Sunday, June 19, 2016

Cisco ASA 9.x Active-Standby Configuration

I had a remote site with two Cisco ASA 5525-X firewalls deployed as an Active-Standby failover pair. I've posted a blog a couple years back regarding this setup in a GNS3 environment but now I'm deploying it in the real world. Before its deployment, I've upgraded both ASA to the latest code 9.4(2)11, applied and configured the 10-security context license (multiple mode).

According to Cisco ASA 5500-X Configuration Guide starting ASA 8.3(1), you don't need to install identical licenses (with some exceptions) on both firewall units. You just buy and only install the license for the Primary/Active firewall unit. The Secondary/Standby unit will inherit the Primary license when it becomes Active.

I also confirmed with Cisco TAC that a 20-Security Context license ASA5500-SC-20 (vs L-ASA-SC-20) will work on a Cisco ASA 5500-X platform.

You can optionally skip the standby IP address under the context configuration and failover (and routing) would still work. For example, if you've got limited public IP address range, you can just configure the 'outside' interface with a single public IP address. The standby keyword is normally used in Active-Active failover where each context monitors its interface and activates failover if it multiple failed interfaces were detected. I explictily configure the standby IP address on the 'inside' interface since we're doing HSRP and allocate a /29 subnet.

ASA01/pri/act(config-if)# ip address 202.78.4.6 255.255.255.128
WARNING: Failover is enabled but standby IP address is not configured for this interface.


ASA-1

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)

Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 hour 45 mins

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 00fe.c8e5.10ac, irq 11
 1: Ext: GigabitEthernet0/0  : address is 00fe.c8e5.10b1, irq 5
 2: Ext: GigabitEthernet0/1  : address is 00fe.c8e5.10ad, irq 5
 3: Ext: GigabitEthernet0/2  : address is 00fe.c8e5.10b2, irq 10
 4: Ext: GigabitEthernet0/3  : address is 00fe.c8e5.10ae, irq 10
 5: Ext: GigabitEthernet0/4  : address is 00fe.c8e5.10b3, irq 5
 6: Ext: GigabitEthernet0/5  : address is 00fe.c8e5.10af, irq 5
 7: Ext: GigabitEthernet0/6  : address is 00fe.c8e5.10b4, irq 10
 8: Ext: GigabitEthernet0/7  : address is 00fe.c8e5.10b0, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 00fe.c8e5.10ac, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1949123
Running Permanent Activation Key: 0xcb10d26a 0xa440851c 0xc9326500 0xdaa01818 0xc325eabc
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)# activation-key d02ad148 f05363e7 5563850c c6d844bc 401fdxxx
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)

Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 hour 50 mins

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 00fe.c8e5.10ac, irq 11
 1: Ext: GigabitEthernet0/0  : address is 00fe.c8e5.10b1, irq 5
 2: Ext: GigabitEthernet0/1  : address is 00fe.c8e5.10ad, irq 5
 3: Ext: GigabitEthernet0/2  : address is 00fe.c8e5.10b2, irq 10
 4: Ext: GigabitEthernet0/3  : address is 00fe.c8e5.10ae, irq 10
 5: Ext: GigabitEthernet0/4  : address is 00fe.c8e5.10b3, irq 5
 6: Ext: GigabitEthernet0/5  : address is 00fe.c8e5.10af, irq 5
 7: Ext: GigabitEthernet0/6  : address is 00fe.c8e5.10b4, irq 10
 8: Ext: GigabitEthernet0/7  : address is 00fe.c8e5.10b0, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 00fe.c8e5.10ac, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH19497123
Running Permanent Activation Key: 0xd02ad148 0xf05363e7 0x5563850c 0xc6d844bc 0x401fdabc
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 20:36:32.329 UTC Mon Apr 25 2016

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later: mod

ciscoasa(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
***   change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished


<OUTPUT TRUNCATED>


ciscoasa# show context
Context Name      Class      Interfaces           Mode         URL
*admin            default                         Routed       disk0:/admin.cfg

Total active Security Contexts: 1

ciscoasa#

ciscoasa# show run
: Saved

:
: Serial Number: FCH19497123
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 shutdown
!
interface GigabitEthernet0/7
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 16384
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 20
  subscribe-to-alert-group configuration periodic monthly 20
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:95676559a4c86494b73ae26e690ba578
: end



ASA-2

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)

Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 4 mins

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 00fe.c8e5.1e75, irq 11
 1: Ext: GigabitEthernet0/0  : address is 00fe.c8e5.1e7a, irq 5
 2: Ext: GigabitEthernet0/1  : address is 00fe.c8e5.1e76, irq 5
 3: Ext: GigabitEthernet0/2  : address is 00fe.c8e5.1e7b, irq 10
 4: Ext: GigabitEthernet0/3  : address is 00fe.c8e5.1e77, irq 10
 5: Ext: GigabitEthernet0/4  : address is 00fe.c8e5.1e7c, irq 5
 6: Ext: GigabitEthernet0/5  : address is 00fe.c8e5.1e78, irq 5
 7: Ext: GigabitEthernet0/6  : address is 00fe.c8e5.1e7d, irq 10
 8: Ext: GigabitEthernet0/7  : address is 00fe.c8e5.1e79, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 00fe.c8e5.1e75, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual 
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH19497456
Running Permanent Activation Key: 0x633bf67e 0xe0b086c6 0xcd4085cc 0xf1247860 0xcd13fdef
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.

ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later:

ciscoasa(config)# activation-key e30af474 6cd49223 a19229c8 f72074f0 4506dyyy
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.4(2)11
Device Manager Version 7.1(3)

Compiled on Mon 22-Feb-16 22:54 PST by builders
System image file is "disk0:/asa942-11-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 5 mins

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is 00fe.c8e5.1e75, irq 11
 1: Ext: GigabitEthernet0/0  : address is 00fe.c8e5.1e7a, irq 5
 2: Ext: GigabitEthernet0/1  : address is 00fe.c8e5.1e76, irq 5
 3: Ext: GigabitEthernet0/2  : address is 00fe.c8e5.1e7b, irq 10
 4: Ext: GigabitEthernet0/3  : address is 00fe.c8e5.1e77, irq 10
 5: Ext: GigabitEthernet0/4  : address is 00fe.c8e5.1e7c, irq 5
 6: Ext: GigabitEthernet0/5  : address is 00fe.c8e5.1e78, irq 5
 7: Ext: GigabitEthernet0/6  : address is 00fe.c8e5.1e7d, irq 10
 8: Ext: GigabitEthernet0/7  : address is 00fe.c8e5.1e79, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 00fe.c8e5.1e75, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual  
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH19497456
Running Permanent Activation Key: 0xe30af474 0x6cd49223 0xa19229c8 0xf72074f0 0x4506ddef
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 20:43:43.989 UTC Mon Apr 25 2016


ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve

the product? [Y]es, [N]o, [A]sk later: mode

ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
***   change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system


***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished
Rebooting.....


<OUTPUT TRUNCATED>


ciscoasa# show run
: Saved

:
: Serial Number: FCH19497456
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 shutdown
!
interface GigabitEthernet0/7
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 16384
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive  
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 15   
  subscribe-to-alert-group configuration periodic monthly 15
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2c26c30eeb21bfeedab14fc04378836
: end


ASA-1

ciscoasa# configure terminal
ciscoasa(config)# hostname ASA01
ASA01(config)# mac-address auto
INFO: Converted to mac-address auto prefix 7797
ASA01(config)# interface GigabitEthernet0/0
ASA01(config-if)#  description ### WAN TRUNK ###
ASA01(config)# interface GigabitEthernet0/1
ASA01(config-if)#  description ### LAN TRUNK ###
ASA01(config-if)#  no shutdown
ASA01(config-if)# interface GigabitEthernet0/1.400
ASA01(config-subif)#  description ### INSIDE VLAN ###
ASA01(config-subif)#  vlan 400
ASA01(config-subif)# interface Management0/0
ASA01(config-if)# no shutdown
ASA01(config-if)# interface GigabitEthernet0/6
ASA01(config-if)#  description ### LAN FAILOVER ###
ASA01(config-if)#  no shutdown
ASA01(config-if)# interface GigabitEthernet0/7
ASA01(config-if)#  description ### STATEFUL FAILOVER ###
ASA01(config-if)#  no shutdown
ASA01(config-if)# class ?

configure mode commands/options:
  WORD  Symbolic name of the class

ASA01(config-if)# class IPSEC-VPN

ASA01(config-class)# ?

Class configuration commands:
  limit-resource  Configure the resource limits
  no              Negate a command or set its defaults

ASA01(config-class)# limit-resource ?

class mode commands/options:
  rate           Enter this keyword to specify a rate/sec
Following resources available:
  ASDM           ASDM Connections
  All            All Resources
  Conns          Connections
  Hosts          Hosts
  Mac-addresses  MAC Address table entries
  Routes         Routing Table Entries
  SSH            SSH Sessions
  Telnet         Telnet Sessions
  VPN            VPN resources
  Xlates         XLATE Objects

ASA01(config-class)# limit-resource VPN ?

class mode commands/options:
  Burst  Burst limit over the configured limit. This burst limit is not
         guaranteed. The context may take this resource if it is available on
         the device at run time.
  Other  Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
         Sessions. These are guaranteed for a context and shouldn't exceed the
         system capacity when combined across all contexts.
  ikev1  Configure IKEv1 specific resources.

ASA01(config-class)# limit-resource VPN Other ?

class mode commands/options:
  WORD  Value of resource limit (in <value> or <value>%)

ASA01(config-class)# limit-resource VPN Other 10
ASA01(config-class)# context admin
ASA01(config-ctx)# ?

Context configuration commands:
  allocate-interface   Allocate interface to context
  allocate-ips         Allocate IPS virtual sensor to context
  config-url           Configure URL for a context configuration
  description          Provide a description of the context
  exit                 Exit from context configuration mode
  help                 Interactive help for context subcommands
  join-failover-group  Join a context to a failover group
  member               Configure class membership for a context
  no                   Negate a command
  scansafe             Enable scansafe inspection in this context

ASA01(config-ctx)# member ?

context mode commands/options:
  WORD  Class name

ASA01(config-ctx)# member IPSEC-VPN
ASA01(config-ctx)#  allocate-interface GigabitEthernet0/0
ASA01(config-ctx)#  allocate-interface GigabitEthernet0/1.400
ASA01(config-ctx)#  allocate-interface Management0/0
ASA01(config)# failover lan unit primary ?

configure mode commands/options:
  primary    Configure the unit as primary
  secondary  Configure the unit as secondary

ASA01(config)# failover lan unit primary
ASA01(config)# failover ?

configure mode commands/options:
  group             Configure/Enable failover group
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  ipsec             Configure the use of IPSec tunnel for failover
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  mac-notification  Configure failover MAC address movement notification
                    settings
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  standby           Execute command in  standby
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force a unit or failover group to an unfailed state

ASA01(config)# failover lan ?

configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover
             communication
  unit       Configure the unit as primary or secondary

ASA01(config)# failover lan interface ?

configure mode commands/options:
  WORD  Specify the interface name

ASA01(config)# failover lan interface LANFO ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>

ASA01(config)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces

ASA01(config)# failover interface ?

configure mode commands/options:
  ip  Configure the IP address and mask after this keyword

ASA01(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LANFO  Name of interface GigabitEthernet0/6

ASA01(config)# failover interface ip LANFO ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix

ASA01(config)# failover interface ip LANFO 172.27.24.237 ?

configure mode commands/options:
  A.B.C.D  Specify the mask for the IP address

ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 ?

configure mode commands/options:
  standby  Configure the standby IP address after this keyword

ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address

ASA01(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ASA01(config)# failover key ?

configure mode commands/options:
  0     Specifies an UNENCRYPTED password will follow
  8     Specifies an ENCRYPTED password will follow
  WORD  Failover shared secret
  hex   Enter 32-character key in hexadecimal format

ASA01(config)# failover key cisco

ASA01(config)# failover link ?

configure mode commands/options:
  WORD  Specify the interface name

ASA01(config)# failover link STATEFO ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>

ASA01(config)# failover link STATEFO GigabitEthernet0/7
INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces

ASA01(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LANFO    Name of interface GigabitEthernet0/6
  STATEFO  Name of interface GigabitEthernet0/7

ASA01(config)# failover interface ip STATEFO ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix

ASA01(config)# failover interface ip STATEFO 172.27.24.241 ?

configure mode commands/options:
  A.B.C.D  Specify the mask for the IP address

ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?

configure mode commands/options:
  standby  Configure the standby IP address after this keyword

ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address

ASA01(config)# failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242

ASA01(config)# prompt ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  hostname         Display the hostname in the session prompt
  management-mode  Display management mode
  priority         Display the priority in the session prompt
  state            Display the traffic passing state in the session prompt

ASA01(config)# prompt hostname ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  management-mode  Display management mode
  priority         Display the priority in the session prompt
  state            Display the traffic passing state in the session prompt
  <cr>

ASA01(config)# prompt hostname priority ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  management-mode  Display management mode
  state            Display the traffic passing state in the session prompt
  <cr>

ASA01(config)# prompt hostname priority state    // TO SHOW DEVICE IF IT'S PRIMAY OR SECONDARY and ACTIVE OR STANDBY

ASA01/pri/actNoFailover(config)# failover   // ACTIVATE FAILOVER

ASA01/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFO GigabitEthernet0/6 (down)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate Unknown
Last Failover at: 20:48:44 UTC Apr 25 2016
    This host: Primary - Negotiation
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
    Other host: Secondary - Not Detected    // ASA-2 NOT YET CONFIGURED
        Active time: 0 (sec)

Stateful Failover Logical Update Statistics
    Link : STATEFO GigabitEthernet0/7 (down)
    Stateful Obj     xmit       xerr       rcv        rerr     
    General        0          0          0          0        
    sys cmd      0          0          0          0        
    up time      0          0          0          0        
    RPC services      0          0          0          0        
    TCP conn     0          0          0          0        
    UDP conn     0          0          0          0        
    ARP tbl      0          0          0          0        
    Xlate_Timeout      0          0          0          0        
    IPv6 ND tbl      0          0          0          0        
    VPN IKEv1 SA     0          0          0          0        
    VPN IKEv1 P2     0          0          0          0        
    VPN IKEv2 SA     0          0          0          0        
    VPN IKEv2 P2     0          0          0          0        
    VPN CTCP upd     0          0          0          0        
    VPN SDI upd     0          0          0          0        
    VPN DHCP upd     0          0          0          0        
    SIP Session     0          0          0          0        
    SIP Tx     0          0          0          0        
    SIP Pinhole     0          0          0          0        
    Route Session     0          0          0          0        
    Router ID     0          0          0          0        
    User-Identity     0          0          0          0        
    CTS SGTNAME     0          0          0          0        
    CTS PAC     0          0          0          0        
    TrustSec-SXP     0          0          0          0        
    IPv6 Route     0          0          0          0        
    STS Table     0          0          0          0        

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     0     0
    Xmit Q:     0     0     0


Configure the LAN-based failover (G0/6) and Stateful failover (G0/7) interfaces on ASA-2.

ciscoasa(config)# interface g0/0       // WAN/OUTSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/1      // LAN/INSIDE INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/6    // LAN FO INTERFACE
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/7   // STATEFUL FO INTERFACE
ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# failover lan  unit secondary
ciscoasa(config)# failover pre-shared-key cisco
ciscoasa(config-if)# failover lan interface LANFO GigabitEthernet0/6
INFO: Non-failover interface config is cleared on GigabitEthernet0/6 and its sub-interfaces
ciscoasa(config)# failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
ciscoasa(config)# failover    // ONCE failover KEYWORD IS TYPED, ASA-2 SYNC WITH ASA-1
ciscoasa(config)# .

    Detected an Active mate
Beginning configuration replication from mate.
Removing context 'admin' (1)... Done

INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)

WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
End configuration replication from mate.


ASA01/sec/stby(config)# show failover    // HOSTNAME IMMEDIATELY CHANGED TO ASA01
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 20:41:57 UTC Apr 25 2016
    This host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
    Other host: Primary - Active
        Active time: 313 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)

Stateful Failover Logical Update Statistics
    Link : STATEFO GigabitEthernet0/7 (up)
    Stateful Obj     xmit       xerr       rcv        rerr     
    General        5          0          6          0        
    sys cmd      5          0          5          0        
    up time      0          0          0          0        
    RPC services      0          0          0          0        
    TCP conn     0          0          0          0        
    UDP conn     0          0          0          0        
    ARP tbl      0          0          0          0        
    Xlate_Timeout      0          0          0          0        
    IPv6 ND tbl      0          0          0          0        
    VPN IKEv1 SA     0          0          0          0        
    VPN IKEv1 P2     0          0          0          0        
    VPN IKEv2 SA     0          0          0          0        
    VPN IKEv2 P2     0          0          0          0        
    VPN CTCP upd     0          0          0          0        
    VPN SDI upd     0          0          0          0        
    VPN DHCP upd     0          0          0          0        
    SIP Session     0          0          0          0        
    SIP Tx     0          0          0          0        
    SIP Pinhole     0          0          0          0        
    Route Session     0          0          0          0        
    Router ID     0          0          0          0        
    User-Identity     0          0          1          0        
    CTS SGTNAME     0          0          0          0        
    CTS PAC     0          0          0          0        
    TrustSec-SXP     0          0          0          0        
    IPv6 Route     0          0          0          0        
    STS Table     0          0          0          0         
    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     14     170
    Xmit Q:     0     1     7


ASA01/sec/stby(config)# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected               Disabled                   No Error

21:56:46 UTC Apr 25 2016
Disabled                   Negotiation                Set by the config command

21:56:47 UTC Apr 25 2016
Negotiation                Cold Standby               Detected an Active mate

21:56:49 UTC Apr 25 2016
Cold Standby               Sync Config                Detected an Active mate

21:56:58 UTC Apr 25 2016
Sync Config                Sync File System           Detected an Active mate

21:56:58 UTC Apr 25 2016
Sync File System           Bulk Sync                  Detected an Active mate

21:57:11 UTC Apr 25 2016
Bulk Sync                  Standby Ready              Detected an Active mate

==========================================================================

ASA01/sec/stby(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
    Sync Done - STANDBY
====Communication State===


ASA01/sec/stby(config)#  show failover statistics
    tx:277
    rx:232

ASA01/sec/stby(config)# show run    // ASA-2 SYNC ITS CONFIG WITH ASA-1
: Saved

:
: Serial Number: FCH19497456
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)11 <system>
!
hostname ASA01
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto prefix 7797
!
interface GigabitEthernet0/0
 description ### WAN TRUNK ###
!
interface GigabitEthernet0/1
 description ### LAN TRUNK ###
!
interface GigabitEthernet0/1.400
 description ### INSIDE VLAN ###
 vlan 400
!
interface GigabitEthernet0/2
 shutdown

interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 description ### LAN FAILOVER ###
!
interface GigabitEthernet0/7
 description ### STATEFUL FAILOVER ###
!
interface Management0/0
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 16384
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
class IPSEC-VPN
  limit-resource VPN Other 10
!

boot system disk0:/asa942-11-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface LANFO GigabitEthernet0/6
failover key *****
failover link STATEFO GigabitEthernet0/7
failover interface ip LANFO 172.27.24.237 255.255.255.252 standby 172.27.24.238
failover interface ip STATEFO 172.27.24.241 255.255.255.252 standby 172.27.24.242
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
ssh stricthostkeycheck
console timeout 0

admin-context admin
context admin
  member IPSEC-VPN      
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.400
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!

prompt hostname priority state
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 15
  subscribe-to-alert-group configuration periodic monthly 15
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:950c07895d257c4358b90a99c3c8a2d7
: end

ASA01/sec/stby(config)#


ASA-1

ASA01/pri/act# show failover ?

  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  group       Show failover group information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
  <cr>

ASA01/pri/act# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
20:48:49 UTC Apr 25 2016
Not Detected               Disabled                   No Error

21:51:01 UTC Apr 25 2016
Disabled                   Negotiation                Set by the config command

21:51:46 UTC Apr 25 2016
Negotiation                Just Active                No Active unit found

21:51:46 UTC Apr 25 2016
Just Active                Active Drain               No Active unit found

21:51:46 UTC Apr 25 2016
Active Drain               Active Applying Config     No Active unit found

21:51:46 UTC Apr 25 2016
Active Applying Config     Active Config Applied      No Active unit found

21:51:46 UTC Apr 25 2016
Active Config Applied      Active                     No Active unit found

==========================================================================

ASA01/pri/act# show failover interface
    interface LANFO GigabitEthernet0/6
        System IP Address: 172.27.24.237 255.255.255.252
        My IP Address    : 172.27.24.237
        Other IP Address : 172.27.24.238
    interface STATEFO GigabitEthernet0/7
        System IP Address: 172.27.24.241 255.255.255.252
        My IP Address    : 172.27.24.241
        Other IP Address : 172.27.24.242

ASA01/pri/act# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             21:52:01 UTC Apr 25 2016

====Configuration State===
    Sync Done
====Communication State===


To test failover, I've disconnected the LAN FO port G0/6 on ASA-1 and the Secondary ASA unit took over as the Active firewall.


ASA01/sec/act#

ASA01/sec/act# Failover LAN became OK
Switchover enabled
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
 
ASA01/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:29:46 UTC Apr 25 2016
    This host: Secondary - Active
        Active time: 541 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
          admin Interface inside (172.27.24.4): Normal (Monitored)
          admin Interface outside (202.78.4.6): Normal (Monitored)
    Other host: Primary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
          admin Interface inside (172.27.24.5): Normal (Monitored)
          admin Interface outside (202.78.4.5): Normal (Monitored)

Stateful Failover Logical Update Statistics
    Link : STATEFO GigabitEthernet0/7 (up)
    Stateful Obj     xmit       xerr       rcv        rerr     
    General        293        0          303        8             sys cmd      292        0          292        0        
    up time      0          0          0          0        
    RPC services      0          0          0          0        
    TCP conn     0          0          0          0        
    UDP conn     0          0          0          0        
    ARP tbl      0          0          0          0        
    Xlate_Timeout      0          0          0          0        
    IPv6 ND tbl      0          0          0          0        
    VPN IKEv1 SA     0          0          0          0        
    VPN IKEv1 P2     0          0          0          0        
    VPN IKEv2 SA     0          0          0          0        
    VPN IKEv2 P2     0          0          0          0        
    VPN CTCP upd     0          0          0          0        
    VPN SDI upd     0          0          0          0        
    VPN DHCP upd     0          0          0          0        
    SIP Session     0          0          0          0        
    SIP Tx     0          0          0          0        
    SIP Pinhole     0          0          0          0        
    Route Session     0          0          10         8        
    Router ID     0          0          0          0        
    User-Identity     1          0          1          0        
    CTS SGTNAME     0          0          0          0        
    CTS PAC     0          0          0          0        
    TrustSec-SXP     0          0          0          0        
    IPv6 Route     0          0          0          0        
    STS Table     0          0          0          0        

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     17     4666
    Xmit Q:     0     165     689


I've issued the no failover active command to give back ASA-1 the Active role again.


ASA01/sec/act#  no failover ?

  active  Make this system to be the active unit of the failover pair

ASA01/sec/act#  no failover active

ASA01/sec/act#
    Switching to Standby


ASA01/sec/stby# show failover      // I HAD MY CONSOLE CABLE TO ASA-2
Failover On
Failover unit Secondary
Failover LAN Interface: LANFO GigabitEthernet0/6 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 216 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(2)11, Mate 9.4(2)11
Last Failover at: 22:50:51 UTC Apr 25 2016
    This host: Secondary - Standby Ready
        Active time: 1264 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
          admin Interface inside (172.27.24.5): Normal (Waiting)
          admin Interface outside (202.78.4.5): Normal (Waiting)
    Other host: Primary - Active
        Active time: 10 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.4(2)11) status (Up Sys)
          admin Interface inside (172.27.24.4): Normal (Waiting)
          admin Interface outside (202.78.4.6): Normal (Waiting)

Stateful Failover Logical Update Statistics
    Link : STATEFO GigabitEthernet0/7 (up)
    Stateful Obj     xmit       xerr       rcv        rerr     
    General        391        0          405        12            sys cmd      390        0          390        0        
    up time      0          0          0          0        
    RPC services      0          0          0          0        
    TCP conn     0          0          0          0        
    UDP conn     0          0          0          0        
    ARP tbl      0          0          0          0        
    Xlate_Timeout      0          0          0          0        
    IPv6 ND tbl      0          0          0          0        
    VPN IKEv1 SA     0          0          0          0        
    VPN IKEv1 P2     0          0          0          0        
    VPN IKEv2 SA     0          0          0          0        
    VPN IKEv2 P2     0          0          0          0        
    VPN CTCP upd     0          0          0          0        
    VPN SDI upd     0          0          0          0        
    VPN DHCP upd     0          0          0          0        
    SIP Session     0          0          0          0        
    SIP Tx     0          0          0          0        
    SIP Pinhole     0          0          0          0        
    Route Session     0          0          14         12       
    Router ID     0          0          0          0        
    User-Identity     1          0          1          0        
    CTS SGTNAME     0          0          0          0        
    CTS PAC     0          0          0          0        
    TrustSec-SXP     0          0          0          0        
    IPv6 Route     0          0          0          0        
    STS Table     0          0          0          0        

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     17     5523
    Xmit Q:     0     165     1522

ASA01/sec/stby# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
20:42:02 UTC Apr 25 2016
Not Detected               Disabled                   No Error

21:56:46 UTC Apr 25 2016
Disabled                   Negotiation                Set by the config command

21:56:47 UTC Apr 25 2016
Negotiation                Cold Standby               Detected an Active mate

21:56:49 UTC Apr 25 2016
Cold Standby               Sync Config                Detected an Active mate

21:56:58 UTC Apr 25 2016
Sync Config                Sync File System           Detected an Active mate

21:56:58 UTC Apr 25 2016
Sync File System           Bulk Sync                  Detected an Active mate

21:57:11 UTC Apr 25 2016
Bulk Sync                  Standby Ready              Detected an Active mate

22:29:46 UTC Apr 25 2016
              Standby Ready              Just Active                HELLO not heard from mate

22:29:46 UTC Apr 25 2016
Just Active                Active Drain               HELLO not heard from mate

22:29:46 UTC Apr 25 2016
Active Drain               Active Applying Config     HELLO not heard from mate

22:29:46 UTC Apr 25 2016
Active Applying Config     Active Config Applied      HELLO not heard from mate

22:29:46 UTC Apr 25 2016
Active Config Applied      Active                     HELLO not heard from mate

22:50:51 UTC Apr 25 2016
Active                     Standby Ready              Set by the config command

==========================================================================

ASA01/sec/stby# show failover interface
    interface LANFO GigabitEthernet0/6
        System IP Address: 172.27.24.237 255.255.255.252
        My IP Address    : 172.27.24.238
        Other IP Address : 172.27.24.237
    interface STATEFO GigabitEthernet0/7
        System IP Address: 172.27.24.241 255.255.255.252
        My IP Address    : 172.27.24.242
        Other IP Address : 172.27.24.241

ASA01/sec/stby# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         Comm Failure             22:29:46 UTC Apr 25 2016

====Configuration State===
    Sync Done
    Sync Done - STANDBY
====Communication State===
    Mac set

No comments:

Post a Comment