
You need two ASA appliances if you are looking for redundancy. If it's just failover in case the primary ISP goes down then you just need one appliance - the ASA uses IP SLA just like a Cisco router, where it pings an external host via the primary link and, if it times out, switches the gw to the secondary link. It continues pinging via the primary link and when it gets replies it switches back to the primary link. A license is however required.

The attached Linux script with the guide below will also do the trick.

    # mkdir /root/failover

Copy the three tarred files into the directory.

Change the files' permissions:

    chmod 750 *

Ensure you change the primary and secondary gateway in the file gwfailover. There is nothing else to change.

Add the commands to the /etc/rc.local file in the order provided. {Order is super important}

    route add default gw [primary link gw ip] metric 0
    route add default gw [secondary link gw ip] metric 10
    route add -net [external host ip] netmask 255.255.255.255 gw [primary link gw ip]
    sh /root/failover/kubafu

The logs will be placed in:

    cat /var/log/failover.log

Regards,
Tony G.

From: skunkworks-bounces@lists.my.co.ke [mailto:skunkworks-bounces@lists.my.co.ke] On Behalf Of Alex Kamiru
Sent: Friday, July 16, 2010 8:23 AM
To: Skunkworks Mailing List
Subject: Re: [Skunkworks] Local Cisco Vendors

1. Why I'd need failover license for two ASA appliances? Wouldn't those just work independently, or does one ASA have to autosense that its workmate lost the Internet link and thus ask it to "failover to me"? :-)

The failover works by having the two units in either active/active or active/standby. In case of active/standby the standby unit becomes active on sensing the failure of an interface, e.g. via shutdown or unplugging on the active unit. This would therefore not work for a lost Internet link since this would not necessarily be a physical failure of the interface. Active/Active load balances traffic across the two units but it must be set up with multiple contexts.

2. How do I enable those two features? I have two ISPs (DSL and SDSL). I'd like to terminate both on the ASA and let the device handle cases where one link goes down.

You'd need BGP to have this, a feature not available on ASA.

3. I think requiring a Cisco Router for my situation would be an overkill when I already have ASA. Am I just being an anti-nyita, guys?

You could do it on FreeBSD with Quagga. Not sure about the Dual ISPs : Disabled. I have not seen it on the ASA I have worked with.

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks forum <skunkworks@lists.my.co.ke>
Subject: [Skunkworks] Local Cisco Vendors
Date: Thu, 15 Jul 2010 18:11:08 +0300

Are there Cisco vendors in KE who will not ask a novice like me funny questions, or is it my amateurish knowledge that makes me feel this way??

I have the following output from one of the Cisco ASA I manage:

<cut>
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.
</cut>

So, I have two Internet links which I'd like to terminate into the ASA (5505) and configure fail-over. From the little I've read, I require an enhanced license so that I can have the "Failover" and "Dual ISPs" features enabled, no?

I have contacted a local vendor, who is telling me that

<quote>
Hi Odhiambo,

The failover license is only applicable when you have two ASA appliances and you need High Availability on the appliance, not links. If you have two internet links and you want to load balance, then you might need a Cisco router.
</quote>

Now, can someone tell me:

1. Why I'd need failover license for two ASA appliances? Wouldn't those just work independently, or does one ASA have to autosense that its workmate lost the Internet link and thus ask it to "failover to me"? :-)

2. How do I enable those two features? I have two ISPs (DSL and SDSL). I'd like to terminate both on the ASA and let the device handle cases where one link goes down.

3. I think requiring a Cisco Router for my situation would be an overkill when I already have ASA. Am I just being an anti-nyita, guys?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube
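
Added example, not part of the thread and not the gwfailover/kubafu scripts attached to Tony's mail: a shell version of the probe-and-switch behaviour his reply describes, built on the two default routes and the host route from his rc.local steps. The documentation-range addresses, the function names and the three-in-a-row thresholds (which go slightly beyond the mail, so that one lost ping does not flip the gateway) are assumptions.

```shell
#!/bin/sh
# Added example (not the gwfailover/kubafu scripts from the original mail).
# Gateway and probe addresses are constructed documentation values.
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"
PROBE_HOST="${PROBE_HOST:-203.0.113.10}"
FAIL_LIMIT=3   # consecutive lost probes before leaving the primary link
OK_LIMIT=3     # consecutive replies before returning to it
LOG="${LOG:-/var/log/failover.log}"
ACTIVE=primary
FAILS=0
OKS=0

# The host route to PROBE_HOST via the primary gateway (from rc.local) keeps
# this ping on the primary link even while the default route points elsewhere.
probe() { ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1; }

# Removing the metric 0 default route leaves the metric 10 (secondary) route
# as the best default; re-adding it makes the primary preferred again.
use_secondary() { route del default gw "$PRIMARY_GW"; }
use_primary()   { route add default gw "$PRIMARY_GW" metric 0; }

# step RESULT: feed one probe result (0 = reply, non-zero = timeout) into the
# state machine. Routes change only after a run of identical results.
step() {
    if [ "$1" -eq 0 ]; then
        FAILS=0
        OKS=$((OKS + 1))
        if [ "$ACTIVE" = secondary ] && [ "$OKS" -ge "$OK_LIMIT" ]; then
            use_primary && ACTIVE=primary
            echo "$(date) primary link restored" >>"$LOG"
        fi
    else
        OKS=0
        FAILS=$((FAILS + 1))
        if [ "$ACTIVE" = primary ] && [ "$FAILS" -ge "$FAIL_LIMIT" ]; then
            use_secondary && ACTIVE=secondary
            echo "$(date) primary link down, using secondary" >>"$LOG"
        fi
    fi
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${RUN_FAILOVER:-0}" = 1 ]; then
    while :; do
        probe; step $?
        sleep 5
    done
fi
```

Run it as root with RUN_FAILOVER=1 after the three route commands from the guide have been applied; without that variable the file only defines the functions.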