Sunday, December 1, 2013

Active-Standby Failover on an ASA

To coexist as a failover (redundant) pair, two ASAs must be identical in hardware (same model, same number and type of interfaces) and run the same ASA software version (the ASA runs its own operating system, not IOS), in the same firewall and context mode, and both must be licensed for failover. In an active-standby failover, one ASA functions as the active unit and handles all traffic inspection at any given time. The other ASA sits in standby, passing no traffic, ready to take over the active role.

The ASA pair must also have identical sets of interfaces, connected to the same segments. For example, if each unit has an inside and an outside interface, the two inside interfaces must be connected to the same inside network and the two outside interfaces to the same outside network. This is for two reasons:

* The standby unit must be ready to take over handling traffic at any time, so its interfaces must be connected and ready to use.

* The two ASAs monitor each other's health by exchanging hello messages over the failover link and over each monitored data interface.

If a failure is detected on the active unit, the two ASAs effectively swap roles: the ASA previously in standby takes over the active role and begins handling traffic.

Once an ASA is in the standby role, it does not preempt its peer to reclaim the active role, even if it is the primary unit, unless the active ASA has a failure of its own. This creates a stable mechanism where the ASAs swap roles only when a failure occurs (or when an administrator forces a switchover, as shown later with no failover active).


State Information Replicated

* NAT table entries

* ARP table entries

* MAC address table entries

* UDP connections

* TCP connections

* H.323 and SIP signaling sessions

* MGCP connections

* HTTP connections (only if explicitly enabled with failover replication http)

* Dynamic routing table entries (beginning with software release 8.4)


State Information Not Replicated

* User authentication (cut-through proxy) sessions

* DHCP server address leases

* Phone proxy information

* Security Services Module activity


We start by verifying in show version that the license supports the failover feature (the Active/Active entry below also permits active-standby) and issuing no shutdown on the interfaces to be used for the failover and stateful links.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual  
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

ASA1# show interface | include Interface
Interface GigabitEthernet0 "inside", is up, line protocol is up
Interface GigabitEthernet1 "outside", is up, line protocol is up
Interface GigabitEthernet2 "", is administratively down, line protocol is up
Interface GigabitEthernet3 "", is administratively down, line protocol is up
Interface GigabitEthernet4 "", is administratively down, line protocol is up
Interface GigabitEthernet5 "", is administratively down, line protocol is up
ASA1# configure terminal
ASA1(config)# interface gigabitethernet4    // LAN-BASED FAILOVER
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitethernet5    // STATEFUL FAILOVER
ASA1(config-if)# no shutdown
ASA1(config-if)# interface gigabitethernet0
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ASA1(config-if)# interface gigabitethernet1
ASA1(config-if)# ip address 100.1.1.1 255.255.255.0 standby 100.1.1.2
ASA1(config-if)# exit
ASA1(config)# failover ?

configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force an unit or failover group to an unfailed state
ASA1(config)# failover lan ?

configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover
             communication
  unit       Configure the unit as primary or secondary
ASA1(config)# failover lan interface ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config)# failover lan interface LAN-FAILOVER ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>
ASA1(config)# failover lan interface LAN-FAILOVER gigabitethernet4
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA1(config)# failover interface ?

configure mode commands/options:
  ip  Configure the IP address and mask after this keyword
ASA1(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LAN-FAILOVER  Name of interface GigabitEthernet4
ASA1(config)# failover interface ip LAN-FAILOVER ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix
ASA1(config)# failover interface ip LAN-FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA1(config)# failover key ?

configure mode commands/options:
  0     Specifies an UNENCRYPTED password will follow
  8     Specifies an ENCRYPTED password will follow
  WORD  Failover shared secret
  hex   Enter 32-character key in hexadecimal format
ASA1(config)# failover key cisco    // SHARED SECRET FOR THE FAILOVER HELLOS AND FOR CONFIG/STATE REPLICATION. WITHOUT A KEY, EVERYTHING ON THE FAILOVER AND STATEFUL LINKS (INCLUDING REPLICATED PASSWORDS AND VPN PRESHARED KEYS) CROSSES IN CLEAR TEXT. IN PRODUCTION USE A STRONG KEY, NOT cisco, AND KEEP BOTH LINKS ON DEDICATED, ISOLATED SEGMENTS
ASA1(config)# failover link ?

configure mode commands/options:
  WORD  Specify the interface name
ASA1(config)# failover link STATEFUL-FAILOVER ?

configure mode commands/options:
  WORD  Specify physical or sub interface
  <cr>
ASA1(config)# failover link STATEFUL-FAILOVER gigabitethernet5
INFO: Non-failover interface config is cleared on GigabitEthernet5 and its sub-interfaces
ASA1(config)# failover interface ip ?

configure mode commands/options:
Current available interface(s):
  LAN-FAILOVER       Name of interface GigabitEthernet4
  STATEFUL-FAILOVER  Name of interface GigabitEthernet5
ASA1(config)# failover interface ip STATEFUL-FAILOVER ?

configure mode commands/options:
  Hostname or A.B.C.D  Specify the IP address
  X:X:X:X::X/<0-128>   Specify the IPv6 prefix
ASA1(config)# failover interface ip STATEFUL-FAILOVER 10.2.2.1 255.255.255.252 standby 10.2.2.2
ASA1(config)# failover replication ?

configure mode commands/options:
  http  Enable HTTP (port 80) connection replication
ASA1(config)# failover replication http
ASA1(config)# failover lan unit ?

configure mode commands/options:
  primary    Configure the unit as primary
  secondary  Configure the unit as secondary
ASA1(config)# failover lan unit primary
ASA1(config)# prompt ?

configure mode commands/options:
  context   Display the context in the session prompt (multimode only)
  domain    Display the domain in the session prompt
  hostname  Display the hostname in the session prompt
  priority  Display the priority in the session prompt
  state     Display the traffic passing state in the session prompt
ASA1(config)# prompt hostname priority state   // THIS COMMAND IS USEFUL TO LET US KNOW WHICH ASA DEVICE WE'RE CURRENTLY AT
ASA1/pri/actNoFailover(config)# failover    // PRIMARY ASA AND ACTIVE FIREWALL. WE ENABLE THE FAILOVER FEATURE BY ISSUING THE failover COMMAND

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate Unknown
Last Failover at: 09:05:24 UTC Nov 2 2013
        This host: Primary - Active
                Active time: 120 (sec)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Normal (Waiting)
        Other host: Secondary - Failed   
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Unknown (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0
ASA1/pri/act# .

        No Response from Mate   // WE HAVEN'T CONFIGURED ASA2 YET


----


ASA2# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           unassigned      YES unset  administratively down up
GigabitEthernet1           unassigned      YES unset  administratively down up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
GigabitEthernet4           unassigned      YES unset  administratively down up
GigabitEthernet5           unassigned      YES unset  administratively down up
ASA2# configure terminal
ASA2(config)# interface gigabitethernet4    // LAN-BASED FAILOVER
ASA2(config-if)# no shutdown
ASA2(config-if)# interface gigabitethernet5    // STATEFUL FAILOVER
ASA2(config-if)# no shutdown
ASA2(config-if)# exit
ASA2(config)# failover lan interface LAN-FAILOVER gigabitethernet4   // ON ASA2 WE ONLY NEED THE LAN-BASED FAILOVER INTERFACE, ITS IP, THE KEY AND THE UNIT ROLE; THE REST OF THE CONFIG IS REPLICATED FROM THE ACTIVE UNIT
INFO: Non-failover interface config is cleared on GigabitEthernet4 and its sub-interfaces
ASA2(config)# failover interface ip LAN-FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2   // SAME COMMAND AS ON ASA1; THE SECONDARY UNIT USES THE standby ADDRESS
ASA2(config)# failover key cisco
ASA2(config)# failover lan unit secondary
ASA2(config)# failover
ASA2(config)# .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system

reboot

ASA1/sec/stby(config)# show failover   // THE HOSTNAME ASA1 WAS COPIED FROM THE PRIMARY DURING CONFIG REPLICATION (hostname IS PART OF THE REPLICATED CONFIG). THE PROMPT SHOWS THIS UNIT IS THE SECONDARY AND CURRENTLY IN STANDBY
Failover On
Failover unit Secondary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 08:31:23 UTC Nov 2 2013
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)
        Other host: Primary - Active
                Active time: 618 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         17         0          20         0
        sys cmd         17         0          17         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      335
        Xmit Q:         0       1       18
ASA1/sec/stby(config)#


----


ASA1/pri/act# Beginning configuration replication: Sending to mate.   // AFTER ASA2 WAS SUCCESSFULLY CONFIGURED, ASA1 SYNCHRONIZED ITS RUNNING CONFIG WITH ASA2

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system

reboot
End Configuration Replication to mate

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:05:24 UTC Nov 2 2013
        This host: Primary - Active
                Active time: 604 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         18         0          15         0
        sys cmd         15         0          15         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   1          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       12      144
        Xmit Q:         0       29      190
ASA1/pri/act# configure terminal
ASA1/pri/act(config)# no failover ?

configure mode commands/options:
  interface         Configure the IP address to be used for failover and/or
                    stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
  <cr>

exec mode commands/options:
  active  Make this system to be the active unit of the failover pair
ASA1/pri/act(config)# no failover active   // WE FORCE A SWITCHOVER TO ASA2 (failover active ON THE STANDBY UNIT WOULD DO THE SAME)
ASA1/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

        Switching to Standby

ASA1/pri/stby(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:18:41 UTC Nov 2 2013
        This host: Primary - Standby Ready
                Active time: 796 (sec)
                  Interface inside (192.168.1.2): Normal (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)
        Other host: Secondary - Active
                Active time: 10 (sec)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         45         0          42         0
        sys cmd         42         0          42         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   1          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       12      395
        Xmit Q:         0       29      428


----


ASA1/sec/stby(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

        Switching to Active    // ASA2 TOOK OVER AND BECAME THE ACTIVE FIREWALL

ASA1/sec/act(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:18:38 UTC Nov 2 2013
        This host: Secondary - Active
                Active time: 29 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)
        Other host: Primary - Standby Ready
                Active time: 796 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : STATEFUL-FAILOVER GigabitEthernet5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         45         0          48         0
        sys cmd         45         0          45         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       18      776
        Xmit Q:         0       1       88


----


ASA1/sec/act# write memory    // WHENEVER write memory IS ISSUED ON THE ACTIVE FIREWALL, THE STANDBY FIREWALL SAVES ITS CONFIG TOO. THE TWO SAVED COPIES ARE NOT BYTE-IDENTICAL (EACH UNIT KEEPS ITS OWN failover lan unit ROLE), SO THE CHECKSUMS BELOW DIFFER
Building configuration...
Cryptochecksum: f1122c95 641fe674 f46d69ff c66b305e

2668 bytes copied in 2.20 secs (1334 bytes/sec)
[OK]


ASA1/pri/stby# Cryptochecksum: d854c471 4c772f39 6db68042 8fceddf0

2665 bytes copied in 1.250 secs (2665 bytes/sec)


Here are some useful show commands for verifying the pair. (The original post also walked through the same active-standby configuration in ASDM screenshots, which are not reproduced here.)

ASA1/sec/act# show failover ?

  descriptor  Show failover interface descriptors. Two numbers are shown for
              each interface. When exchanging information regarding a
              particular interface, this unit uses the first number in messages
              it sends to its peer. And it expects the second number in
              messages it receives from its peer. For trouble shooting, collect
              the show output from both units and verify that the numbers
              match.
  exec        Show failover command execution information
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
  <cr>

ASA1/sec/act# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
08:31:23 UTC Nov 2 2013
Not Detected               Disabled                   No Error

09:12:52 UTC Nov 2 2013
Disabled                   Negotiation                Set by the config command

09:12:57 UTC Nov 2 2013
Negotiation                Cold Standby               Detected an Active mate

09:12:58 UTC Nov 2 2013
Cold Standby               Sync Config                Detected an Active mate

09:13:24 UTC Nov 2 2013
Sync Config                Sync File System           Detected an Active mate

09:13:24 UTC Nov 2 2013
Sync File System           Bulk Sync                  Detected an Active mate

09:13:38 UTC Nov 2 2013
Bulk Sync                  Standby Ready              Detected an Active mate

09:18:35 UTC Nov 2 2013
Standby Ready              Just Active                Other unit wants me Active

09:18:38 UTC Nov 2 2013
Just Active                Active Drain               Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Drain               Active Applying Config     Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Applying Config     Active Config Applied      Other unit wants me Active

09:18:38 UTC Nov 2 2013
Active Config Applied      Active                     Other unit wants me Active

==========================================================================

ASA1/sec/act# show failover interface
        interface LAN-FAILOVER GigabitEthernet4
                System IP Address: 10.1.1.1 255.255.255.252
                My IP Address    : 10.1.1.2
                Other IP Address : 10.1.1.1
        interface STATEFUL-FAILOVER GigabitEthernet5
                System IP Address: 10.2.2.1 255.255.255.252
                My IP Address    : 10.2.2.2
                Other IP Address : 10.2.2.1

ASA1/sec/act# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

ASA1/sec/act# show failover statistics
        tx:1488
        rx:1352
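The show failover outputs above are read by eye in this post. As an added example (not from the original post and not Cisco code), here is a small Python check that parses that output and reports the conditions a practitioner looks for: failover off, failover LAN interface down, version mismatch (an Unknown mate version counts), units not in the Active / Standby Ready pairing, and interfaces that are not Normal (Monitored). The two sample dumps are constructed from the outputs shown in this post with the statistics section trimmed; the regular expressions assume the 8.4 output layout shown here.

```python
"""Turn 'show failover' text into a health check (added example, not from the post)."""
import re

# Constructed samples, modeled on the 'show failover' output in this post with the
# stateful statistics trimmed. HEALTHY is the primary after the secondary synced;
# MATE_FAILED is the primary before ASA2 was configured.
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 09:05:24 UTC Nov 2 2013
        This host: Primary - Active
                Active time: 604 (sec)
                  Interface inside (192.168.1.1): Normal (Monitored)
                  Interface outside (100.1.1.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Normal (Monitored)
                  Interface outside (100.1.1.2): Unknown (Waiting)
"""

MATE_FAILED = """\
Failover On
Failover unit Primary
Failover LAN Interface: LAN-FAILOVER GigabitEthernet4 (up)
Version: Ours 8.4(2), Mate Unknown
        This host: Primary - Active
                Active time: 120 (sec)
                  Interface inside (192.168.1.1): Normal (Waiting)
                  Interface outside (100.1.1.1): Normal (Waiting)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface inside (192.168.1.2): Unknown (Waiting)
                  Interface outside (100.1.1.2): Unknown (Waiting)
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
# e.g. "Interface outside (100.1.1.1): Unknown (Waiting)"; status may be two words ("No Link")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]+)\): (.+?) \((\w+)\)$")


def parse_show_failover(text):
    """Extract failover state, LAN link state, versions, and each unit's role,
    state and per-interface monitoring status from a 'show failover' dump."""
    info = {"failover_on": False, "lan_link_up": None,
            "ours": None, "mate": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
            continue
        if line.startswith("Failover LAN Interface:"):
            info["lan_link_up"] = line.endswith("(up)")
            continue
        m = VERSION_RE.match(line)
        if m:
            info["ours"], info["mate"] = m.group(1), m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()  # "this" or "other"
            info["hosts"][current] = {"unit": m.group(2),
                                      "state": m.group(3).strip(),
                                      "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            info["hosts"][current]["interfaces"][m.group(1)] = (m.group(3), m.group(4))
    return info


def failover_findings(text):
    """Apply the checks an on-call engineer does by eye; an empty list means healthy."""
    info = parse_show_failover(text)
    findings = []
    if not info["failover_on"]:
        findings.append("failover is off")
    if info["lan_link_up"] is False:
        findings.append("failover LAN interface is down")
    if info["ours"] != info["mate"]:  # a mate version of 'Unknown' lands here too
        findings.append(f"version mismatch: ours {info['ours']}, mate {info['mate']}")
    hosts = info["hosts"]
    if set(hosts) != {"this", "other"}:
        findings.append("could not parse both units")
        return findings
    states = {hosts["this"]["state"], hosts["other"]["state"]}
    if states != {"Active", "Standby Ready"}:
        findings.append("unit states " + ", ".join(sorted(states))
                        + " (expected one Active and one Standby Ready)")
    # 'Waiting' means this unit has not yet heard the mate's hello on that segment, so a
    # failure there cannot be detected yet; 'Unknown' is the initial, undetermined status.
    for who in ("this", "other"):
        for name, (status, monitor) in hosts[who]["interfaces"].items():
            if status != "Normal" or monitor != "Monitored":
                findings.append(f"{who} host: interface {name} is {status} ({monitor})")
    return findings


if __name__ == "__main__":
    for label, dump in (("HEALTHY", HEALTHY), ("MATE_FAILED", MATE_FAILED)):
        print(label, failover_findings(dump) or "OK")
```

Run against the healthy dump the only findings are the two outside interfaces stuck in Unknown (Waiting), which is exactly the condition the transcript shows and the one that quietly leaves a segment unmonitored; feed it the output of show failover collected over SSH on a schedule and alert on any non-empty result.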




