
This is a post in a series of “stream-of-study” content where I post loosely-structured notes taken while labbing various scenarios and technologies.
!------------------------------------------!
! Basic Active-Active ASA HA Pair Config !
!------------------------------------------!
!
!we can combine the concept of Active/Standby hardware HA with multiple contexts to create, effectively, multiple logical HA pairs where some contexts are active on the primary ASA and some are active on the secondary. I will expand on more config and shared-interface considerations in another post.
!
!good community post - https://community.cisco.com/t5/network-security/asa-multi-context-shared-interface-packet-classifier/td-p/1559639
!
!----------
! ASA1
!----------
!
!enable all the interfaces needed
!
int eth0
no shut
int eth1
no shut
int eth2
no shut
int eth3
no shut
int eth4
no shut
int eth5
no shut
!
!set the config prompt
!
prompt hostname priority state context
!
!configure contexts
!
context admin
allocate-interface eth5 MGMT
config-url flash:admin.cfg
!
context ConA
allocate-interface eth0
allocate-interface eth2
config-url flash:ConA.cfg
!
context ConB
allocate-interface eth1
allocate-interface eth4
config-url flash:ConB.cfg
!
!create failover groups - primary or secondary specifies which failover lan unit should take the active role for the contexts in that group
!preempt says the secondary should take over active for the context if the primary is dead
!interface-policy 1 says 1 interface down is enough to warrant failover
!
failover group 1
primary
interface-policy 1
preempt
!
failover group 2
secondary
interface-policy 1
preempt
!
!add the groups to the contexts
!
context ConA
join-failover-group 1
!
context ConB
join-failover-group 2
!
!finally configure and enable failover - failover cannot be enabled earlier, since failover must be disabled/unconfigured in order to create and assign the failover groups
!
failover lan unit primary
failover lan interface FAILOVER eth3
failover interface ip FAILOVER 198.18.100.1 255.255.255.252 standby 198.18.100.2
failover link FAILOVER eth3
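!shared key that authenticates and encrypts failover traffic between the two units (lab value shown) - must match on both
failover key password12345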
failover
!
!----------
! ASA2
!----------
!
!enable interfaces and failover on the peer
!
int eth0
no shut
int eth1
no shut
int eth2
no shut
int eth3
no shut
int eth4
no shut
int eth5
no shut
!
failover lan unit secondary
failover lan interface FAILOVER eth3
failover interface ip FAILOVER 198.18.100.1 255.255.255.252 standby 198.18.100.2
failover link FAILOVER eth3
failover key password12345
failover
!
!-------------------
! Verifications
!-------------------
!
show context
show failover
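
An offline pre-check for the ordering and group-assignment rules in these notes, as an added example that is not part of the original notes or any Cisco tooling: it lints pasted system-space config text before it goes onto the ASA. The `lint` function, its finding messages and the 16-character key threshold are assumptions made for illustration.

```python
import re
# Constructed sample: ASA1 system-space lines from the notes (interface/preempt lines omitted).
SAMPLE = """\
context admin
context ConA
context ConB
failover group 1
primary
failover group 2
secondary
context ConA
join-failover-group 1
context ConB
join-failover-group 2
failover key password12345
failover
"""

def lint(config, min_key_len=16):  # min_key_len is an arbitrary example threshold
    """Return a list of findings for an active/active failover config."""
    out, groups, joined, contexts = [], {}, {}, {}
    section, enabled = None, False  # current config sub-mode; bare 'failover' seen yet?
    for n, line in enumerate((l.strip() for l in config.splitlines()), 1):
        if m := re.fullmatch(r"context (\S+)", line):
            section = ("context", m[1])
            contexts.setdefault(m[1], None)
        elif m := re.fullmatch(r"failover group (\d+)", line):
            section = ("group", m[1])
            groups.setdefault(m[1], None)
            if enabled:  # the notes: groups must exist before failover is enabled
                out.append(f"line {n}: failover group {m[1]} defined after failover was enabled")
        elif line in ("primary", "secondary") and section and section[0] == "group":
            groups[section[1]] = line  # preferred unit for this group
        elif (m := re.fullmatch(r"join-failover-group (\d+)", line)) and section and section[0] == "context":
            joined[section[1]] = m[1]
            if enabled:
                out.append(f"line {n}: context {section[1]} joined a group after failover was enabled")
        elif m := re.fullmatch(r"failover key (\S+)", line):
            if len(m[1]) < min_key_len:
                out.append(f"line {n}: failover key shorter than {min_key_len} characters")
        elif line == "failover":
            enabled = True
    for ctx in contexts:  # every user context should sit in a group with a stated preference
        if ctx != "admin" and groups.get(joined.get(ctx)) is None:
            out.append(f"context {ctx}: no failover group with an explicit primary/secondary preference")
    if not {"primary", "secondary"} <= {groups.get(g) for g in joined.values()}:
        out.append("contexts do not split across primary and secondary: not active/active")
    return out
```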

