Recently took delivery of 2 x Cisco 5515 ASAs for one of my clients.

Simple configuration guide for setting these up in an Active/Passive design.
Brief Overview:
Port 0 = LAN
Port 1-3 = Not used
Port 4 = Failover link
Port 5 = WAN
Assumptions:
Hardware on both ASA firewalls is identical.
The same software version is installed on both firewalls.
PRIMARY firewall is set up (not massively important as I did this project from scratch).
IP Addresses:
LAN
Main – 10.20.0.254
Standby – 10.20.0.250
WAN
Main – 77.22.22.6
Standby – 77.22.22.5
Failover cable directly connected on G0/4 on both ASAs.
The LAN cable goes into our core switches and the WAN link is a dual link supplied by our supplier at the Datacentre.
Take a backup of the Main firewall running config if you do not already have one (copy run flash).
Primary Firewall
CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut
CiscoASA(config-if)# interface g0/5
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Outside
CiscoASA(config-if)# security-level 0
CiscoASA(config-if)# ip address 77.22.22.6 255.255.255.0 standby 77.22.22.5
CiscoASA(config-if)# interface g0/0
CiscoASA(config-if)# speed 100
CiscoASA(config-if)# duplex full
CiscoASA(config-if)# nameif Inside
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# ip address 10.20.0.254 255.255.255.0 standby 10.20.0.250
CONFIGURE THE FAILOVER LINK (the failover key must be identical on both units)
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252
CiscoASA(config)# failover key 222333444
SETS FIREWALL AS PRIMARY
CiscoASA(config)# failover lan unit primary
TURN ON FAILOVER
CiscoASA(config)# failover
ENABLE STATEFUL FAILOVER (the state link shares G0/4, so it must use the same name as the failover link)
CiscoASA(config)# failover link LANFAIL GigabitEthernet0/4
SAVE CONFIG
CiscoASA(config)# wr
Secondary Firewall
Ensure the cabling is correct on both the primary and secondary firewall.
CiscoASA(config)# clear configure interface G0/4
CiscoASA(config)# int g0/4
CiscoASA(config-if)# no shut
CONFIGURE THE FAILOVER LINK (must match the primary exactly)
CiscoASA(config)# failover lan interface LANFAIL GigabitEthernet0/4
CiscoASA(config)# failover interface ip LANFAIL 192.168.6.250 255.255.255.0 standby 192.168.6.252
CiscoASA(config)# failover key 222333444
SETS FIREWALL AS SECONDARY
CiscoASA(config)# failover lan unit secondary
TURN ON FAILOVER
CiscoASA(config)# failover
You should see this on the console:
Detected an Active mate
Beginning configuration replication from mate.
CiscoASA# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014
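A quick health check of the show failover output, added here as an example that is not part of the original guide: it parses the fields shown above and reports anything that would make the pair unsafe to rely on (failover off, wrong unit role, failover link not up, software version differing from the mate, fewer monitored interfaces than expected). The sample output is constructed from the listing above, and the parse_failover/check_failover function names are assumptions for this example.

```python
import re
# Constructed sample for this example: the "show failover" output from the guide above.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/4 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 05:54:13 GMT Sep 2 2014
"""

def parse_failover(text):
    """Extract the fields that decide whether the pair is healthy."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.groups() if m else None
    on = grab(r"^Failover (On|Off)$")
    unit = grab(r"^Failover unit (\w+)$")
    lan = grab(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")
    ver = grab(r"^Version: Ours (\S+), Mate (\S+)$")
    mon = grab(r"^Monitored Interfaces (\d+) of")
    return {
        "enabled": on is not None and on[0] == "On",
        "unit": unit[0] if unit else None,
        "lan_if": lan,                       # (name, physical interface, state)
        "ours": ver[0] if ver else None,
        "mate": ver[1] if ver else None,     # "Unknown" when no mate has been seen
        "monitored": int(mon[0]) if mon else 0,
    }

def check_failover(text, expected_unit, lan_ifname, min_monitored=2):
    """Return a list of problems; an empty list means the pair looks healthy."""
    f = parse_failover(text)
    problems = []
    if not f["enabled"]:
        problems.append("failover is not enabled")
    if f["unit"] != expected_unit:
        problems.append(f"unit role is {f['unit']}, expected {expected_unit}")
    if f["lan_if"] is None or f["lan_if"][0] != lan_ifname or f["lan_if"][2] != "up":
        problems.append("failover LAN interface missing, misnamed or not up")
    if f["ours"] is None or f["ours"] != f["mate"]:
        problems.append(f"software version mismatch: ours {f['ours']}, mate {f['mate']}")
    if f["monitored"] < min_monitored:
        problems.append(f"only {f['monitored']} interfaces monitored (Inside and Outside expected)")
    return problems
```

Run it against the output of both units; the secondary should pass with expected_unit set to "Secondary".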
FINE TUNE
The failover timers can be tuned, as the defaults are a bit too conservative, so here is my recommendation (unit poll 1 second with a 3 second holdtime, interface poll every 3 seconds, matching the show failover output above):
CiscoASA(config)# failover polltime 1 holdtime 3
CiscoASA(config)# failover polltime interface 3