Saturday, December 28, 2013

Using Packet Tracer on an ASA

You can use the Packet Tracer feature to verify many of the ASA security mechanisms as a packet moves from one ASA interface to another. A typical series of security features tested might look like the following:

* Flow lookup: Checks for existing xlate and conn entries.

* UN-NAT: Checks for address translation entries.

* Access list lookup: Checks for any applicable ACL entries.

* IP options lookup: Checks handling of IP options in the ingress packet.

* NAT: Checks the Reverse Path Forwarding (RPF) information.

* NAT: Checks for host connection limits.

* IP options lookup: Checks handling of IP options in egress packet.

* Flow creation: Creates new xlate and conn entries, if needed.

* Route lookup: Checks for a route to the destination address.


Packet Tracer uses a virtual or synthetic packet that is injected into the data stream on an ingress interface. The virtual packet is passed through each of the ASA functions, as if a real packet were being handled. This means that you will even see actual syslog information being generated on the ASA as the tracer progresses. The ASA will remove the virtual packet once it is queued in the egress interface buffer for transmission, so that it never appears on the network.

You can use Packet Tracer from ASDM by selecting Tools > Packet Tracer.


A new Packet Tracer window will appear, containing a string of symbols representing each ASA function that will be tested. Enter the following information to define the test packet:

* Choose the ingress interface, where the packet will enter the firewall; at the upper-left corner of the window, select an interface name from the drop-down menu.

* Select the Packet Type, either TCP, UDP, ICMP, or IP, from the list across the top of the window.

* Enter the Source IP Address and Source Port.

* Enter the Destination IP address and Destination Port.


Click the Start button. Packet Tracer will animate a packet as it moves from function to function. When the trace is complete, the results will be shown in the bottom half of the window. Be aware that the animation causes the step-by-step progression to appear rather slowly. You can speed up the trace by unchecking the Show Animation check box.



Notice that the virtual packet was dropped due to the implicit deny rule under the "global" access list. We correct this by adding a rule that permits HTTP traffic (TCP port 80) from the Internet (any) to the inside network 192.168.1.0/24, applied inbound on the outside interface.




You can also use Packet Tracer from the command-line interface (CLI) by entering the following command:

ciscoasa# packet-tracer ?

  input  Ingress interface on which to trace packet
ciscoasa# packet-tracer input ?

Current available interface(s):
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
ciscoasa# packet-tracer input outside ?

  icmp   Enter this keyword if the trace packet is ICMP
  rawip  Enter this keyword if the trace packet is RAW IP
  tcp    Enter this keyword if the trace packet is TCP
  udp    Enter this keyword if the trace packet is UDP
ciscoasa# packet-tracer input outside tcp ?

  A.B.C.D     Enter the Source address if ipv4
  X:X:X:X::X  Enter the Source address if ipv6
  fqdn        Enter this keyword if an FQDN is specified as source address
  user        Enter this keyword if a user is specified as source address
ciscoasa# packet-tracer input outside tcp 8.8.8.8 ?

  <0-65535>        Enter port number (0 - 65535)
  aol
  bgp
  chargen
  cifs
  citrix-ica
  cmd
  ctiqbe
  daytime
  discard
  domain
  echo
  exec
  finger
  ftp
  ftp-data
  gopher
  h323
  hostname
  http
  https
  ident
  imap4
  irc
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 ?

  A.B.C.D  Enter the destination ipv4 address
  fqdn     Enter this keyword if an FQDN is specified as destination address
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 ?

  <0-65535>        Enter port number (0 - 65535)
  aol
  bgp
  chargen
  cifs
  citrix-ica
  cmd
  ctiqbe
  daytime
  discard
  domain
  echo
  exec
  finger
  ftp
  ftp-data
  gopher
  h323
  hostname
  http
  https
  ident
  imap4
  irc
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 http ?

  detailed  Dump more detailed information
  xml       Output in xml format
  <cr>
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq www
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 100, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
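
Reading one trace by hand is easy; when packet-tracer is run from a script before and after a change, the Phase/Result structure shown above has to be parsed. The following Python is an added example, not part of the original post: it parses that structure and reports the verdict, the traffic path and the phase that dropped the packet. ALLOW_TRACE is an abbreviated copy of the trace above, and DROP_TRACE is a constructed trace for the implicit-deny case described earlier.

```python
"""Summarize the text output of the ASA ``packet-tracer`` command.

Added example, not part of the original post. ALLOW_TRACE is an abbreviated
copy of the trace above; DROP_TRACE is constructed for the implicit-deny case
the post describes (the ASA lists "Implicit Rule" under Config and adds a
Drop-reason line to the final Result block).
"""

ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq www
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, result): phases is a list of dicts keyed number, type,
    subtype, result, config, info; result maps the keys of the final block."""
    phases, result, phase, block, final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if final:                          # everything after the bare "Result:"
            if line:
                key, _, value = line.partition(":")
                result[key.strip()] = value.strip()
        elif line.startswith("Phase:"):
            phase = {"number": int(line.split(":", 1)[1]), "type": "",
                     "subtype": "", "result": "", "config": [], "info": []}
            phases.append(phase)
            block = None
        elif line == "Result:":            # no value: the final verdict block
            final = True
        elif phase is None or not line:
            continue                       # echoed command or blank separator
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            phase[key.lower()] = value.strip()
        elif line == "Config:":
            block = "config"
        elif line == "Additional Information:":
            block = "info"
        elif block:
            phase[block].append(line)      # matched ACL line, route or flow id
    return phases, result


def summarize_trace(text):
    """Reduce a trace to what an operator checks first: the verdict, the phase
    that dropped the packet (if any) and the configuration it matched."""
    phases, result = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    acl = next((p for p in phases if p["type"] == "ACCESS-LIST"), None)
    return {
        "action": result.get("Action", "unknown"),
        "path": f'{result.get("input-interface")} -> {result.get("output-interface")}',
        "phases": len(phases),
        "drop_phase": f'{drop["number"]} {drop["type"]}' if drop else None,
        "drop_reason": result.get("Drop-reason"),
        "matched_config": (drop or acl or {"config": []})["config"],
    }
```

The same parser works on the full five-phase trace above; only the final block's Action and Drop-reason lines decide the verdict, the phases tell you where it was decided.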

Saturday, December 21, 2013

Active-Active Failover on an ASA

When the ASAs are running multiple security contexts, the contexts can be organized into groups. Both ASAs are actively involved in providing security functions, but not in the same security context simultaneously. The active-active failover mode provides both device redundancy and load balancing across contexts.

Configuring active-active failover is similar to configuring active-standby mode. The two failover units need the same LAN failover and stateful failover link configurations, and the same active and standby addresses on each interface. However, each ASA must be assigned its primary and secondary role in each of the two failover groups. As well, each security context must be assigned to a failover group.

ASA1# show mode
Security context mode: multiple

ASA1# show context    // ALL CONTEXTS NEED TO BE CONFIGURED ON ASA1
Context Name      Class      Interfaces           URL
*admin            default    GigabitEthernet0     disk0:/admin.cfg
 CONTEXT-A        default    GigabitEthernet1,    disk0:/CONTEXT-A.cfg  
                             GigabitEthernet2
 CONTEXT-B        default    GigabitEthernet1,    disk0:/CONTEXT-B.cfg
                             GigabitEthernet2

Total active Security Contexts: 3

ASA1# configure terminal
ASA1(config)# failover ?

configure mode commands/options:
  group             Configure/Enable failover group
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force an unit or failover group to an unfailed state
ASA1(config)# failover group ?

configure mode commands/options:
  <1-2>  group number
ASA1(config)# failover group 1   // CONFIGURE FAILOVER GROUP UNDER SYSTEM CONTEXT
ASA1(config-fover-group)# ?

Failover User Group configuration mode:
  help              Help for user Failover Group configuration commands
  interface-policy  Set the policy for failover due to interface failures
  mac               Specify the virtual mac address for a physical interface
  no                Remove user failover group configuration
  polltime          Configure failover interface polling interval
  preempt           Allow preemption of lower priority active unit
  primary           Primary unit has higher priority
  replication       Configure the replication option
  secondary         Secondary unit has higher priority
  <cr>
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt ?

fover-group mode commands/options:
  <1-1200>  Preemption hold-down delay in seconds
  <cr>
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
ASA1(config)# context ?

configure mode commands/options:
  WORD  Symbolic name of the context
ASA1(config)# context admin
ASA1(config-ctx)# ?

Context configuration commands:
  allocate-interface   Allocate interface to context
  allocate-ips         Allocate IPS virtual sensor to context
  config-url           Configure URL for a context configuration
  description          Provide a description of the context
  exit                 Exit from context configuration mode
  help                 Interactive help for context subcommands
  join-failover-group  Join a context to a failover group
  member               Configure class membership for a context
  no                   Negate a command
ASA1(config-ctx)# join-failover-group ?

context mode commands/options:
  <1-2>  Failover group number
ASA1(config-ctx)# join-failover-group 1   // ALL CONTEXTS ARE UNDER FAILOVER GROUP 1 BY DEFAULT
ASA1(config-ctx)# exit
ASA1(config)# context CONTEXT-A
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config)# context CONTEXT-B
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover link STATEFUL-FAILOVER gigabitethernet5
INFO: Non-failover interface config is cleared on GigabitEthernet5 and its sub-interfaces
ASA1(config)# failover interface ip LAN-FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA1(config)# failover interface ip STATEFUL-FAILOVER 2.2.2.1 255.255.255.252 standby 2.2.2.2
ASA1(config)# prompt hostname context
ASA1(config)# changeto context admin
ASA1/admin(config)# interface ?

configure mode commands/options:
  GigabitEthernet  Prefix of interface GigabitEthernet0
ASA1/admin(config)# interface GigabitEthernet0
ASA1/admin(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.10
ASA1/admin(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config)# changeto context CONTEXT-A
ASA1/CONTEXT-A(config)# interface ?

configure mode commands/options:
  GigabitEthernet  Prefix of interface GigabitEthernet1, 2
ASA1/CONTEXT-A(config)# interface GigabitEthernet1
ASA1/CONTEXT-A(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ASA1/CONTEXT-A(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CONTEXT-A(config-if)# interface GigabitEthernet2
ASA1/CONTEXT-A(config-if)# ip address 100.1.1.1 255.255.255.0 standby 100.1.1.10
ASA1/CONTEXT-A(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CONTEXT-A(config-if)# changeto context CONTEXT-B
ASA1/CONTEXT-B(config)# interface ?

configure mode commands/options:
  GigabitEthernet  Prefix of interface GigabitEthernet1, 2
ASA1/CONTEXT-B(config)# interface GigabitEthernet1
ASA1/CONTEXT-B(config-if)# ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
ASA1/CONTEXT-B(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CONTEXT-B(config-if)# interface GigabitEthernet2
ASA1/CONTEXT-B(config-if)# ip address 100.1.1.2 255.255.255.0 standby 100.1.1.20
ASA1/CONTEXT-B(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/admin(config-if)# changeto system
ASA1(config)# failover   // TURN ON FAILOVER
ASA1(config)# write memory ?

exec mode commands/options:
  all  Save active configuration of all contexts
  <cr>
ASA1(config)# write memory all   // SAVES THE SYSTEM AND ALL CONTEXT CONFIG
Building configuration...
Saving context :           system : (000/003 Contexts saved)
Cryptochecksum: e2069dad 2bdfd7b9 72185fee ec97e572

1676 bytes copied in 2.900 secs (838 bytes/sec)
Saving context :            admin : (001/003 Contexts saved)
Cryptochecksum: 0c6c2cb2 f1e5ef63 2311e990 0e51dd35

1663 bytes copied in 6.60 secs (277 bytes/sec)
Saving context :        CONTEXT-A : (002/003 Contexts saved)
Cryptochecksum: 1f6496fd 95ddb896 1163aca7 84e63309

1716 bytes copied in 2.800 secs (858 bytes/sec)
Saving context :        CONTEXT-B : (003/003 Contexts saved)
Cryptochecksum: adbc43d2 a55eee49 870d28ba 6f058996

1716 bytes copied in 2.220 secs (858 bytes/sec)
[OK]
ASA1(config)# .

        No Response from Mate    // ASA2 ISN'T CONFIGURED YET

        Group 1 No Response from Mate, Switch to Active

        Group 2 No Response from Mate, Switch to Active


ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 60 maximum
Version: Ours 8.4(2), Mate Unknown
Group 1 last failover at: 10:11:48 UTC Nov 3 2013
Group 2 last failover at: 10:11:48 UTC Nov 3 2013

  This host:    Primary
  Group 1       State:          Active
                Active time:    106 (sec)
  Group 2       State:          Active
                Active time:    106 (sec)

                  admin Interface inside (192.168.1.1): Normal (Waiting)
                  CONTEXT-A Interface inside (10.1.1.1): Normal (Waiting)
                  CONTEXT-A Interface outside (100.1.1.1): Normal (Waiting)
                  CONTEXT-B Interface inside (10.2.2.1): Normal (Waiting)
                  CONTEXT-B Interface outside (100.1.1.2): Normal (Waiting)

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    0 (sec)
  Group 2       State:          Failed
                Active time:    0 (sec)

                  admin Interface inside (192.168.1.10): Unknown (Waiting)
                  CONTEXT-A Interface inside (10.1.1.2): Unknown (Waiting)
                  CONTEXT-A Interface outside (100.1.1.10): Unknown (Waiting)
                  CONTEXT-B Interface inside (10.2.2.2): Unknown (Waiting)
                  CONTEXT-B Interface outside (100.1.1.20): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA1(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         None
    Group 2    Active         None
Other host -   Secondary
    Group 1    Failed         Comm Failure             10:12:05 UTC Nov 3 2013
    Group 2    Failed         Comm Failure             10:12:05 UTC Nov 3 2013

====Configuration State===
====Communication State===


----


ASA2# show mode
Security context mode: multiple
ASA2# dir *.cfg

Directory of disk0:/*.cfg

89     -rwx  2146         09:09:26 Nov 03 2013  old_running.cfg
90     -rwx  1417         09:09:28 Nov 03 2013  admin.cfg

268136448 bytes total (267481088 bytes free)
ASA2# delete *.cfg  // DELETE CONFIG FILES BEFORE FAILOVER/REPLICATION FROM ASA1

Delete filename [*.cfg]?

Delete disk0:/old_running.cfg? [confirm]

Delete disk0:/admin.cfg? [confirm]

ASA2(config)# interface gigabitethernet4
ASA2(config-if)# no shutdown
ASA2(config-if)# interface gigabitethernet5
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA2(config)# failover interface ip LAN-FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA2(config)# failover
ASA2(config)# .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'admin' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)

WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'CONTEXT-A'... Done. (3)

WARNING: Skip fetching the URL disk0:/CONTEXT-A.cfg
INFO: Creating context with default config
Creating context 'CONTEXT-B'... Done. (4)

WARNING: Skip fetching the URL disk0:/CONTEXT-B.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment

        Group 1 Detected Active mate

        Group 2 Detected Active mate
End configuration replication from mate.

ASA1(config)# show context
Context Name      Class      Interfaces           URL
*admin            default    GigabitEthernet0     disk0:/admin.cfg
 CONTEXT-A        default    GigabitEthernet1,    disk0:/CONTEXT-A.cfg
                             GigabitEthernet2
 CONTEXT-B        default    GigabitEthernet1,    disk0:/CONTEXT-B.cfg
                             GigabitEthernet2

Total active Security Contexts: 3

ASA1(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Primary
    Group 1    Active         None
    Group 2    Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

ASA1(config)#
        Group 2 preempt mate   // AFTER 120 SECONDS


ASA1(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None
Other host -   Primary
    Group 1    Active         None
    Group 2    Standby Ready  None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set



----


ASA1(config)# Beginning configuration replication: Sending to mate.

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change
INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot
End Configuration Replication to mate

ASA1(config)# prompt hostname priority context state   // TELL CLI PROMPT TO INDICATE PRIMARY/SECONDARY, CONTEXT AND ACTIVE/STANDBY STATE
ASA1/pri/act(config)# changeto context admin
ASA1/pri/admin/act(config)# http server enable   // ENABLE ASDM/HTTPS ACCESS
ASA1/pri/admin/act(config)# http 0 0 inside 


----


ASA1/pri/act(config)# no failover active   // ASA2 WILL BE THE ACTIVE FIREWALL FOR BOTH GROUP 1 AND 2
ASA1/pri/stby(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Active         Comm Failure             10:12:05 UTC Nov 3 2013
    Group 2    Active         Comm Failure             10:12:05 UTC Nov 3 2013

====Configuration State===
        Sync Done
====Communication State===
        Mac set
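
The show failover state output above is what a monitoring check would read to confirm that each failover group is Active on exactly one unit, that it runs on its preferred unit once preempt has fired, and that neither unit reports Failed. The Python below is an added example, not part of the original post; its three samples are copied from this transcript, and the PREFERRED_OWNER table assumes the group 1 primary / group 2 secondary assignment configured above.

```python
"""Check an ASA active-active pair from the text of ``show failover state``.

Added example, not part of the original post. The three samples are copied
from the transcript above (mate not yet configured, after replication but
before preempt, and after the 120-second preempt); PREFERRED_OWNER mirrors
the page's configuration (failover group 1 primary, group 2 secondary).
"""
import re

STATE_MATE_DOWN = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         None
    Group 2    Active         None
Other host -   Secondary
    Group 1    Failed         Comm Failure             10:12:05 UTC Nov 3 2013
    Group 2    Failed         Comm Failure             10:12:05 UTC Nov 3 2013

====Configuration State===
====Communication State===
"""

STATE_BEFORE_PREEMPT = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Primary
    Group 1    Active         None
    Group 2    Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
"""

STATE_AFTER_PREEMPT = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None
Other host -   Primary
    Group 1    Active         None
    Group 2    Standby Ready  None
"""

# Unit each failover group should normally run on, as configured on the page.
PREFERRED_OWNER = {1: "Primary", 2: "Secondary"}

HOST_RE = re.compile(r"^(This host|Other host)\s*-\s*(Primary|Secondary)")


def parse_failover_state(text):
    """Return {host: {"role": ..., "groups": {n: {"state", "reason", "when"}}}}.

    Columns are separated by two or more spaces while the values themselves
    ("Standby Ready", "Comm Failure") contain single spaces, so splitting on
    runs of two or more spaces recovers the fields."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "groups": {}}
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if current and fields[0].startswith("Group "):
            fields += [""] * (4 - len(fields))      # Date/Time absent when reason is None
            hosts[current]["groups"][int(fields[0].split()[1])] = {
                "state": fields[1], "reason": fields[2], "when": fields[3]}
    return hosts


def check_failover_state(text, preferred=PREFERRED_OWNER):
    """List problems: a group not Active on exactly one unit (none, or both:
    split brain), a group running away from its preferred unit, or a unit
    reporting Failed with the recorded reason and time."""
    hosts = parse_failover_state(text)
    problems = []
    for n in sorted({n for h in hosts.values() for n in h["groups"]}):
        entries = [(h["role"], h["groups"].get(n)) for h in hosts.values()]
        active = [role for role, g in entries if g and g["state"] == "Active"]
        if len(active) != 1:
            problems.append(f"group {n}: {len(active)} active units, expected exactly 1")
        elif n in preferred and active[0] != preferred[n]:
            problems.append(f"group {n}: active on {active[0]}, preferred {preferred[n]}")
        for role, g in entries:
            if g and g["state"] == "Failed":
                problems.append(f"group {n}: {role} Failed ({g['reason']} at {g['when']})")
    return problems
```

Before the preempt hold-down expires the check reports group 2 running on the Primary; after it, the list is empty, which matches the "Group 2 preempt mate" message in the transcript.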


As with active-standby failover, you can use the ASDM High Availability and Scalability Wizard to configure both the primary and secondary ASAs from the primary unit. To do that, double-click the System context in the device list. Then navigate to Configuration > Device Management > High Availability and select HA/Scalability Wizard.

Otherwise, you can configure active-active failover on the primary and secondary units manually. On the primary unit, double-click the System context in the device list, and then navigate to Configuration > Device Management > High Availability and select Failover.









Sunday, December 1, 2013

Active-Standby Failover on an ASA

To coexist as a failover or redundant pair, two ASAs must be identical (in terms of hardware and IOS) and must coordinate their failover roles. In an active-standby failover, one ASA must function as the active unit, handling all traffic inspection at any given time. The other ASA must always sit idle, waiting to take over the active role.

The ASA pair must also share identical sets of interfaces. For example, each unit has an inside and an outside interface, and the similar interfaces must be connected together. This is for two reasons:

* The standby unit must be ready to take over handling traffic at any time, so its interfaces must be connected and ready to use.

* The two ASAs monitor each other's health by communicating over each of their interfaces.

If a failure is detected on the active unit, the two ASAs effectively swap roles. The ASA previously in the standby mode has now moved into the active role.

If an ASA moves into the standby role, it is not permitted to preempt its peer and take over the active role again - unless the active ASA has a failure of its own. This creates a stable mechanism where the ASAs toggle roles only when failures occur.


State Information Replicated

* NAT table entries

* ARP table entries

* MAC address table entries

* UDP connections

* TCP connections

* H.323 and SIP signaling sessions

* MGCP connections

* HTTP connections (if explicitly enabled)

* Dynamic routing table entries (beginning with software release 8.4)


State Information Not Replicated

* User authentication (Cut-through Proxy)

* DHCP server address leases

* Phone proxy information

* Security Services Module activity


We start by verifying that the license supports the failover feature and by issuing the no shutdown command on the interfaces to be used.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual  
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

ASA1# show interface | include Interface
Interface GigabitEthernet0 "inside", is up, line protocol is up
Interface GigabitEthernet1 "outside", is up, line protocol is up
Interface GigabitEthernet2 "", is administratively down, line protocol is up
Interface GigabitEthernet3 "", is administratively down, line protocol is up
Interface GigabitEthernet4 "", is administratively down, line protocol is up
Interface GigabitEthernet5 "", is administratively down, line protocol is up
ASA1# configure terminal
ASA1(config)# interface gigabitethernet3    // LAN-BASED FAILOVER
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitethernet4    // STATEFUL FAILOVER
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitethernet0
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ASA1(config-if)# interface gigabitethernet1
ASA1(config-if)# ip address 100.1.1.1 255.255.255.0 standby 100.1.1.2
ASA1(config-if)# exit
ASA1(config)# failover ?

configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force an unit or failover group to an unfailed state
ASA1(config)# failover lan ?

configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover
             communication
  unit       Configure the unit as primary or secondary
ASA1(config)# failover lan interface ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config)# failover lan interface LAN-FAILOVER ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>
ASA1(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover interface ?

configure mode commands/options:
  ip  Configure the IP address and mask after this keyword
ASA1(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LAN-FAILOVER  Name of interface GigabitEthernet4
ASA1(config)# failover interface ip LAN-FAILOVER ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix
ASA1(config)# failover interface ip LAN-FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA1(config)# failover key ?

configure mode commands/options:
  0     Specifies an UNENCRYPTED password will follow
  8     Specifies an ENCRYPTED password will follow
  WORD  Failover shared secret
  hex   Enter 32-character key in hexadecimal format
ASA1(config)# failover key cisco
ASA1(config)# failover link ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config)# failover link STATEFUL-FAILOVER ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>
ASA1(config)# failover link STATEFUL-FAILOVER gigabitethernet5
INFO: Non-failover interface config is cleared on GigabitEthernet5 and its sub-interfaces
ASA1(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LAN-FAILOVER       Name of interface GigabitEthernet4
  STATEFUL-FAILOVER  Name of interface GigabitEthernet5
ASA1(config)# failover interface ip STATEFUL-FAILOVER ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix
ASA1(config)# failover interface ip STATEFUL-FAILOVER 10.2.2.1 255.255.255.252 standby 10.2.2.2
ASA1(config)# failover replication ?

configure mode commands/options:
  http  Enable HTTP (port 80) connection replication
ASA1(config)# failover replication http
ASA1(config)# failover lan unit ?

configure mode commands/options:
  primary    Configure the unit as primary
  secondary  Configure the unit as secondary
ASA1(config)# failover lan unit primary
ASA1(config)# prompt ?

configure mode commands/options:
  context   Display the context in the session prompt (multimode only)
  domain    Display the domain in the session prompt
  hostname  Display the hostname in the session prompt
  priority  Display the priority in the session prompt
  state     Display the traffic passing state in the session prompt
ASA1(config)# prompt hostname priority state   // THIS COMMAND IS USEFUL TO LET US KNOW WHICH ASA DEVICE WE'RE CURRENTLY AT
ASA1/pri/actNoFailover(config)# failover    // PRIMARY ASA AND ACTIVE FIREWALL. WE ENABLE THE FAILOVER FEATURE BY ISSUING THE failover COMMAND

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate Unknown
Last Failover at: 09:05:24 UTC Nov 2 2013
        This host: Primary - Active
                Active time: 120 (sec)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Normal (Waiting)
        Other host: Secondary - Failed   
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Unknown (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA1/pri/act# .

        No Response from Mate   // WE HAVEN'T CONFIGURED ASA2 YET


----


ASA2# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  administratively down up
GigabitEthernet1           unassigned      YES unset  administratively down up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
GigabitEthernet4           unassigned      YES unset  administratively down up
GigabitEthernet5           unassigned      YES unset  administratively down up
ASA2# configure terminal
ASA2(config)# interface gigabitethernet4    // LAN-BASED FAILOVER
ASA2(config-if)# no shutdown
ASA2(config-if)# interface gigabitethernet5    // STATEFUL FAILOVER
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan interface LAN-FAILOVER gigabitethernet4   // WE JUST NEED TO CONFIGURE THE LAN-BASED FAILOVER INTERFACE ON ASA2
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA2(config)# failover interface ip LAN-FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA2(config)# failover key cisco
ASA2(config)# failover lan unit secondary
ASA2(config)# failover
ASA2(config)# .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot

ASA1/sec/stby(config)# show failover   // HOSTNAME IS RETAINED, ASA2 IS ACTING AS SECONDARY FIREWALL AND CURRENTLY IN STANDBY MODE
Failover On
Failover unit Secondary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 08:31:23 UTC Nov 2 2013
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)
        Other host: Primary - Active
                Active time: 618 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         17         0          20         0
        sys cmd         17         0          17         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      335
        Xmit Q:         0       1       18
ASA1/sec/stby(config)#


----


ASA1/pri/act# Beginning configuration replication: Sending to mate.   // AFTER ASA2 WAS SUCCESSFULLY CONFIGURED, ASA1 SYNCHRONIZED ITS RUNNING CONFIG WITH ASA2

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot
End Configuration Replication to mate

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:05:24 UTC Nov 2 2013
        This host: Primary - Active
                Active time: 604 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         18         0          15         0
        sys cmd         15         0          15         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   1          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       12      144
        Xmit Q:         0       29      190
ASA1/pri/act# configure terminal
ASA1/pri/act(config)# no failover ?

configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active  Make this system to be the active unit of the failover pair
ASA1/pri/act(config)# no failover active   // WE FORCE FAILOVER TO ASA2
ASA1/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

        Switching to Standby

ASA1/pri/stby(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:18:41 UTC Nov 2 2013
        This host: Primary - Standby Ready
                Active time: 796 (sec)
                  Interface inside (192.168.1.2): Normal (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)
        Other host: Secondary - Active
                Active time: 10 (sec)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         45         0          42         0
        sys cmd         42         0          42         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   1          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       12      395
        Xmit Q:         0       29      428


----


ASA1/sec/stby(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

        Switching to Active    // ASA2 TOOK OVER AND BECAME THE ACTIVE FIREWALL

ASA1/sec/act(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:18:38 UTC Nov 2 2013
        This host: Secondary - Active
                Active time: 29 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)
        Other host: Primary - Standby Ready
                Active time: 796 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         45         0          48         0
        sys cmd         45         0          45         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      776
        Xmit Q:         0       1       88


----


ASA1/sec/act# write memory    // WHENEVER a write memory IS ISSUED ON THE ACTIVE FIREWALL, THE SAME IS DONE ON THE STANDBY FIREWALL
Building configuration...
Cryptochecksum: f1122c95 641fe674 f46d69ff c66b305e

2668 bytes copied in 2.20 secs (1334 bytes/sec)
[OK]


ASA1/pri/stby# Cryptochecksum: d854c471 4c772f39 6db68042 8fceddf0

2665 bytes copied in 1.250 secs (2665 bytes/sec)
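As an added example (not part of the original post), here is a small Python parser for the `show failover` output shown above: it turns the per-host and per-interface lines into a structure and flags anything that leaves the pair without a usable standby (mate Failed, version mismatch, two Active units, an interface not Normal). The sample input is constructed to match the first `show failover` on ASA1, and the field regexes are assumptions fitted to that output format.

```python
"""Parse Cisco ASA 'show failover' output and flag states with no working
standby. Added example; regexes are assumptions fitted to the format above."""
import re

# Constructed sample, modelled on the first 'show failover' on ASA1 above.
SAMPLE_BEFORE = """\
Failover On
Failover unit Primary
Version: Ours 8.4(2), Mate Unknown
        This host: Primary - Active
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Normal (Waiting)
        Other host: Secondary - Failed
                  Interface inside (192.168.1.2): Unknown (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")


def parse_show_failover(text):
    """Return failover flag, unit role, versions and per-host ('this'/'other') state."""
    res = {"failover_on": None, "unit": None, "ours": None, "mate": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            res["failover_on"] = True
        elif line.startswith("Failover Off"):
            res["failover_on"] = False
        elif line.startswith("Failover unit "):
            res["unit"] = line.split()[-1]
        elif m := VERSION_RE.match(line):
            res["ours"], res["mate"] = m.group(1), m.group(2)
        elif m := HOST_RE.match(line):
            host = m.group(1).lower()  # interface lines that follow belong to this host
            res["hosts"][host] = {"role": m.group(2), "state": m.group(3), "interfaces": []}
        elif host and (m := IFACE_RE.match(line)):
            res["hosts"][host]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)})
    return res


def failover_findings(parsed):
    """Problems as strings; empty means one Active, one Standby Ready, same version, all Normal."""
    out = []
    if parsed["failover_on"] is not True:
        out.append("failover is not enabled")
    if parsed["ours"] != parsed["mate"]:
        out.append(f"version mismatch: ours {parsed['ours']}, mate {parsed['mate']}")
    for key, h in parsed["hosts"].items():
        if h["state"] not in ("Active", "Standby Ready"):
            out.append(f"{key} host ({h['role']}) is {h['state']}")
        out += [f"{key} host interface {i['name']} is {i['status']}"
                for i in h["interfaces"] if i["status"] != "Normal"]
    if sorted(h["state"] for h in parsed["hosts"].values()) != ["Active", "Standby Ready"]:
        out.append("pair is not exactly one Active plus one Standby Ready unit")
    return out
```

Run against the post's later outputs it would still flag the outside interfaces as Unknown (Waiting), which is the kind of condition to clear before relying on the standby unit.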


Here are some useful show commands, followed by the steps for configuring active/standby failover using ASDM.

ASA1/sec/act# show failover ?

  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
  <cr>

ASA1/sec/act# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
08:31:23 UTC Nov 2 2013
Not Detected               Disabled                   No Error

09:12:52 UTC Nov 2 2013
Disabled                   Negotiation                Set by the config command

09:12:57 UTC Nov 2 2013
Negotiation                Cold Standby               Detected an Active mate

09:12:58 UTC Nov 2 2013
Cold Standby               Sync Config                Detected an Active mate

09:13:24 UTC Nov 2 2013
Sync Config                Sync File System           Detected an Active mate

09:13:24 UTC Nov 2 2013
Sync File System           Bulk Sync                  Detected an Active mate

09:13:38 UTC Nov 2 2013
Bulk Sync                  Standby Ready              Detected an Active mate

09:18:35 UTC Nov 2 2013
Standby Ready              Just Active                Other unit wants me Active

09:18:38 UTC Nov 2 2013
Just Active                Active Drain               Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Drain               Active Applying Config     Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Applying Config     Active Config Applied      Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Config Applied      Active                     Other unit wants me Active

==========================================================================

ASA1/sec/act# show failover interface
        interface LAN-FAILOVER GigabitEthernet4
                System IP Address: 10.1.1.1 255.255.255.252
                My IP Address    : 10.1.1.2
                Other IP Address : 10.1.1.1
        interface STATEFUL-FAILOVER GigabitEthernet5
                System IP Address: 10.2.2.1 255.255.255.252
                My IP Address    : 10.2.2.2
                Other IP Address : 10.2.2.1

ASA1/sec/act# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

ASA1/sec/act# show failover statistics
        tx:1488
        rx:1352