When both firewalls are configured, connect them to each other using the Failover Link and to the network itself. If possible, simply issue the “reload” command on both firewalls and connect all necessary cables while the firewalls are rebooting.
After the firewalls have started up and found each other, they will begin synchronizing configuration from the Primary firewall to the Secondary firewall. After this process is complete, there are some optional steps to implement to improve the cluster setup.
Enable Smarter Command Prompt
After High Availability is configured, you will always connect to the currently Active firewall when using SSH or ASDM to connect to the firewall’s management IP address. This makes it hard to see if you are connected to the Primary or Secondary firewall since you might not know which one is the current Active firewall, especially in case there’s been an incident that might have caused a Failover between the firewalls.
To combat this issue, you can issue a command to tell the ASA to change the CLI prompt depending on which firewall is currently the Active firewall, and if that firewall was the designated Primary firewall or Secondary firewall in the first place.
prompt hostname priority state
For example, this command makes the hostname prompt look something like this when the Primary unit is the Active unit.
myASA/pri/act(config)#
If your firewall has multiple Contexts (that is, multiple virtual firewalls running on the same hardware), use the following command instead to include the current Context in the hostname as well:
prompt hostname context priority state
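Once the prompt carries this information, a login or monitoring script can read it to tell which unit answered on the management IP address and whether the pair has switched roles. The following is an added example, not part of the original article: the function name and the sample prompts other than myASA/pri/act(config)# are constructed, and the abbreviations "sec" and "stby" for the Secondary and Standby unit are assumed to follow the same pattern as "pri" and "act".

```python
import re

# Layout produced by "prompt hostname [context] priority state":
#   hostname[/context]/<pri|sec>/<act|stby>[(mode)] followed by # or >
PROMPT_RE = re.compile(
    r"^(?P<hostname>[^/\s()]+)"
    r"(?:/(?P<context>[^/\s()]+))?"
    r"/(?P<priority>pri|sec)"
    r"/(?P<state>act|stby)"
    r"(?:\((?P<mode>[^)]*)\))?"
    r"[#>]\s*$"
)


def parse_prompt(prompt):
    """Return the fields of an ASA failover prompt, or None if the prompt
    does not carry priority/state in a recognized form (treat None as
    "check manually with show failover")."""
    m = PROMPT_RE.match(prompt.strip())
    if m is None:
        return None
    info = m.groupdict()
    info["role"] = {"pri": "Primary", "sec": "Secondary"}[info["priority"]]
    info["active"] = info["state"] == "act"
    # Designated layout is Primary/Active and Secondary/Standby. Any other
    # combination means a failover has happened since the pair was set up.
    info["failed_over"] = (info["priority"] == "pri") != info["active"]
    return info


if __name__ == "__main__":
    # Constructed sample prompts (only the first one appears in the article).
    samples = [
        "myASA/pri/act(config)#",
        "myASA/sec/act#",
        "myASA/admin/sec/stby>",
        "myASA#",
    ]
    for line in samples:
        info = parse_prompt(line)
        if info is None:
            print(f"{line!r}: no failover fields in prompt")
        else:
            status = "roles switched" if info["failed_over"] else "designated roles"
            print(f"{line!r}: {info['role']}, active={info['active']}, {status}")
```
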
Assign IP addresses to the Standby Firewall
If possible, assign IP addresses to all of the Standby firewall’s interfaces to enable proper monitoring of those interfaces between the two firewalls. While some deployments may lack access to multiple public IP addresses to enable monitoring of public-facing interfaces, you should at the very least be able to configure the Standby firewall’s IP address on all internal interfaces.
I think Interface Monitoring, and which interfaces should be designated as “important”, is easier to configure in ASDM than in the CLI. In ASDM, navigate to Configuration > Device Management > High Availability and Scalability > Failover > Criteria > Interface Policy to configure this.
Enable Logging on the Standby Firewall
Run this command on the Primary firewall to enable the Standby firewall to also send Syslog messages to the configured Syslog server. The complete Syslog configuration is not covered here, only the command that enables this feature.
logging standby
Verification
Use the command “show failover” to see which ASA is currently the Active firewall and which role it was assigned (Primary or Secondary).
Use the command “show failover history” to see a log detailing failover events that have caused the firewalls to switch roles.