You need two ASA appliances if you are looking for redundancy. If it's just failover in case the primary ISP goes down, then you just need one appliance - the ASA uses IP SLA just like a Cisco router, where it pings an external host via the primary link and, if it times out, switches the gw to the secondary link. It continues to ping via the primary link and when it gets replies it switches back to the primary link. A license is however required.

 

The attached Linux script with the guide below will also do the trick.

#mkdir  /root/failover

copy the three tarred files into the directory

Change the files' permissions

chmod 750 *

 

Ensure you change the primary and secondary gateway in the file gwfailover

There is nothing else to change

 

Add the commands in the /etc/rc.local file in the order provided. {Order is super important}

route add default gw [primary link gw ip] metric 0
route add default gw [secondary link gw ip] metric 10
route add -net [external host ip] netmask 255.255.255.255 gw [primary link gw ip]
sh /root/failover/kubafu

 

 

The logs will be placed in 

cat /var/log/failover.log

 

Regards,

Tony G.
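
The ping-and-switch behaviour described in the message above, as an added example that is not the attached gwfailover script and not part of the original e-mail. It assumes the routes from the rc.local steps are already installed; the addresses are constructed documentation-range placeholders, and the function names, the three-miss threshold and the dry-run `RUN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the attached gwfailover script.
# Addresses are constructed placeholders (documentation ranges).
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"
PROBE_HOST="${PROBE_HOST:-203.0.113.10}"  # reached via the host route through PRIMARY_GW
FAIL_LIMIT="${FAIL_LIMIT:-3}"             # assumption: consecutive misses before failing over
LOG="${LOG:-/var/log/failover.log}"
RUN="${RUN-echo}"                         # dry run by default; export RUN= (empty) to change routes

# decide STATE FAILS PROBE_RC -> prints "NEWSTATE NEWFAILS"
decide() {
    state=$1; fails=$2; rc=$3
    if [ "$rc" -eq 0 ]; then
        echo "primary 0"                  # reply seen via primary: use or return to it
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$FAIL_LIMIT" ]; then
            echo "secondary $fails"       # enough misses in a row: fail over
        else
            echo "$state $fails"          # a single lost ping does not flap the route
        fi
    fi
}

# Removing the metric 0 default lets the metric 10 default (secondary) take over;
# the host route to PROBE_HOST stays, so probes keep testing the primary link.
switch_to() {
    case "$1" in
        primary)   $RUN route add default gw "$PRIMARY_GW" metric 0 ;;
        secondary) $RUN route del default gw "$PRIMARY_GW" ;;
    esac
}

main() {
    state=primary; fails=0
    while :; do
        rc=0
        ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1 || rc=$?
        set -- $(decide "$state" "$fails" "$rc")
        if [ "$1" != "$state" ]; then
            switch_to "$1"
            echo "$(date '+%F %T') default gw: $state -> $1" >>"$LOG"
        fi
        state=$1; fails=$2
        sleep 5
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Started with the argument `run` it loops forever; with `RUN` left at its default it only prints the route commands it would issue.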

 

From: skunkworks-bounces@lists.my.co.ke [mailto:skunkworks-bounces@lists.my.co.ke] On Behalf Of Alex Kamiru
Sent: Friday, July 16, 2010 8:23 AM
To: Skunkworks Mailing List
Subject: Re: [Skunkworks] Local Cisco Vendors

 

1. Why I'd need failover license for two ASA appliances? Wouldn't those just work independently, or does one ASA have to autosense that its workmate lost the Internet link
   and thus ask it to "failover to me"? :-)
The failover works by having the two units in either active/active or active/standby. In case of active/standby, the standby unit becomes active on sensing the failure of an interface, e.g. via shutdown or unplugging on the active unit; this would therefore not work for a lost Internet link, since this would not necessarily be a physical failure of the interface. Active/Active load balances traffic across the two units but it must be set up with multiple contexts.

2. How do I enable those two features? I have two ISPs (DSL and SDSL). I'd like to terminate both on the ASA and let the device handle cases where one link goes down.

You'd need BGP to have this, a feature not available on ASA.

3. I think requiring a Cisco Router for my situation would be an overkill when I already have ASA. Am I just being an anti-nyita, guys?

You could do it on FreeBSD with Quagga.


Not sure about the Dual ISPs : Disabled. I have not seen it on the ASA I have worked with.

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks forum <skunkworks@lists.my.co.ke>
Subject: [Skunkworks] Local Cisco Vendors
Date: Thu, 15 Jul 2010 18:11:08 +0300

Are there Cisco vendors in KE who will not ask a novice like me funny questions, or is it my amateurish knowledge that makes me feel this way??
I have the following output from one of the Cisco ASA I manage:

<cut>
Licensed features for this platform:
Maximum Physical Interfaces : 8

VLANs                        : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                       : Disabled
VPN-DES                    : Enabled
VPN-3DES-AES           : Enabled
VPN Peers                   : 10
WebVPN Peers            : 2
Dual ISPs                     : Disabled
VLAN Trunk Ports         : 0
This platform has a Base license.
</cut>

So, I have two Internet links which I'd like to terminate into the ASA (5505) and configure fail-over. From the little I've read, I require an enhanced license so that I can have the "Failover" and "Dual ISPs" features enabled, no?

I have contacted a local vendor, who is telling me that
<quote>
Hi Odhiambo,
The failover license is only applicable when you have two ASA appliances and you need High Availability on the appliance not links.
If you have two internet links and you want to load balance, then you might need a Cisco router.
</quote>

Now, can someone tell me:

1. Why I'd need failover license for two ASA appliances? Wouldn't those just work independently, or does one ASA have to autosense that its workmate lost the Internet link
   and thus ask it to "failover to me"? :-)
2. How do I enable those two features? I have two ISPs (DSL and SDSL). I'd like to terminate both on the ASA and let the device handle cases where one link goes down.
3. I think requiring a Cisco Router for my situation would be an overkill when I already have ASA. Am I just being an anti-nyita, guys?



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!."
               -- Lucky Dube

 