When the ASAs run in multiple security context mode, the contexts can be organized into two failover groups. Both ASAs actively provide security functions, but never for the same security context simultaneously: each failover group is active on one unit and standby on the other. The active-active failover mode therefore provides both device redundancy and load balancing across contexts.
Configuring active-active failover is similar to configuring active-standby mode. The two failover units need the same LAN failover and stateful failover link configurations, and the same active and standby addresses on each interface. However, each ASA must be assigned its primary or secondary role in each of the two failover groups, and each security context must be assigned to a failover group.
ASA1# show mode
Security context mode: multiple
ASA1# show context // ALL CONTEXTS NEED TO BE CREATED ON ASA1; THEY ARE REPLICATED TO ASA2
Context Name Class Interfaces URL
*admin default GigabitEthernet0 disk0:/admin.cfg
CONTEXT-A default GigabitEthernet1, disk0:/CONTEXT-A.cfg
GigabitEthernet2
CONTEXT-B default GigabitEthernet1, disk0:/CONTEXT-B.cfg
GigabitEthernet2
Total active Security Contexts: 3
ASA1# configure terminal
ASA1(config)# failover ?
configure mode commands/options:
group Configure/Enable failover group
interface Configure the IP address to be used for failover and/or
stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
<cr>
exec mode commands/options:
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force an unit or failover group to an unfailed state
ASA1(config)# failover group ?
configure mode commands/options:
<1-2> group number
ASA1(config)# failover group 1 // CONFIGURE FAILOVER GROUP UNDER SYSTEM CONTEXT
ASA1(config-fover-group)# ?
Failover User Group configuration mode:
help Help for user Failover Group configuration commands
interface-policy Set the policy for failover due to interface failures
mac Specify the virtual mac address for a physical interface
no Remove user failover group configuration
polltime Configure failover interface polling interval
preempt Allow preemption of lower priority active unit
primary Primary unit has higher priority
replication Configure the replication option
secondary Secondary unit has higher priority
<cr>
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt ?
fover-group mode commands/options:
<1-1200> Preemption hold-down delay in seconds
<cr>
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
ASA1(config)# context ?
configure mode commands/options:
WORD Symbolic name of the context
ASA1(config)# context admin
ASA1(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
ASA1(config-ctx)# join-failover-group ?
context mode commands/options:
<1-2> Failover group number
ASA1(config-ctx)# join-failover-group 1 // ALL CONTEXTS ARE UNDER FAILOVER GROUP 1 BY DEFAULT
ASA1(config-ctx)# exit
ASA1(config)# context CONTEXT-A
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config)# context CONTEXT-B
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover link STATEFUL-FAILOVER gigabitethernet5
INFO: Non-failover interface config is cleared on GigabitEthernet5 and its sub-interfaces
ASA1(config)# failover interface ip LAN-FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA1(config)# failover interface ip STATEFUL-FAILOVER 2.2.2.1 255.255.255.252 standby 2.2.2.2
ASA1(config)# prompt hostname context
ASA1(config)# changeto context admin
ASA1/admin(config)# interface ?
configure mode commands/options:
GigabitEthernet Prefix of interface GigabitEthernet0
ASA1/admin(config)# interface GigabitEthernet0
ASA1/admin(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.10
ASA1/admin(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config)# changeto context CONTEXT-A
ASA1/CONTEXT-A(config)# interface ?
configure mode commands/options:
GigabitEthernet Prefix of interface GigabitEthernet1, 2
ASA1/CONTEXT-A(config)# interface GigabitEthernet1
ASA1/CONTEXT-A(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ASA1/CONTEXT-A(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CONTEXT-A(config-if)# interface GigabitEthernet2
ASA1/CONTEXT-A(config-if)# ip address 100.1.1.1 255.255.255.0 standby 100.1.1.10
ASA1/CONTEXT-A(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/CONTEXT-A(config-if)# changeto context CONTEXT-B
ASA1/CONTEXT-B(config)# interface ?
configure mode commands/options:
GigabitEthernet Prefix of interface GigabitEthernet1, 2
ASA1/CONTEXT-B(config)# interface GigabitEthernet1
ASA1/CONTEXT-B(config-if)# ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
ASA1/CONTEXT-B(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/CONTEXT-B(config-if)# interface GigabitEthernet2
ASA1/CONTEXT-B(config-if)# ip address 100.1.1.2 255.255.255.0 standby 100.1.1.20
ASA1/CONTEXT-B(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/admin(config-if)# changeto system
ASA1(config)# failover // TURN ON FAILOVER
ASA1(config)# write memory ?
exec mode commands/options:
all Save active configuration of all contexts
<cr>
ASA1(config)# write memory all // SAVES THE SYSTEM AND ALL CONTEXT CONFIG
Building configuration...
Saving context : system : (000/003 Contexts saved)
Cryptochecksum: e2069dad 2bdfd7b9 72185fee ec97e572
1676 bytes copied in 2.900 secs (838 bytes/sec)
Saving context : admin : (001/003 Contexts saved)
Cryptochecksum: 0c6c2cb2 f1e5ef63 2311e990 0e51dd35
1663 bytes copied in 6.60 secs (277 bytes/sec)
Saving context : CONTEXT-A : (002/003 Contexts saved)
Cryptochecksum: 1f6496fd 95ddb896 1163aca7 84e63309
1716 bytes copied in 2.800 secs (858 bytes/sec)
Saving context : CONTEXT-B : (003/003 Contexts saved)
Cryptochecksum: adbc43d2 a55eee49 870d28ba 6f058996
1716 bytes copied in 2.220 secs (858 bytes/sec)
[OK]
ASA1(config)# .
No Response from Mate // ASA2 ISN'T CONFIGURED YET
Group 1 No Response from Mate, Switch to Active
Group 2 No Response from Mate, Switch to Active
ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 60 maximum
Version: Ours 8.4(2), Mate Unknown
Group 1 last failover at: 10:11:48 UTC Nov 3 2013
Group 2 last failover at: 10:11:48 UTC Nov 3 2013
This host: Primary
Group 1 State: Active
Active time: 106 (sec)
Group 2 State: Active
Active time: 106 (sec)
admin Interface inside (192.168.1.1): Normal (Waiting)
CONTEXT-A Interface inside (10.1.1.1): Normal (Waiting)
CONTEXT-A Interface outside (100.1.1.1): Normal (Waiting)
CONTEXT-B Interface inside (10.2.2.1): Normal (Waiting)
CONTEXT-B Interface outside (100.1.1.2): Normal (Waiting)
Other host: Secondary
Group 1 State: Failed
Active time: 0 (sec)
Group 2 State: Failed
Active time: 0 (sec)
admin Interface inside (192.168.1.10): Unknown (Waiting)
CONTEXT-A Interface inside (10.1.1.2): Unknown (Waiting)
CONTEXT-A Interface outside (100.1.1.10): Unknown (Waiting)
CONTEXT-B Interface inside (10.2.2.2): Unknown (Waiting)
CONTEXT-B Interface outside (100.1.1.20): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
ASA1(config)# show failover state
State Last Failure Reason Date/Time
This host - Primary
Group 1 Active None
Group 2 Active None
Other host - Secondary
Group 1 Failed Comm Failure 10:12:05 UTC Nov 3 2013
Group 2 Failed Comm Failure 10:12:05 UTC Nov 3 2013
====Configuration State===
====Communication State===
----
ASA2# show mode
Security context mode: multiple
ASA2# dir *.cfg
Directory of disk0:/*.cfg
89 -rwx 2146 09:09:26 Nov 03 2013 old_running.cfg
90 -rwx 1417 09:09:28 Nov 03 2013 admin.cfg
268136448 bytes total (267481088 bytes free)
ASA2# delete *.cfg // DELETE CONFIG FILES BEFORE FAILOVER/REPLICATION FROM ASA1
Delete filename [*.cfg]?
Delete disk0:/old_running.cfg? [confirm]
Delete disk0:/admin.cfg? [confirm]
ASA2(config)# interface gigabitethernet4
ASA2(config-if)# no shutdown
ASA2(config-if)# interface gigabitethernet5
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA2(config)# failover interface ip LAN-FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA2(config)# failover
ASA2(config)# .
Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'admin' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'CONTEXT-A'... Done. (3)
WARNING: Skip fetching the URL disk0:/CONTEXT-A.cfg
INFO: Creating context with default config
Creating context 'CONTEXT-B'... Done. (4)
WARNING: Skip fetching the URL disk0:/CONTEXT-B.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment
Group 1 Detected Active mate
Group 2 Detected Active mate
End configuration replication from mate.
ASA1(config)# show context // STILL ASA2: THE HOSTNAME ASA1 IS PART OF THE SYSTEM CONFIG AND WAS REPLICATED FROM THE PRIMARY
Context Name Class Interfaces URL
*admin default GigabitEthernet0 disk0:/admin.cfg
CONTEXT-A default GigabitEthernet1, disk0:/CONTEXT-A.cfg
GigabitEthernet2
CONTEXT-B default GigabitEthernet1, disk0:/CONTEXT-B.cfg
GigabitEthernet2
Total active Security Contexts: 3
ASA1(config)# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Group 1 Standby Ready None
Group 2 Standby Ready None
Other host - Primary
Group 1 Active None
Group 2 Active None
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
ASA1(config)#
Group 2 preempt mate // AFTER 120 SECONDS
ASA1(config)# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Group 1 Standby Ready None
Group 2 Active None
Other host - Primary
Group 1 Active None
Group 2 Standby Ready None
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
----
ASA1(config)# Beginning configuration replication: Sending to mate.
INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change
INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system
reboot
End Configuration Replication to mate
ASA1(config)# prompt hostname priority context state // TELL CLI PROMPT TO INDICATE PRIMARY/SECONDARY, CONTEXT AND ACTIVE/STANDBY STATE
ASA1/pri/act(config)# changeto context admin
ASA1/pri/admin/act(config)# http server enable // ENABLE ASDM/HTTPS ACCESS
ASA1/pri/admin/act(config)# http 0 0 inside
----
ASA1/pri/act(config)# no failover active // ASA2 WILL BE THE ACTIVE FIREWALL FOR BOTH GROUP 1 AND 2, UNTIL GROUP 1 PREEMPTS BACK TO THE PRIMARY AFTER THE 120 SECOND HOLD-DOWN
ASA1/pri/stby(config)# show failover state
State Last Failure Reason Date/Time
This host - Primary
Group 1 Standby Ready None
Group 2 Standby Ready None
Other host - Secondary
Group 1 Active Comm Failure 10:12:05 UTC Nov 3 2013
Group 2 Active Comm Failure 10:12:05 UTC Nov 3 2013
====Configuration State===
Sync Done
====Communication State===
Mac set
As with active-standby failover, you can use the ASDM High Availability and Scalability Wizard to configure both the primary and secondary ASAs from the primary unit. To do that, double-click the System context in the device list. Then navigate to Configuration > Device Management > High Availability and select HA/Scalability Wizard.
Otherwise, you can configure active-active failover on the primary and secondary units manually. On the primary unit, double-click the System context in the device list, and then navigate to Configuration > Device Management > High Availability and select Failover.