Scribd Logo
Importer

Bienvenue sur Scribd !

  • Cisco ASA Active, Active Failover Configuration

    Transféré par

    Ciscohere-HKYEJIAN
    58 vues8 pages
    Cisco ASA Active,Active Failover Configuration.

    Titre original

    Cisco ASA Active,Active Failover Configuration

    Copyright

    © © All Rights Reserved

    Formats disponibles

    DOCX, PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    Cisco ASA Active,Active Failover Configuration.

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme DOCX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    58 vues8 pages

    Cisco ASA Active, Active Failover Configuration

    Transféré par

    Ciscohere-HKYEJIAN
    Cisco ASA Active,Active Failover Configuration.

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme DOCX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 8

    The Cisco ASA failover configuration requires two identical security appliances

    connected to each other through a dedicated failover link and, optionally, a stateful
    failover link. The health of the active interfaces and units is monitored to determine
    if specific failover conditions are met. If those conditions are met, failover occurs. In
    case of Active/active configuration both Units carry traffic. For creating active/active
    Failover, configuring both ASA devices in Multiple context mode is required.
    For ASA redundancy scenario the two devices must be the same models, must have
    the same number and type of interfaces and the same license is required. ASA 5505
    and 5510 do not support active/active failover without license upgrade.
    For active/active configuration, Failover Contexts and Failover groups need to be
    created. The Failover group is then applied to Primary or Secondary physical ASA unit.
    After this, the particular Failover group is applied to a Context. For example, primary
    unit is active ASA of Failover group1, but Secondary unit is Standby ASA of Failover
    group1. If primary ASA is out of order, Secondary ASA will become Active of Failover
    group1.
    For explaining Active/Active Failover configuration in details, lets do the following
    LAB.

    Click on the image above for larger size diagram


    Configuration
    !Switch both ASA devices to multiple context mode.
    asa(config)#mode multiple
    !When ASAs are reloaded, connect them to each other with Ge0/2 and Ge0/3 ports.
    First start with the Primary Unit configuration. Before starting configuration, all
    interfaces must be in the up state.
    !enable LAN Failover.
    asa(config)#failover lan enable
    !set this unit as primary.
    asa(config)#failover lan unit primary

    Determine Failover and State interfaces. These two interfaces can be the same
    physical interface if you dont need to consume one extra port. In our example here
    we use two separate physical interfaces.
    In this article, the failover (interface name for GigabitEthernet0/2) is used as a
    failover
    interface.
    !Define Failover Interface
    asa(config)#failover lan interface failover Ge0/2
    !assign IP address on Failover Interface. MUST be in same Subnet as the standby on
    the other unit.
    asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby
    192.168.3.2
    In this documentation, the state (interface name for GigabitEthernet0/3) is used as
    a state
    interface.
    !Define stateful Failover interface
    asa(config)#failover link state Ge0/3
    !assign IP address on Stateful Failover interface
    asa(config)#failover interface ip state 192.168.4.1
    192.168.4.2

    255.255.255.0 standby

    !Create Failover groups, where Failover group1 will be the Primary, i.e. active on
    Primary Unit and Failover group2 will be the Standby on Primary Unit. Configure also
    HTTP Replication, after which occurs HTTP Connection state replication between
    active and Standby ASAs. Also determine Preempt Delay. Preempt Delay means in
    what time to regain role of Active after Fail Recovery.
    asa(config)#failover group 1
    asa(config-fover-group)#primary
    asa(config-fover-group)#preempt 120
    asa(config-fover-group)# replication http
    asa(config)#failover group 2
    asa(config-fover-group)#secondary
    asa(config-fover-group)#preempt 120
    asa(config-fover-group)# replication http
    Now lets start creating Contexts and assigning interfaces in each Context.
    !Configure the admin context
    asa(config)# admin-context admin

    asa(config)# context admin


    asa(config-ctx)# allocate-interface Management0/0
    asa(config-ctx)# config-url disk0:/admin.cfg
    !configure the Sub-interfaces
    interface GigabitEthernet0/0.10
    vlan 10
    interface GigabitEthernet0/0.11
    vlan 11
    interface GigabitEthernet0/1.20
    vlan 20
    interface GigabitEthernet0/1.21
    vlan 21
    ! Configure the contexts
    asa(config)# context c1
    asa(config-ctx)# allocate-interface gigabitethernet0/0.10
    asa(config-ctx)# allocate-interface gigabitethernet0/1.20
    asa(config-ctx)# config-url disk0:/c1.cfg
    asa(config)# context c2
    asa(config-ctx)# allocate-interface gigabitethernet0/0.11
    asa(config-ctx)# allocate-interface gigabitethernet0/1.21
    asa(config-ctx)# config-url disk0:/c2.cfg
    !Snap each Context to Failover Groups. If we dont indicate Contexts to Failover
    Groups, each context will be in Group1 by default.
    asa(config)# context c1
    asa(config-ctx)# join-failover-group 1
    asa(config)# context c2
    asa(config-ctx)# join-failover-group 2
    !Configure IP addresses on Context1.
    asa#changeto context c1
    asa/c1# show running-config interface
    !
    interface GigabitEthernet0/0.10
    nameif outside
    security-level 0
    ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
    !
    interface GigabitEthernet0/1.20
    nameif inside
    security-level 100

    ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2


    !Configure IP addresses on Context2.
    asa#changeto context c2
    asa/c2# show running-config interface
    !
    interface GigabitEthernet0/0.11
    nameif outside
    security-level 0
    ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
    !
    interface GigabitEthernet0/1.21
    nameif inside
    security-level 100
    ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2
    !
    Now lets start Secondary Unit configuration.
    !Define Failover Interface
    asa(config)#failover lan interface failover Ge0/2
    !assign IP address on Failover Interface. MUST be in same Subnet as other unit.
    asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby
    192.168.3.2
    !enable LAN Failover.
    asa(config)#failover lan enable
    !set this unit as secondary
    asa(config)#failover lan unit secondary
    With the above piece of configuration commands everything is completed and now
    lets start checking.
    Verification:
    !verify Primary UNIT
    asa# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: failover GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1

    Monitored Interfaces 4 of 250 maximum


    Version: Ours 8.2(1), Mate 8.2(1)
    Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010
    Group 2 last failover at: 10:13:04 tbilisi Oct 24 2010
    This host: Primary
    Group 1
    State:
    Active
    Active time: 14536379 (sec)
    Group 2
    State:
    Standby Ready
    Active time: 0 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    c1 Interface outside (192.168.10.1): Normal
    c1 Interface inside (192.168.20.1): Normal
    c2 Interface outside (192.168.11.1): Normal
    c2 Interface inside (192.168.21.1): Normal
    slot 1: empty
    Other host: Secondary
    Group 1
    State:
    Standby Ready
    Active time: 1104 (sec)
    Group 2
    State:
    Active
    Active time: 14537266 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    c1 Interface outside (192.168.10.2): Normal
    c1 Interface inside (192.168.20.2): Normal
    c2 Interface outside (192.168.11.2): Normal
    c2 Interface inside (192.168.22.2): Normal
    slot 1: empty
    Stateful Failover Logical Update Statistics
    Link : state GigabitEthernet0/3.2 (up)
    Stateful Obj xmit
    xerr
    rcv
    rerr
    General
    2405585244 0
    75798262 188
    sys cmd
    1938317 0
    1938317 0
    up time
    0
    0
    0
    0
    RPC services 0
    0
    0
    0
    TCP conn
    1241561564 0
    43443406 91
    UDP conn
    1157379296 0
    28582971 84
    ARP tbl
    3799402 0
    1833568 13
    Xlate_Timeout 0
    0
    0
    0
    SIP Session 906665 0
    0
    0
    Logical Update Queue Information
    Cur Max Total

    Recv Q:
    Xmit Q:

    0
    0

    49
    7

    90335543
    2405585244

    !verify Secondary unit


    ASA# show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: failover GigabitEthernet0/2
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 8.2(1), Mate 8.2(1)
    Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010
    Group 2 last failover at: 10:13:03 tbilisi Oct 24 2010
    This host: Secondary
    Group 1
    State:
    Standby Ready
    Active time: 1104 (sec)
    Group 2
    State:
    Active
    Active time: 14537372 (sec)
    slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    c1 Interface outside (192.168.10.2): Normal
    c1 Interface inside (192.168.20.2): Normal
    c2 Interface outside (192.168.11.2): Normal
    c2 Interface inside (192.168.21.2): Normal
    slot 1: empty
    Other host: Primary
    Group 1
    State:
    Active
    Active time: 14536486 (sec)
    Group 2
    State:
    Standby Ready
    Active time: 0 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
    c1 Interface outside (192.168.10.1): Normal
    c1 Interface inside (192.168.20.1): Normal
    c2 Interface outside (192.168.11.1): Normal
    c2 Interface inside (192.168.21.1): Normal
    slot 1: empty
    Stateful Failover Logical Update Statistics

    Link : state GigabitEthernet0/3.2 (up)


    Stateful Obj xmit
    xerr
    rcv
    rerr
    General
    111758344 0
    1089580597 1046
    sys cmd
    1938331 0
    1938331 0
    up time
    0
    0
    0
    0
    RPC services 0
    0
    0
    0
    TCP conn
    73801356 0
    581933209 113
    UDP conn
    34185062 0
    501003000 886
    ARP tbl
    1833595 0
    3799403 36
    Xlate_Timeout 0
    0
    0
    0
    SIP Session 0
    0
    906654 11
    Logical Update Queue Information
    Cur Max Total
    Recv Q:
    0
    7
    1104118240
    Xmit Q:
    0
    1
    111758344
    As we observed from above, active/active Failover is working and everything is as
    expected.
    More Related Cisco and Networking Tips:
    How to Configure Dual ISP on Cisco ASA 5505?
    How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?
    New Cisco ASA Clustering Feature Enables 320 Gbps Firewall

    Vous aimerez peut-être aussi