Cisco ASA Active/Active Failover Configuration

The Cisco ASA failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs. In an Active/Active configuration both units carry traffic. To create Active/Active failover, both ASA devices must be configured in multiple context mode.

For an ASA redundancy scenario the two devices must be the same model, must have the same number and type of interfaces, and must carry the same license. The ASA 5505 and 5510 do not support Active/Active failover without a license upgrade.

For an Active/Active configuration, failover contexts and failover groups need to be created. A failover group is assigned to the primary or secondary physical ASA unit, and each context is then joined to a failover group. For example, the primary unit is the active ASA for failover group 1 while the secondary unit is the standby ASA for failover group 1. If the primary ASA fails, the secondary ASA becomes active for failover group 1.

To explain the Active/Active failover configuration in detail, let's work through the following lab.

HTTP://WWW.ROUTER-SWITCH.COM/
(Lab topology diagram: image not reproduced in this text.)

Configuration

! Switch both ASA devices to multiple context mode.
asa(config)# mode multiple

When the ASAs have reloaded, connect them to each other through the Ge0/2 and Ge0/3 ports. Start with the primary unit configuration. Before starting, all interfaces must be in the up state.

! Enable LAN-based failover.
asa(config)# failover lan enable
! Set this unit as primary.
asa(config)# failover lan unit primary
Determine the failover and state interfaces. These two can be the same physical interface if you do not want to consume an extra port; in this example two separate physical interfaces are used. Here "failover" (the interface name for GigabitEthernet0/2) is used as the failover interface.

! Define the failover interface.
asa(config)# failover lan interface failover Ge0/2
! Assign IP addresses to the failover interface. The standby address MUST be in the same subnet as the active address, and the same command is entered on the other unit.
asa(config)# failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2

"state" (the interface name for GigabitEthernet0/3) is used as the stateful failover interface.

! Define the stateful failover interface.
asa(config)# failover link state Ge0/3
! Assign IP addresses to the stateful failover interface.
asa(config)# failover interface ip state 192.168.4.1 255.255.255.0 standby 192.168.4.2

Create the failover groups. Failover group 1 is primary, i.e. active on the primary unit, and failover group 2 is secondary, i.e. standby on the primary unit. HTTP replication is also configured so that HTTP connection state is replicated between the active and standby ASAs. The preempt delay is the number of seconds the group waits, after its preferred unit recovers from a failure, before it takes the active role back.

asa(config)# failover group 1
asa(config-fover-group)# primary
asa(config-fover-group)# preempt 120
asa(config-fover-group)# replication http
asa(config)# failover group 2
asa(config-fover-group)# secondary
asa(config-fover-group)# preempt 120
asa(config-fover-group)# replication http

Now let's create the contexts and assign interfaces to each context.

! Configure the admin context.
asa(config)# admin-context admin
asa(config)# context admin
asa(config-ctx)# allocate-interface Management0/0
asa(config-ctx)# config-url disk0:/admin.cfg

! Configure the subinterfaces (in the system execution space).
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.11
 vlan 11
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/1.21
 vlan 21

! Configure the contexts.
asa(config)# context c1
asa(config-ctx)# allocate-interface gigabitethernet0/0.10
asa(config-ctx)# allocate-interface gigabitethernet0/1.20
asa(config-ctx)# config-url disk0:/c1.cfg
asa(config)# context c2
asa(config-ctx)# allocate-interface gigabitethernet0/0.11
asa(config-ctx)# allocate-interface gigabitethernet0/1.21
asa(config-ctx)# config-url disk0:/c2.cfg

! Join each context to a failover group. A context that is not explicitly joined to a group belongs to group 1 by default.
asa(config)# context c1
asa(config-ctx)# join-failover-group 1
asa(config)# context c2
asa(config-ctx)# join-failover-group 2

! Configure IP addresses in context c1.
asa# changeto context c1
asa/c1# show running-config interface
!
interface GigabitEthernet0/0.10
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1.20
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!

! Configure IP addresses in context c2.
asa# changeto context c2
asa/c2# show running-config interface
!
interface GigabitEthernet0/0.11
 nameif outside
 security-level 0
 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!
interface GigabitEthernet0/1.21
 nameif inside
 security-level 100
 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2
!

! Return to the system execution space and enable failover on the primary unit.
asa/c2# changeto system
asa(config)# failover

Now let's configure the secondary unit.

! Define the failover interface.
asa(config)# failover lan interface failover Ge0/2
! Assign IP addresses to the failover interface. Enter exactly the same command as on the primary unit; the standby address MUST be in the same subnet.
asa(config)# failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
! Enable LAN-based failover.
asa(config)# failover lan enable
! Set this unit as secondary.
asa(config)# failover lan unit secondary
! Enable failover.
asa(config)# failover

With the configuration commands above everything is complete, so let's start verifying.

Verification:

! Verify the primary unit.
asa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010
Group 2 last failover at: 10:13:04 tbilisi Oct 24 2010

This host: Primary
Group 1 State: Active
Active time: 14536379 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.1): Normal
c1 Interface inside (192.168.20.1): Normal
c2 Interface outside (192.168.11.1): Normal
c2 Interface inside (192.168.21.1): Normal
slot 1: empty

Other host: Secondary
Group 1 State: Standby Ready
Active time: 1104 (sec)
Group 2 State: Active
Active time: 14537266 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.2): Normal
c1 Interface inside (192.168.20.2): Normal
c2 Interface outside (192.168.11.2): Normal
c2 Interface inside (192.168.22.2): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : state GigabitEthernet0/3.2 (up)
Stateful Obj    xmit        xerr    rcv         rerr
General         2405585244  0       75798262    188
sys cmd         1938317     0       1938317     0
up time         0           0       0           0
RPC services    0           0       0           0
TCP conn        1241561564  0       43443406    91
UDP conn        1157379296  0       28582971    84
ARP tbl         3799402     0       1833568     13
Xlate_Timeout   0           0       0           0
SIP Session     906665      0       0           0

Logical Update Queue Information
        Cur  Max  Total
Recv Q: 0    49   90335543
Xmit Q: 0    7    2405585244

! Verify the secondary unit.
ASA# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010
Group 2 last failover at: 10:13:03 tbilisi Oct 24 2010

This host: Secondary
Group 1 State: Standby Ready
Active time: 1104 (sec)
Group 2 State: Active
Active time: 14537372 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.2): Normal
c1 Interface inside (192.168.20.2): Normal
c2 Interface outside (192.168.11.2): Normal
c2 Interface inside (192.168.21.2): Normal
slot 1: empty

Other host: Primary
Group 1 State: Active
Active time: 14536486 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.1): Normal
c1 Interface inside (192.168.20.1): Normal
c2 Interface outside (192.168.11.1): Normal
c2 Interface inside (192.168.21.1): Normal
slot 1: empty

Stateful Failover Logical Update Statistics
Link : state GigabitEthernet0/3.2 (up)
Stateful Obj    xmit        xerr    rcv         rerr
General         111758344   0       1089580597  1046
sys cmd         1938331     0       1938331     0
up time         0           0       0           0
RPC services    0           0       0           0
TCP conn        73801356    0       581933209   113
UDP conn        34185062    0       501003000   886
ARP tbl         1833595     0       3799403     36
Xlate_Timeout   0           0       0           0
SIP Session     0           0       906654      11

Logical Update Queue Information
        Cur  Max  Total
Recv Q: 0    7    1104118240
Xmit Q: 0    1    111758344

As the output above shows, Active/Active failover is working and everything is as expected.
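The configuration walkthrough above states several rules that are easy to get wrong when the two units are configured by hand: the standby address must be in the same subnet as the failover interface address, the `failover interface ip` command must be entered identically on both units, one unit is primary and the other secondary, each failover group needs a role, a stateful link is needed for connection replication, and a context that is never joined lands in group 1. The Python script below is an added example written for this page, not the article's or Cisco's code. It parses the failover-related commands from the primary and secondary configurations above (embedded here as constructed strings, with the interactive prompts left in) and reports any violation of those rules before the commands are pushed to the appliances.

```python
import ipaddress
import re

# Constructed sample inputs: the failover-related commands from the article's
# primary and secondary unit configurations, as typed at the ASA prompt.
PRIMARY_CFG = """\
asa(config)# failover lan unit primary
asa(config)# failover lan interface failover Ge0/2
asa(config)# failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
asa(config)# failover link state Ge0/3
asa(config)# failover interface ip state 192.168.4.1 255.255.255.0 standby 192.168.4.2
asa(config)# failover group 1
asa(config-fover-group)# primary
asa(config-fover-group)# preempt 120
asa(config)# failover group 2
asa(config-fover-group)# secondary
asa(config-fover-group)# preempt 120
asa(config)# context c1
asa(config-ctx)# join-failover-group 1
asa(config)# context c2
asa(config-ctx)# join-failover-group 2
"""

SECONDARY_CFG = """\
asa(config)# failover lan interface failover Ge0/2
asa(config)# failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
asa(config)# failover lan unit secondary
"""

# Strips an interactive prompt such as "asa(config-ctx)# " so bare config lines parse too.
PROMPT_RE = re.compile(r"^[^#\s]*\([^)]*\)#\s*")


def parse_failover_cfg(text):
    """Collect the failover facts from one unit's configuration into a dict."""
    cfg = {"unit": None, "lan_if": None, "link_if": None, "ips": {}, "groups": {}, "contexts": {}}
    group = ctx = None  # the failover group / context whose sub-mode we are currently in
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[:3] == ["failover", "lan", "unit"]:
            cfg["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"]:
            cfg["lan_if"] = (w[3], w[4])            # (nameif, physical port)
        elif w[:2] == ["failover", "link"]:
            cfg["link_if"] = (w[2], w[3])
        elif w[:3] == ["failover", "interface", "ip"]:
            cfg["ips"][w[3]] = (w[4], w[5], w[7])   # (active ip, mask, standby ip)
        elif w[:2] == ["failover", "group"]:
            group, ctx = int(w[2]), None
            cfg["groups"].setdefault(group, {"role": None, "preempt": None})
        elif w[0] in ("primary", "secondary") and group is not None:
            cfg["groups"][group]["role"] = w[0]
        elif w[0] == "preempt" and group is not None:
            cfg["groups"][group]["preempt"] = int(w[1]) if len(w) > 1 else 0
        elif w[0] == "context":
            ctx, group = w[1], None
            cfg["contexts"].setdefault(ctx, 1)      # an unjoined context defaults to group 1
        elif w[0] == "join-failover-group" and ctx is not None:
            cfg["contexts"][ctx] = int(w[1])
    return cfg


def check_failover_pair(primary, secondary):
    """Return the problems that would stop the two units from forming a working pair."""
    findings = []
    if {primary["unit"], secondary["unit"]} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got "
                        f"{primary['unit']!r} and {secondary['unit']!r}")
    if primary["lan_if"] is None or primary["lan_if"] != secondary["lan_if"]:
        findings.append(f"failover LAN interface differs or is missing: "
                        f"{primary['lan_if']} vs {secondary['lan_if']}")
    else:
        name = primary["lan_if"][0]
        if primary["ips"].get(name) != secondary["ips"].get(name):
            findings.append(f"'failover interface ip {name}' must be entered identically on both units")
    for ifname, (ip, mask, standby) in primary["ips"].items():
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if ipaddress.ip_address(standby) not in net or ip == standby:
            findings.append(f"{ifname}: standby address {standby} is not a distinct address in {net}")
    if primary["link_if"] is None:
        findings.append("no stateful failover link: connection state will not be replicated")
    for num, grp in sorted(primary["groups"].items()):
        if grp["role"] is None:
            findings.append(f"failover group {num} has neither 'primary' nor 'secondary' set")
    for ctx, num in sorted(primary["contexts"].items()):
        if num not in primary["groups"]:
            findings.append(f"context {ctx} joins failover group {num}, which is not defined")
    return findings


if __name__ == "__main__":
    problems = check_failover_pair(parse_failover_cfg(PRIMARY_CFG), parse_failover_cfg(SECONDARY_CFG))
    print("\n".join(problems) if problems else "failover pair configuration is consistent")
```

Only the primary's configuration is checked for groups and contexts because, once failover is up, the active unit replicates its configuration to the standby; the secondary only needs the failover interface and its unit role to be right.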
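The two `show failover` outputs above are what an operator reads by eye. The Python example below is added for this page and is not the article's or Cisco's code: it parses that output (the primary unit's output from the article, embedded here as a constructed sample and trimmed to the sections the checker needs) and tests the conditions the article relies on: failover is on, software versions match on both units, the hardware models match, each failover group is Active on exactly one unit with a Standby Ready peer, and every monitored interface is reported Normal on both units. Anything else is returned as a finding, which is the shape a monitoring job or a post-change check wants.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the primary unit's "show failover" output from the
# article, trimmed to the header and the two per-host sections.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
This host: Primary
Group 1 State: Active
Active time: 14536379 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.1): Normal
c1 Interface inside (192.168.20.1): Normal
c2 Interface outside (192.168.11.1): Normal
c2 Interface inside (192.168.21.1): Normal
slot 1: empty
Other host: Secondary
Group 1 State: Standby Ready
Active time: 1104 (sec)
Group 2 State: Active
Active time: 14537266 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
c1 Interface outside (192.168.10.2): Normal
c1 Interface inside (192.168.20.2): Normal
c2 Interface outside (192.168.11.2): Normal
c2 Interface inside (192.168.21.2): Normal
slot 1: empty
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This host|Other host): (\w+)$")
GROUP_RE = re.compile(r"^Group (\d+) State: (.+)$")
SLOT_RE = re.compile(r"^slot 0: (\S+) hw/sw rev .* status \((.+)\)$")
IFACE_RE = re.compile(r"^(\S+) Interface (\S+) \(([\d.]+)\): (.+)$")


@dataclass
class HostState:
    role: str                                       # "Primary" or "Secondary"
    model: str = ""                                 # e.g. "ASA5520"
    groups: dict = field(default_factory=dict)      # group number -> state text
    interfaces: dict = field(default_factory=dict)  # (context, nameif) -> (ip, status)


def parse_show_failover(text):
    """Parse 'show failover' output into header facts plus one HostState per unit."""
    result = {"failover_on": False, "version_ours": None, "version_mate": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            result["failover_on"] = True
        elif (m := VERSION_RE.match(line)):
            result["version_ours"], result["version_mate"] = m.group(1), m.group(2)
        elif (m := HOST_RE.match(line)):
            current = HostState(role=m.group(2))
            result["hosts"][m.group(1)] = current
        elif current is None:
            continue                               # still in the header
        elif (m := GROUP_RE.match(line)):
            current.groups[int(m.group(1))] = m.group(2)
        elif (m := SLOT_RE.match(line)):
            current.model = m.group(1)
        elif (m := IFACE_RE.match(line)):
            current.interfaces[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
    return result


def check_failover(parsed):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is not enabled")
    if parsed["version_ours"] != parsed["version_mate"]:
        findings.append(f"software version mismatch: ours {parsed['version_ours']}, "
                        f"mate {parsed['version_mate']}")
    hosts = parsed["hosts"]
    if set(hosts) != {"This host", "Other host"}:
        findings.append("output does not describe both units")
        return findings
    this, other = hosts["This host"], hosts["Other host"]
    if this.model and other.model and this.model != other.model:
        findings.append(f"hardware model mismatch: {this.model} vs {other.model}")
    for group in sorted(set(this.groups) | set(other.groups)):
        states = (this.groups.get(group), other.groups.get(group))
        active = [s for s in states if s == "Active"]
        if len(active) != 1:
            findings.append(f"group {group} is active on {len(active)} unit(s) (states: {states})")
        elif "Standby Ready" not in states:
            findings.append(f"group {group} has no 'Standby Ready' peer (states: {states})")
    for ctx, name in sorted(set(this.interfaces) | set(other.interfaces)):
        for label, host in (("this", this), ("other", other)):
            entry = host.interfaces.get((ctx, name))
            if entry is None:
                findings.append(f"{ctx}/{name} is not reported on the {label} host")
            elif entry[1] != "Normal":
                findings.append(f"{ctx}/{name} on {label} host is {entry[1]}")
    return findings


if __name__ == "__main__":
    problems = check_failover(parse_show_failover(SAMPLE_SHOW_FAILOVER))
    print("\n".join(problems) if problems else "active/active failover pair is healthy")
```

The "active on exactly one unit" rule is the one worth automating: a group that is Active on neither unit means its contexts are passing no traffic, while a group Active on both would indicate a split-brain condition where the units have lost sight of each other.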
