ASA Active/Standby failover means connecting two Cisco ASA firewall units over a LAN cable so that when one device, or one of its interfaces, fails, the second device takes over the traffic and becomes the active unit.
During normal operation, the active ASA synchronizes its configuration with the standby device. The configuration must be changed on the active ASA. If you try to change the configuration on the ASA in standby mode, the following warning will be displayed:
ASA-TGM# configure terminal
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
ASA(config)#
In Active/Standby failover, the active ASA receives and filters all network traffic while the secondary ASA waits in the Standby Ready state.
ASA failover operates in two modes: Stateful Failover and Regular Failover. In Regular Failover, all active connections are dropped when a failover occurs. In Stateful Failover, the active unit continuously replicates the state of each connection to the standby unit,
so that when a failover occurs both ASAs already know about all connections. The active ASA sends state information for the following protocols/tables to the standby ASA:
- NAT translation table
- TCP connection table
- UDP connection table
- ARP table
- Layer 2 bridge table (if transparent mode is enabled)
- HTTP connection table (if HTTP replication is enabled)
- ISAKMP and SA table
- GTP PDP connection table
The following are not synchronized:
- HTTP connection table (unless HTTP replication is enabled)
- Routing table
- User authentication (uauth) table
- State information for the Security Services Module
Two ASAs can only operate in failover mode if they meet a set of predefined requirements: both must be the same model and type, have the same amount of RAM and flash, and run the same license and version. The IOS version on both ASAs must match. If any of these requirements is not met, the two units cannot form a failover pair.
Let's look at an example Active/Standby failover configuration (see the diagram below). The outside interfaces on the ASAs are Ge0/0 and the LAN (inside) interfaces are Ge0/1.
For failover we use Ge0/2: subinterface Ge0/2.1 is the failover link and Ge0/2.2 is the state link, over which connection state information is exchanged.
Note that you do not have to use two separate connections for the failover link and the state link; they can share the same connection/interface.
Configure failover with Cisco ASA Firewall
Active device configuration (Primary):
Note: Always start with the active ASA first.
! Assign an IP address to the outside interface. On failover, the standby unit takes over the primary (active) IP address.
asa-tgm(config)# interface g0/0
asa-tgm(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
! Assign an IP address to the inside interface. On failover, the standby unit takes over the primary (active) IP address.
asa-tgm(config)# interface g0/1
asa-tgm(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
! Enable LAN Failover.
asa-tgm(config)#failover lan enable
! Set this unit as primary.
asa-tgm(config)#failover lan unit primary
! Define the failover interface. In this document, "failover" is the name given to GigabitEthernet0/2.1, which is used as the failover link.
asa-tgm(config)#failover lan interface failover Ge0/2.1
! Assign IP addresses to the failover interface.
asa-tgm(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
! Define the stateful failover interface. In this article, "state" is the name given to GigabitEthernet0/2.2, which is used as the state link.
asa-tgm(config)#failover link state Ge0/2.2
! Assign IP addresses to the state interface.
asa-tgm(config)#failover interface ip state 192.168.4.1 255.255.255.0 standby 192.168.4.2
! Enable failover
asa-tgm(config)#failover
Note: Issue the failover command on the primary unit first, then issue it on the secondary unit. As soon as the failover command is issued on the secondary unit, it pulls the configuration from the primary unit and places itself in standby mode.
The primary ASA remains active, passes traffic normally and marks itself as the active unit. From then on, whenever a failure occurs on the active unit, the standby unit becomes active.
Standby device configuration (Secondary):
! Enables LAN failover
asa-tgm(config)#failover lan enable
! Define the failover interface
asa-tgm(config)#failover lan interface failover Ge0/2.1
! Assign an IP address to the failover interface
asa-tgm(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
! Set this unit as secondary
asa-tgm(config)#failover lan unit secondary
! Enable failover.
asa-tgm(config)#failover
After completing the above, configuration replication starts and the following messages are displayed:
“Beginning configuration replication: Sending to mate” ……….
“End Configuration Replication to mate.”
From now on, all configuration commands are entered on the primary (active) unit. Connect to the primary unit and issue the "write memory" command to save the configuration; the "write standby" command then runs automatically to save the configuration on the secondary unit.
Verification and troubleshooting commands:
! show failover on the primary ASA
asa-tgm# show failover
Failover On
Last Failover at: 05:12:14 tbilisi Dec 7 2010
This context: Active
Active time: 14228860 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (192.168.2.1): Normal
Peer context: Standby Ready
Active time: 1104 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (192.168.2.2): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 1217633001 31648 2774 0
UDP conn 1128592801 0 15204 0
ARP tbl 2435313 0 420 10
Xlate_Timeout 0 0 0 0
SIP Session 885790 0 0 0
! show failover on the secondary ASA
asa-tgm# show failover
Failover On
Last Failover at: 05:12:14 tbilisi Dec 7 2010
This context: Standby Ready
Active time: 1104 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (192.168.2.2): Normal
Peer context: Active
Active time: 14228965 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (192.168.1.2): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 7349 638711328 571031340 112
UDP conn 45152 0 1136400282 886
ARP tbl 430 0 2435305 36
Xlate_Timeout 0 0 0 0
SIP Session 0 0 885779 11
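As an added example that is not part of the article (and not Cisco's code), the following Python script parses output in the shape shown above and reports the conditions a monitoring check would alert on: failover turned off, the pair not in Active / Standby Ready, an interface that is not Normal, or non-zero xerr/rerr replication counters. The sample output is constructed to match the page's format.

```python
import re

# Constructed sample in the shape of the page's "show failover" output, not captured from a device.
SAMPLE = """Failover On
This context: Active
Interface outside (192.168.1.1): Normal
Interface inside (192.168.2.1): Normal
Peer context: Standby Ready
Interface outside (192.168.1.2): Normal
Interface inside (192.168.2.2): Normal
Stateful Obj xmit xerr rcv rerr
TCP conn 1217633001 31648 2774 0
ARP tbl 2435313 0 420 10
"""
IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\s*\): (.+)")
STAT_RE = re.compile(r"^([A-Za-z_]+(?: [A-Za-z_]+)?) (\d+) (\d+) (\d+) (\d+)$")

def parse_show_failover(text):
    """Return failover state, per-unit interface status and stateful-update counters."""
    info = {"failover_on": False, "this": {"state": None, "ifaces": {}},
            "peer": {"state": None, "ifaces": {}}, "stats": {}}
    side = "this"  # lines after "This context:" belong to this unit, after "Peer context:" to the peer
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Failover "):
            info["failover_on"] = line.split()[1] == "On"
        elif line.startswith(("This context:", "Peer context:")):
            side = "this" if line.startswith("This") else "peer"
            info[side]["state"] = line.split(":", 1)[1].strip()
        elif (m := IFACE_RE.match(line)):
            info[side]["ifaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
        elif (m := STAT_RE.match(line)):
            info["stats"][m.group(1)] = dict(zip(("xmit", "xerr", "rcv", "rerr"), map(int, m.groups()[1:])))
    return info

def failover_findings(info):
    """List conditions worth alerting on: failover off, units not Active/Standby Ready, bad interfaces, replication errors."""
    findings = []
    if not info["failover_on"]:
        findings.append("failover is Off")
    if {info["this"]["state"], info["peer"]["state"]} != {"Active", "Standby Ready"}:
        findings.append(f"unit states: {info['this']['state']} / {info['peer']['state']}")
    for side in ("this", "peer"):
        for name, d in info[side]["ifaces"].items():
            if d["status"] != "Normal":
                findings.append(f"{side} interface {name} is {d['status']}")
    for obj, c in info["stats"].items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"{obj}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings
```

Feed it the text of show failover from either unit; an empty findings list means the pair is healthy by these checks.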
Configure Cisco ASA redundant interfaces
In addition to the device-level failover discussed above, you can also configure interface redundancy on a single Cisco ASA firewall.
Essentially, you create a logical interface (called a "redundant interface") that bundles two physical interfaces.
If one of the physical interfaces fails, the other member of the redundant pair takes over and begins forwarding traffic.
You can configure up to 8 redundant interface pairs. Once a redundant interface is configured, all configuration on the security appliance refers to this logical redundant interface instead of the member physical interfaces.
The following guidelines apply to the redundant interface and its members:
- You must first remove the name of the physical interface (using the no nameif command) before adding it to the logical redundant interface.
- Both member interfaces must be of the same physical type, that is, both GigabitEthernet or both Ethernet.
- The only configuration allowed on physical interfaces that are members of a redundant interface pair is physical parameters (i.e. the shutdown and description commands).
Configure redundant interfaces:
ASA-TGM(config)# redundant interface 1
ASA-TGM(config-if)# member-interface gigabitethernet 0/0
ASA-TGM(config-if)# member-interface gigabitethernet 0/1
From now on, all interface-related commands must refer to "redundant interface 1".
Active/Standby failover on the Cisco ASA firewall has many use cases, and a very common one is described above. You can place one physical ASA in one building and the second in another building, which also provides geographic redundancy.
The only requirement is that both Cisco ASA devices are connected over a Layer 2 connection so that they can replicate state and connections to each other.
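As an added example that is not from the article, this Python lint applies the guidelines above (no nameif or other non-physical settings on members, same physical type, at most 8 pairs) to a running-config fragment. It assumes the running-config form (interface RedundantN with indented member-interface lines) rather than the config-mode commands shown above; the sample config is constructed.

```python
import re

# Constructed running-config fragment, not taken from the article: Redundant1 has a member that
# still carries a nameif, and Redundant2 mixes GigabitEthernet with Ethernet.
SAMPLE_CONFIG = """interface GigabitEthernet0/0
 no nameif
interface GigabitEthernet0/1
 nameif inside
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
interface Redundant2
 member-interface GigabitEthernet0/2
 member-interface Ethernet0/2
"""
ALLOWED_ON_MEMBER = ("shutdown", "description", "no ")  # physical parameters (and cleared settings) only
MAX_REDUNDANT = 8

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" ") and line.strip():
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def lint_redundant_interfaces(config):
    """Check the redundant-interface guidelines; returns a list of violations (empty means clean)."""
    blocks = parse_interfaces(config)
    redundant = {n: c for n, c in blocks.items() if n.lower().startswith("redundant")}
    findings = []
    if len(redundant) > MAX_REDUNDANT:
        findings.append(f"{len(redundant)} redundant interfaces configured, maximum is {MAX_REDUNDANT}")
    for rname, cmds in redundant.items():
        members = [c.split(None, 1)[1] for c in cmds if c.startswith("member-interface ")]
        if len(members) != 2:
            findings.append(f"{rname}: expected 2 member interfaces, found {len(members)}")
        if len({re.match(r"[A-Za-z]+", m).group(0).lower() for m in members}) > 1:
            findings.append(f"{rname}: members {', '.join(members)} are not the same physical type")
        for m in members:  # members may only keep physical parameters; nameif must be removed first
            for cmd in blocks.get(m, []):
                if not cmd.startswith(ALLOWED_ON_MEMBER):
                    findings.append(f"{rname}: member {m} carries '{cmd}', not allowed on a member")
    return findings
```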
Good luck!
Related articles:
– Introducing Failover on Firewall ASA
– Configure redundant interfaces on Cisco ASA