STATEFO Name of interface GigabitEthernet0/7
ASA01(config)# failover interface ip STATEFO ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
X:X:X:X::X/<0-128> Specify the IPv6 prefix
ASA01(config)# failover interface ip STATEFO 172.27.24.241 ?
configure mode commands/options:
A.B.C.D Specify the mask for the IP address
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?
configure mode commands/options:
standby Configure the standby IP address after this keyword
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?
configure mode commands/options:
Hostname or A.B.C.D Specify the IP address
ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242
ASA01(config)# prompt ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
hostname Display the hostname in the session prompt
management-mode Display management mode
priority Display the priority in the session prompt
state Display the traffic passing state in the session prompt
ASA01(config)# prompt hostname ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
management-mode Display management mode
priority Display the priority in the session prompt
state Display the traffic passing state in the session prompt
<cr>
ASA01(config)# prompt hostname priority ?
configure mode commands/options:
cluster-unit Display the cluster unit name in the session prompt
context Display the context in the session prompt (multimode only)
domain Display the domain in the session prompt
management-mode Display management mode
state Display the traffic passing state in the session prompt
<cr>
ASA01(config)# prompt hostname priority state // TO SHOW WHETHER THE DEVICE IS PRIMARY OR SECONDARY AND ACTIVE OR STANDBY
ASA01/pri/actNoFailover(config)# failover // ACTIVATE FAILOVER
ASA01/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFO GigabitEthernet0/6 (down)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate Unknown
Last Failover at: 20:48:44 UTC Apr 25 2016
This host: Primary - Negotiation
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Other host: Secondary - Not Detected // ASA-2 NOT YET CONFIGURED
Active time: 0 (sec)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (down)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Configure the LAN-based failover (G0/6) and Stateful failover (G0/7) interfaces on ASA-2.
ciscoasa(config)# interface g0/0 // WAN/OUTSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/1 // LAN/INSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/6 // LAN FO INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/7 // STATEFUL FO INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# failover lan unit secondary
ciscoasa(config)# failover pre-shared-key cisco
ciscoasa(config-if)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ciscoasa(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ciscoasa(config)# failover // ONCE THE failover KEYWORD IS TYPED, ASA-2 SYNCS WITH ASA-1
ciscoasa(config)# .
Detected an Active mate
Beginning configuration replication from mate.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
End configuration replication from mate.
ASA01/sec/stby(config)# show failover // HOSTNAME IMMEDIATELY CHANGED TO ASA01
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 20:41:57 UTC Apr 25 2016
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Other host: Primary - Active
Active time: 313 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 5 0 6 0
sys cmd 5 0 5 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 14 170
Xmit Q: 0 1 7
ASA01/sec/stby(config)# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected Disabled No Error
21:56:46 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:56:47 UTC Apr 25 2016
Negotiation Cold Standby Detected an Active mate
21:56:49 UTC Apr 25 2016
Cold Standby Sync Config Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync Config Sync File System Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync File System Bulk Sync Detected an Active mate
21:57:11 UTC Apr 25 2016
Bulk Sync Standby Ready Detected an Active mate
==========================================================================
ASA01/sec/stby(config)# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Standby Ready None
Other host - Primary
Active None
====Configuration State===
Sync Done - STANDBY
====Communication State===
ASA01/sec/stby(config)# show failover statistics
tx:277
rx:232
ASA01/sec/stby(config)# show run // ASA-2 SYNCED ITS CONFIG WITH ASA-1
: Saved
:
: Serial Number: FCH19497456
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ASA01
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto prefix 7797
!
interface GigabitEthernet0/0
description ### WAN TRUNK ###
!
interface GigabitEthernet0/1
description ### LAN TRUNK ###
!
interface GigabitEthernet0/1.400
description ### INSIDE VLAN ###
vlan 400
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
description ### LAN FAILOVER ###
!
interface GigabitEthernet0/7
description ### STATEFUL FAILOVER ###
!
interface Management0/0
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
class IPSEC-VPN
limit-resource VPN Other 10
!
boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface LANFO GigabitEthernet0/6
failover key *****
failover link STATEFO GigabitEthernet0/7
failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0
admin-context admin
context admin
member IPSEC-VPN
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.400
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
prompt hostname priority state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 15
subscribe-to-alert-group configuration periodic monthly 15
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:950c07895d257c4358b90a99c3c8a2d7
: end
ASA01/sec/stby(config)#
ASA-1
ASA01/pri/act# show failover ?
descriptor Show failover interface descriptors. Two numbers are shown for
each interface. When exchanging information regarding a
particular interface, this unit uses the first number in messages
it sends to its peer. And it expects the second number in
messages it receives from its peer. For trouble shooting, collect
the show output from both units and verify that the numbers
match.
exec Show failover command execution information
group Show failover group information
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
ASA01/pri/act# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:48:49 UTC Apr 25 2016
Not Detected Disabled No Error
21:51:01 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:51:46 UTC Apr 25 2016
Negotiation Just Active No Active unit found
21:51:46 UTC Apr 25 2016
Just Active Active Drain No Active unit found
21:51:46 UTC Apr 25 2016
Active Drain Active Applying Config No Active unit found
21:51:46 UTC Apr 25 2016
Active Applying Config Active Config Applied No Active unit found
21:51:46 UTC Apr 25 2016
Active Config Applied Active No Active unit found
==========================================================================
ASA01/pri/act# show failover interface
interface LANFO GigabitEthernet0/6
System IP Address: 172.27.24.237 255.255.255.252
My IP Address : 172.27.24.237
Other IP Address : 172.27.24.238
interface STATEFO GigabitEthernet0/7
System IP Address: 172.27.24.241 255.255.255.252
My IP Address : 172.27.24.241
Other IP Address : 172.27.24.242
ASA01/pri/act# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 21:52:01 UTC Apr 25 2016
====Configuration State===
Sync Done
====Communication State===
To test failover, I disconnected the LAN FO port G0/6 on ASA-1, and the Secondary ASA unit took over as the Active firewall.
ASA01/sec/act#
ASA01/sec/act# Failover LAN became OK
Switchover enabled
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
ASA01/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:29:46 UTC Apr 25 2016
This host: Secondary - Active
Active time: 541 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.4): Normal (Monitored)
admin Interface outside (202.78.4.6): Normal (Monitored)
Other host: Primary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.5): Normal (Monitored)
admin Interface outside (202.78.4.5): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 293 0 303 8
sys cmd 292 0 292 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 10 8
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 4666
Xmit Q: 0 165 689
I issued the no failover active command to give the Active role back to ASA-1.
ASA01/sec/act# no failover ?
active Make this system to be the active unit of the failover pair
ASA01/sec/act# no failover active
ASA01/sec/act#
Switching to Standby
ASA01/sec/stby# show failover // I HAD MY CONSOLE CABLE CONNECTED TO ASA-2
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:50:51 UTC Apr 25 2016
This host: Secondary - Standby Ready
Active time: 1264 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.5): Normal (Waiting)
admin Interface outside (202.78.4.5): Normal (Waiting)
Other host: Primary - Active
Active time: 10 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
admin Interface inside (172.27.24.4): Normal (Waiting)
admin Interface outside (202.78.4.6): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : STATEFO GigabitEthernet0/7 (up)
Stateful Obj xmit xerr rcv rerr
General 391 0 405 12
sys cmd 390 0 390 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 14 12
Router ID 0 0 0 0
User-Identity 1 0 1 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 5523
Xmit Q: 0 165 1522
ASA01/sec/stby# show failover history
==========================================================================
From State To State Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected Disabled No Error
21:56:46 UTC Apr 25 2016
Disabled Negotiation Set by the config command
21:56:47 UTC Apr 25 2016
Negotiation Cold Standby Detected an Active mate
21:56:49 UTC Apr 25 2016
Cold Standby Sync Config Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync Config Sync File System Detected an Active mate
21:56:58 UTC Apr 25 2016
Sync File System Bulk Sync Detected an Active mate
21:57:11 UTC Apr 25 2016
Bulk Sync Standby Ready Detected an Active mate
22:29:46 UTC Apr 25 2016
Standby Ready Just Active HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Just Active Active Drain HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Drain Active Applying Config HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Applying Config Active Config Applied HELLO not heard from mate
22:29:46 UTC Apr 25 2016
Active Config Applied Active HELLO not heard from mate
22:50:51 UTC Apr 25 2016
Active Standby Ready Set by the config command
==========================================================================
ASA01/sec/stby# show failover interface
interface LANFO GigabitEthernet0/6
System IP Address: 172.27.24.237 255.255.255.252
My IP Address : 172.27.24.238
Other IP Address : 172.27.24.237
interface STATEFO GigabitEthernet0/7
System IP Address: 172.27.24.241 255.255.255.252
My IP Address : 172.27.24.242
Other IP Address : 172.27.24.241
ASA01/sec/stby# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Standby Ready None
Other host - Primary
Active Comm Failure 22:29:46 UTC Apr 25 2016
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
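As an added example (not part of the original post and not Cisco's code), here is a small Python checker that parses the kind of show failover output captured above and flags the states seen during this bring-up: a LAN or stateful link that is down, a "Mate Unknown" version, a pair that is not Active/Standby Ready, and context interfaces still in "Normal (Waiting)" right after a switchover. The two sample outputs inside the block are constructed from the captures above and trimmed to the lines the checker reads.

```python
"""Health check for a Cisco ASA Active/Standby pair from 'show failover' text.
Added example for this post (not Cisco's code, not the author's); the samples
are constructed to mirror the post's captures, trimmed to the lines used."""
import re

# Constructed: both units in their final roles after the switchback.
SAMPLE_HEALTHY = """\
Failover On
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Version: Ours 9.4(2)11, Mate 9.4(2)11
This host: Primary - Active
admin Interface inside (172.27.24.4): Normal (Monitored)
admin Interface outside (202.78.4.6): Normal (Monitored)
Other host: Secondary - Standby Ready
admin Interface inside (172.27.24.5): Normal (Monitored)
admin Interface outside (202.78.4.5): Normal (Monitored)
Link : STATEFO GigabitEthernet0/7 (up)
"""

# Constructed: ASA-1 right after 'failover', before ASA-2 was configured.
SAMPLE_NO_MATE = """\
Failover On
Failover LAN Interface: LANFO GigabitEthernet0/6 (down)
Version: Ours 9.4(2)11, Mate Unknown
This host: Primary - Negotiation
Other host: Secondary - Not Detected
Link : STATEFO GigabitEthernet0/7 (down)
"""

PATTERNS = {
    "failover": re.compile(r"Failover (On|Off)"),
    "lan": re.compile(r"Failover LAN Interface: \S+ \S+ \((\w+)\)"),
    "link": re.compile(r"Link : \S+ \S+ \((\w+)\)"),
    "version": re.compile(r"Version: Ours (\S+), Mate (\S+)"),
    "this": re.compile(r"This host: \w+ - (.+)"),
    "other": re.compile(r"Other host: \w+ - (.+)"),
    # groups: context, interface name, status, monitoring state
    "intf": re.compile(r"(\S+) Interface (\S+) \([\d.]+\): (\w+) \((\w+)\)"),
}


def parse_show_failover(text):
    """Reduce 'show failover' output to the fields the health check needs."""
    info = {"interfaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in PATTERNS.items():  # patterns are mutually exclusive
            m = pat.match(line)
            if m and key == "version":
                info["ours"], info["mate"] = m.groups()
            elif m and key == "intf":
                info["interfaces"].append(m.groups())
            elif m:
                info[key] = m.group(1)
    return info


def failover_problems(info):
    """Return (errors, warnings): an error means there is no usable standby."""
    errors, warnings = [], []
    if info.get("failover") != "On":
        errors.append("failover disabled")
    if info.get("lan") != "up":
        errors.append("failover LAN interface not up")
    if info.get("link") != "up":
        errors.append("stateful failover link not up")
    if info.get("mate") != info.get("ours"):  # 'Mate Unknown' also lands here
        errors.append(f"version mismatch: ours={info.get('ours')} mate={info.get('mate')}")
    if {info.get("this"), info.get("other")} != {"Active", "Standby Ready"}:
        errors.append(f"pair not Active/Standby Ready: {info.get('this')} / {info.get('other')}")
    for ctx, name, status, monitor in info["interfaces"]:
        if status != "Normal":
            errors.append(f"{ctx}/{name} is {status}")
        elif monitor == "Waiting":  # transient after a switchover, until hellos flow
            warnings.append(f"{ctx}/{name} still Waiting for interface hellos")
    return errors, warnings
```

Run it against a fresh show failover capture from either unit; anything in the errors list means the pair would not survive a unit failure right now, while the warnings clear on their own once interface hellos are exchanged.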