
How to Configure Hot Failover - Cisco ASA 5510, 5500 Series Firewalls - Active/Standby:


·         Two ASAs with identical hardware.

·         Compare the installed licenses with "show version". Below ASA software 8.3 the licenses must match on both units; from 8.3 on they no longer need to match exactly, because the failover pair shares a combined license. Upgrading to 8.3 is not required for failover; if you do upgrade, study first! Access lists and NAT changed in 8.3, so existing NAT and ACL configuration needs manual clean-up and reconfiguration, and 8.3 also needs more memory (1 GB on the ASA 5510).

·         Once failover is configured, the configuration replicates from the primary (active) unit to the standby. Important: ONLY the configuration replicates. AnyConnect images, client profiles such as AutoReconnect.xml and boot images do not, so upload all of them to both ASAs before you start the configuration below. SSL certificates and their configuration, if installed on the primary, do replicate.

·         Connect the two ASAs with a Cat5 cable as the failover link (heartbeat). The Management0/0 interface can be used for this. Pick a dedicated network and address for that link, for instance 192.168.150.1 on the primary; the standby gets 192.168.150.2. Configuration replication (and connection state, when the same link carries state) crosses this link in clear text unless you configure a shared secret with "failover key" on both units, so keep the link point-to-point or on an isolated VLAN and set the key.

Primary ASA:

For each interface that has an IP address and subnet mask, pick a second address for the standby unit from the same network. For instance, for the inside interface with 192.168.99.1 255.255.255.0, pick 192.168.99.2 for the standby (no mask needed; it uses the mask of the active address) and configure the interface with: ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

Do the same for all other interfaces you are going to use, such as outside and DMZ (with different addresses, of course). Make sure they are all "no shutdown". Each interface needs to be on a different network.

For the management interface that will carry the failover link, do a no shutdown only. Make sure it has no interface name ("no nameif") and do not configure an IP address on it.

Type the following commands:

ASA(config)# failover lan unit primary

ASA(config)# failover lan interface failover Management0/0
When you enter this command the ASA reports "INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces" and gives the interface the description "LAN Failover Interface".

ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2

ASA(config)# failover link failover Management0/0
If you do a show running-config you will see that the description of interface Management0/0 has changed to "LAN/STATE Failover Interface": the same link now also carries connection state (stateful failover).

ASA(config)# failover replication http
(HTTP connections are not replicated to the standby by default; this command includes them in state replication.)

ASA(config)# failover


Secondary/Standby ASA: Connect all interfaces to their respective networks (at least the inside interface to the inside network and the outside interface to the outside network; the Management0/0 interfaces of both ASAs are connected together with a Cat5 or crossover cable). Connect to the ASA through the console.

Go to every interface you are going to use (the same ones as on the primary) and do a no shutdown. Don't forget the management interface that will be used as the failover interface; make sure it has no interface name ("no nameif"). The rest of the configuration, IP addresses included, replicates from the primary once replication starts.

The following is the minimum configuration you need on the standby. No more!

Type the following:

ASA(config)# failover lan interface failover Management0/0

ASA(config)# failover interface ip failover 192.168.150.1 255.255.255.0 standby 192.168.150.2
(This is exactly the same command you typed on the primary. The unit role decides which address each unit takes: the primary uses the first address, the secondary the standby address, regardless of which unit is active.)

ASA(config)# failover link failover Management0/0

ASA(config)# failover lan unit secondary

ASA(config)# failover replication http

ASA(config)# failover
(This is the last command. As soon as you enter it, configuration replication from the active unit starts.)

You will see messages similar to the following:

Detected an Active mate
Beginning configuration replication from mate....
Jul 12 2013 23:37:14: %ASA-6-720037: (VPN-Secondary) HA progression callback: id=3,seq=200,grp=0,event=101,op=15,my=Sync Config,peer=Active.
Jul 12 2013 23:37:14: %ASA-6-721003: (WebVPN-Secondary) HA progression change: event HA_PROG_STANDBY_CONFIG, my state Sync Config, peer state Active.
Jul 12 2013 23:37:14: %ASA-1-709006: (Secondary) End Configuration Replication (STB)


Give replication a minute or so to finish before you proceed.
Then go back to the primary ASA (not the standby) and save the configuration there; in a failover pair, write memory on the active unit saves the configuration on both units: ASA# write memory
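The whole procedure above (standby addresses on the primary's data interfaces, the bare failover interface, and the failover block typed on both units) gathered into one script, as an added example that is not from the original post: it emits the command set for each unit from a single definition and checks the constraints the text relies on before anything is pasted in. The interface layout, the addresses and the failover key value are assumptions; the "failover key" line is a real ASA command that the original post does not use and that encrypts the traffic on the failover link.

```python
"""Emit the Active/Standby failover command set for both ASAs from one
definition and check the constraints the procedure above relies on.
Added example, not from the original post; the interface layout, the
addresses and the failover key are assumptions chosen for illustration."""
import ipaddress

# Constructed sample: (nameif, physical interface, active ip, mask, standby ip)
DATA_INTERFACES = [
    ("inside",  "Ethernet0/1", "192.168.99.1", "255.255.255.0",   "192.168.99.2"),
    ("outside", "Ethernet0/0", "203.0.113.1",  "255.255.255.248", "203.0.113.2"),
    ("dmz",     "Ethernet0/2", "172.16.10.1",  "255.255.255.0",   "172.16.10.2"),
]
# Failover link: (physical interface, active ip, mask, standby ip); no nameif on it.
FAILOVER_LINK = ("Management0/0", "192.168.150.1", "255.255.255.0", "192.168.150.2")


def validate(data_ifaces, fo_link):
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    seen = []  # (network, name) pairs already claimed by an interface
    rows = [(n, i, a, m, s) for n, i, a, m, s in data_ifaces]
    rows.append(("failover", *fo_link))
    for name, iface, active, mask, standby in rows:
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        # the standby address must sit in the same subnet as the active one
        if ipaddress.ip_address(standby) not in net:
            problems.append(f"{name}: standby {standby} is not in {net}")
        if active == standby:
            problems.append(f"{name}: active and standby addresses are identical")
        # every interface, the failover link included, needs its own network
        for other_net, other_name in seen:
            if net.overlaps(other_net):
                problems.append(f"{name} overlaps {other_name} ({net} vs {other_net})")
        seen.append((net, name))
        # the failover link must not double as a data interface
        if name != "failover" and iface == fo_link[0]:
            problems.append(f"{name}: {iface} is reserved for the failover link")
    return problems


def unit_commands(role, data_ifaces, fo_link, key=None):
    """Configuration lines for one unit; role is 'primary' or 'secondary'."""
    fo_iface, fo_ip, fo_mask, fo_standby = fo_link
    cmds = []
    for name, iface, active, mask, standby in data_ifaces:
        cmds.append(f"interface {iface}")
        if role == "primary":
            # data interface addresses are entered on the primary only;
            # they reach the secondary through configuration replication
            cmds += [f" nameif {name}", f" ip address {active} {mask} standby {standby}"]
        cmds.append(" no shutdown")
    # the failover interface carries no nameif and no ordinary address on either unit
    cmds += [f"interface {fo_iface}", " no nameif", " no shutdown"]
    # the failover block is identical on both units except for the unit role
    cmds += [
        f"failover lan unit {role}",
        f"failover lan interface failover {fo_iface}",
        f"failover interface ip failover {fo_ip} {fo_mask} standby {fo_standby}",
        f"failover link failover {fo_iface}",
    ]
    if key:
        # shared secret that encrypts failover and state traffic on the link;
        # it must be identical on both units (assumed value, not from the post)
        cmds.append(f"failover key {key}")
    cmds += ["failover replication http", "failover"]
    return cmds


def both_units(data_ifaces=DATA_INTERFACES, fo_link=FAILOVER_LINK, key="F0-sh4r3d-s3cr3t"):
    """Validate once, then produce the primary and secondary command sets."""
    problems = validate(data_ifaces, fo_link)
    if problems:
        raise ValueError("; ".join(problems))
    return {role: unit_commands(role, data_ifaces, fo_link, key)
            for role in ("primary", "secondary")}


if __name__ == "__main__":
    for role, cmds in both_units().items():
        print(f"! ---- {role} ----")
        print("\n".join(cmds))
```

Paste the primary block first, then the secondary block. Generating both sides from one definition is what guarantees that the "failover interface ip" line is identical on both units and that no data interface lands on the failover link's network, the two mistakes that most often leave the pair stuck in a non-replicating state.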

You can use the following two commands to see the state of failover:
ASA# show failover
ASA# show failover state

Down the road, if the standby configuration gets out of sync with the active ASA, go to the active ASA and do: write standby
That overwrites the standby's running configuration with a fresh copy replicated from the active unit.

Manual failover on Cisco ASA via CLI:

You can force a failover to the standby from the primary using "failover exec", which runs the command on the standby unit:
CiscoASA# failover exec standby failover active
On the active firewall you can perform the following command to hand over the active role:
infowall-external# no failover active
On the standby firewall you can perform the following command to take the active role:
infowall-external# failover active
It is recommended that you use "show failover" (abbreviated "sh fail") first to determine which device you are connected to. The output lists This host as (Primary) or (Secondary), telling you on which device the commands will be executed.

infowall-external/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: sync Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(4)5, Mate 8.4(4)5
Last Failover at: 14:25:46 UTC Jul 23 2013
This host: Primary - Active
Active time: 23199560 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
Interface outside (140.0.0.0): Normal (Monitored)
Interface inside (10.0.0.0): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
IPS, 7.1(7)E4, Up
Other host: Secondary - Standby Ready
Active time: 2996 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
Interface outside (140.0.0.1): Normal (Monitored)
Interface inside (10.0.0.1): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
IPS, 7.1(7)E4, Up

If the two devices share the outside IP address (the active address moves to whichever unit becomes active) and you are connecting from that zone, you always land on the currently active unit, so be aware of which device the change is being made on. You can also use "sh fail" or a ping across the failover interface to monitor the mate until it completes its reboot.
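The "which device am I on, and is a failover safe right now?" check described above, as an added example that is not part of the original post: it parses "show failover" output, reports the unit the command ran on, and flags the conditions under which a forced failover would not be clean (failover off, version mismatch, no Standby Ready mate, a monitored interface that is not Normal). The sample input is the sh fail output printed above, embedded as a string so the check runs offline; the health rules are this example's own choice, not an ASA feature.

```python
"""Parse "show failover" output and flag anything that makes a failover unsafe.
Added example, not part of the original post. The sample below is the
show failover output printed above, embedded here as a string so the
check runs offline; the health rules are this example's own choice."""
import re

SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: sync Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(4)5, Mate 8.4(4)5
Last Failover at: 14:25:46 UTC Jul 23 2013
This host: Primary - Active
Active time: 23199560 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
Interface outside (140.0.0.0): Normal (Monitored)
Interface inside (10.0.0.0): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
IPS, 7.1(7)E4, Up
Other host: Secondary - Standby Ready
Active time: 2996 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(4)5) status (Up Sys)
Interface outside (140.0.0.1): Normal (Monitored)
Interface inside (10.0.0.1): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(7)E4) status (Up/Up)
IPS, 7.1(7)E4, Up
"""

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([^)]+)\): ([^(]+?) \(([^)]+)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


def parse_show_failover(text):
    """Return failover state, software versions and per-unit interface status."""
    parsed = {"enabled": None, "unit": None, "ours": None, "mate": None, "hosts": {}}
    current = None  # the unit whose interface lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            parsed["enabled"] = True
        elif line.startswith("Failover Off"):
            parsed["enabled"] = False
        elif line.startswith("Failover unit "):
            parsed["unit"] = line.split()[-1]
        elif m := VERSION_RE.match(line):
            parsed["ours"], parsed["mate"] = m.groups()
        elif m := HOST_RE.match(line):
            which, role, state = m.groups()
            current = {"role": role, "state": state.strip(), "interfaces": []}
            parsed["hosts"][which.lower()] = current
        elif current is not None and (m := IFACE_RE.match(line)):
            name, addr, status, monitoring = m.groups()
            current["interfaces"].append(
                {"name": name, "ip": addr, "status": status.strip(), "monitoring": monitoring})
    return parsed


def connected_unit(parsed):
    """The unit the command ran on, e.g. 'Primary (Active)': the answer to
    "which device am I on?" before typing failover active."""
    host = parsed["hosts"].get("this")
    return f"{host['role']} ({host['state']})" if host else "unknown"


def check_failover(parsed):
    """Return a list of issues; an empty list means a forced failover would be clean."""
    issues = []
    if parsed["enabled"] is not True:
        issues.append("failover is not enabled")
    if parsed["ours"] != parsed["mate"]:
        issues.append(f"software mismatch: ours {parsed['ours']}, mate {parsed['mate']}")
    hosts = parsed["hosts"]
    if set(hosts) != {"this", "other"}:
        issues.append("output does not describe both units")
    states = {h["state"] for h in hosts.values()}
    if "Active" not in states:
        issues.append("no unit is Active")
    if "Standby Ready" not in states:
        issues.append("no unit is Standby Ready, so a failover now would not be clean")
    for which, host in hosts.items():
        for iface in host["interfaces"]:
            # a monitored interface in any state other than Normal will trigger
            # or block a failover depending on which unit owns it
            if iface["monitoring"] == "Monitored" and iface["status"] != "Normal":
                issues.append(f"{which} host ({host['role']}): interface "
                              f"{iface['name']} is {iface['status']}")
    return issues


if __name__ == "__main__":
    state = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("connected to:", connected_unit(state))
    print("issues:", check_failover(state) or "none")
```

Feed it the text captured from "show failover" over SSH or the console; on the sample above it reports "Primary (Active)" with no issues, which is the state you want to see before "no failover active" or "failover exec standby failover active".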



Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID a...