ASA - Failover - ACTIVE/STANDBY


Hardware requirements:

Two units in failover must:

  • the same model
  • have the same number and type of interfaces
  • have the same modules installed(if any)
  • have the same RAM installed

Flash memory size does not have to be equal however the smaller one has to have enough space for firmware and configuration file. This is extremally important because config synchronization can fail if there is no enough space.

 

Limitation:

  • You cannot enable failover when CA server is up and running.

"ERROR: Failover cannot be configured while the local CA server
is configured. Please remove the local CA server configuration
before configuring failover."

command to remove CA server:

(config)# clear configure crypto ca server

  • firmware version should be the same on both units but it is not mandatory.

 

 

FIREWALLS:

ASA1 - Primary unit

ethernet 0/0 - 81.223.184.146/28  ( Internet - ISP1)

ethernet0/1 - 77.204.202.4/29      (Internet - ISP2)

ethernet 0/2 - 10.10.231.254/24   (LAN)

Ethernet 0/3 - failover interface

Management0/0 - Statefull interface

ASA2 - Secondary unit

ethernet 0/0 - 81.223.184.147/28  ( Internet - ISP1)

ethernet0/1 - 77.204.202.7/29      (Internet - ISP2)

ethernet 0/2 - 10.10.231.253/24   (LAN)

Ethernet 0/3 - failover interface

Management0/0 - Statefull interface

 

Statefull and Failover interface can be on the same physical interface. They can be connected together via cable or via switch.

When you connect via switch be carefull do not keep those interfaces on shared(data) network.

 

STATELESS FAILOVER(HARDWARE)

 Stateless failover does not handle session state so in case of switching to standby unit sessions will be lost and has to be reestablished. In stateless failover we do not need Statefull interface.

ASA1

(config)# failover lan unit primary

Enable this appliance as a primary unit.


 (config)# failover lan interface FAILOVER ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces

Specify ethernet0/3 as a failover interface.The name of this interface is FAILOVER but can be any name.


(config)# failover interface ip FAILOVER 192.168.250.1 255.255.255.0 standby 192.168.250.2

Assign active and standby IP to FAILOVER interface.


(config)# failover key cisco

Encrypt and authenticate traffic.

(config)# failover

Enable failover on primary unit.

 

Check current status of Failover on primary unit.

asa-failover-1.PNG

 

ASA2

(config)# failover lan unit secondary

Configure second asa as a secondary unit in failover pair.

 

(config)# failover lan interface FAILOVER ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces

Configure ethernet0/3 interface as a failover interface

 

(config)# failover interface ip FAILOVER 192.168.250.1 255.255.255.0 standby 192.168.250.2

Assign ip to failover interface.

 

 (config)# failover key cisco

Encrypt and authenticate traffic.


(config)# failover

Enable failover on standby unit.

 

 Check failover status on standby unit.

asa-failover-2.PNG

Note that firmware version is different  on both ASA. It is possible on firmware 7.0 and higher but  I stronglyrecommend to keep the same version on both unit.

Below warning on both unit if there is mismatch with firmware version.

asa-failover-3.PNG

Check failover status on primary unit.

 asa-failover-4.PNG

 

 Failover is configured properly and working fine

 

STATEFULL FAILOVER


The difference between statefull and stateless failover is:

  - in statefull failover all session states are exchange so case of hardware failure users will not loose their session and standby unit will still be able to keep active connections.(no sessions drop)

 - in stateless failover in case of failure all  sessions has to be reestablished and users will see short breaks.

 

Because our failover is up all changes we have to do on active unit only!

If you try to configure standby unit you will get:

# conf t


                                        **** WARNING ****
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

 

ASA1

(config)# failover link STATEFULL management0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces

Configure management0/0 interface as a statefull interface.

 

(config)# failover interface ip STATEFULL 192.168.255.1 255.255.255.0 standby 192.168.255.2

Assign ip for statefull interface.


 (config)# failover replication http

Enable http replication.

 

 

As we see above statefull failover started to work.

 

SIMULATE HARDWARE FAILURE

First simulation is reload primary unit because I upgraded image to the same version as standby unit.

See output from standby unit.

 ASA2#
        Switching to Active

asa-failover-5.PNG

Above output from secondary unit which now is primary.

When Primary unit is up after failute secondary still will be active unit his failure or until we change the role by hand(see output below).

 asa-failover-6.PNG

 

 

MANULY CHANGE ROLE TO ACTIVE ON STANDBY UNIT

 

# failover active

This command has to be typed on STANDBY unit!

Check failover status

asa-failover-7.PNG

 

 FAILOVER MONITORING

 

Descriptors

When failover is working properly descriptors on interfaces have to be the same.

#show failover descriptors

asa-failover-9.PNG

State

This command show current state of failover. Here you can also see if and when last failure happened.

#show failover state

asa-failover-10.PNG

 

History

This command shows you history of  states changes.

#show failover history

asa-failover-11.PNG

 

 Statefull configuration and statefull stats

asa-failover-12.PNG

 

Interfaces configuration

This command shows you failover intefaces configuration

#show failover interface

asa-failover-13.PNG

 

 

 WORK WITH PRIMARY AND STANDBY UNIT

 

In most cases you will manage failover from primary unit(configuration always) however you can also manage standby unit from primary unit,e.g. to reload switch.

 

example 1

Reload standy unit from active unit

# failover reload-standby

example 2

Run command on standby unit and display on primary unit,e.g. show ip

asa-failover-14.PNG

 

 

dzbanek 2013-04-18

This site uses cookies. Some of the cookies we use are essential for parts of the site to operate and have already been set. You may delete and block all cookies from this site, but parts of the site will not work.