This article demonstrates how to configure active/active failover. It is useful if you already understand the concepts and theory behind active/active failover.
ASA1(config)# sho mode
Security context mode: single
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA1# show context
Context Name      Class      Interfaces           Mode         URL
*admin            default                         Routed       disk0:/admin.cfg
Total active Security Contexts: 1
ASA1(config)# context ctx-2
ASA1(config-ctx)# allocate-interface e2
ASA1(config-ctx)# allocate-interface e1
ASA1(config-ctx)# config-url ctx2.conf
ASA1(config)# admin-context ctx-2
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
 admin            default                         Routed       disk0:/admin.cfg
*ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf
ASA1(config)# no context admin
WARNING: Removing context 'admin'
Proceed with removing the context? [confirm]
Removing context 'admin' (1)... Done
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
*ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf
ASA1(config)# context ctx-1
ASA1(config-ctx)# allocate-interface e0
ASA1(config-ctx)# allocate-interface e1
ASA1(config-ctx)# config-url ctx1.conf
ASA1(config)# admin-context ctx-1
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
 ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf
*ctx-1            default    Ethernet0,Ethernet1  Routed       disk0:/ctx1.conf
ASA1(config)# changeto context ctx-1
ASA1/ctx-1(config)# int e1
ASA1/ctx-1(config)# no sh
ASA1/ctx-1(config-if)# ip address 192.168.1.5 255.255.255.0 standby 192.168.1.6
ASA1/ctx-1(config-if)# mac-address 0000.0000.0001 standby 0000.0000.0002
ASA1/ctx-1(config-if)# int e0
ASA1/ctx-1(config)# no sh
ASA1/ctx-1(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 60
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt 60
ASA1(config)# context ctx-1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# context ctx-2
ASA1(config-ctx)# join-failover-group 2
ASA1/ctx-1(config)# changeto context ctx-2
ASA1/ctx-2(config)# int e2
ASA1/ctx-2(config-if)# no sh
ASA1/ctx-2(config-if)# nameif dmz
ASA1/ctx-2(config-if)# security-level 50
ASA1/ctx-2(config-if)# ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
ASA1/ctx-2(config-if)# int e1
ASA1/ctx-2(config-if)# nameif outside
ASA1/ctx-2(config-if)# security-level 0
ASA1/ctx-2(config-if)# ip address 192.168.1.7 255.255.255.0 standby 192.168.1.8
ASA1/ctx-2(config-if)# mac-address 0000.0000.0003 standby 0000.0000.0004
ASA1(config)# int e3
ASA1(config-if)# no sh
ASA1(config-if)# int e4
ASA1(config-if)# no sh
ASA1(config)# failover lan interface fail-config e3
ASA1(config)# failover link fail-state e4
ASA1(config)# failover interface ip fail-config 192.168.10.1 255.255.255.0 standby 192.168.10.2
ASA1(config)# failover interface ip fail-state 192.168.20.1 255.255.255.0 standby 192.168.20.2
ASA1/ctx-2(config)# changet system
ASA1(config)# failover lan unit primary
ASA1(config)# failover
ASA1(config)# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Negotiation    None
Other host -   Secondary
               Not Detected   None
====Configuration State===
====Communication State===
ASA1(config)# .
        No Active mate detected
Group 1 No Response from Mate, Switch to Active
Group 2 No Response from Mate, Switch to Active
ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate Unknown
Group 1 last failover at: 08:09:31 UTC Sep 25 2019
Group 2 last failover at: 08:09:31 UTC Sep 25 2019
This host: Primary
Group 1 State: Active
Active time: 21 (sec)
Group 2 State: Active
Active time: 21 (sec)
ctx-2 Interface dmz (10.2.2.1): Unknown (Waiting)
ctx-2 Interface outside (192.168.1.7): Unknown (Waiting)
ctx-1 Interface inside (10.1.1.1): Unknown (Waiting)
ctx-1 Interface outside (192.168.1.5): Unknown (Waiting)
Other host: Secondary
Group 1 State: Failed
Active time: 0 (sec)
Group 2 State: Failed
Active time: 0 (sec)
ctx-2 Interface dmz (10.2.2.2): Unknown (Waiting)
ctx-2 Interface outside (192.168.1.8): Unknown (Waiting)
ctx-1 Interface inside (10.1.1.2): Unknown (Waiting)
ctx-1 Interface outside (192.168.1.6): Unknown (Waiting)
ASA1(config)# prompt hostname priority context state
ASA2 Configuration
ciscoasa(config)#int e3
ciscoasa(config)#no sh
ciscoasa(config)#int e4
ciscoasa(config)#no sh
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface fail-config e3
ciscoasa(config)# failover interface ip fail-config 192.168.10.1 255.255.255.0 standby 192.168.10.2
ASA1/pri/act# Beginning configuration replication:
Sending to mate.
End Configuration Replication to mate
ASA1/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Group 1 last failover at: 08:09:31 UTC Sep 25 2019
Group 2 last failover at: 08:09:31 UTC Sep 25 2019
This host: Primary
Group 1 State: Active
Active time: 922 (sec)
Group 2 State: Active
Active time: 922 (sec)
ctx-2 Interface dmz (10.2.2.1): Normal (Waiting)
ctx-2 Interface outside (192.168.1.7): Normal (Waiting)
ctx-1 Interface inside (10.1.1.1): Normal (Waiting)
ctx-1 Interface outside (192.168.1.5): Normal (Waiting)
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
ASA1/sec/stby# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Primary
    Group 1    Active         Comm Failure             08:24:32 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:24:32 UTC Sep 25 2019
After 60 seconds
ASA1/sec/stby# sh failover state
Group 2 preempt mate
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None
Other host -   Primary
    Group 1    Active         Comm Failure             08:24:32 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:24:32 UTC Sep 25 2019
ASA1/pri/act# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Standby Ready  Comm Failure             08:09:49 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:09:49 UTC Sep 25 2019
Router Configuration
ip route 0.0.0.0 0.0.0.0 192.168.1.5
interface Ethernet0/0
ip address 192.168.1.70 255.255.255.0
ip http server
ip http secure-server
ASA verification when a request comes from 10.1.1.211 to 192.168.1.70 port 80
nat (inside,outside) source dynamic any interface
ASA1/pri/ctx-1/act(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:01:15 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1203 to outside:192.168.1.5/1203 flags ri idle 0:00:03 timeout 0:00:30
ASA1/pri/ctx-1/act(config)# sh conn
5 in use, 5 most used
TCP outside 192.168.1.70:80 inside 10.1.1.211:1204, idle 0:00:26, bytes 0, flags Ux
ASA1/pri/act(config)# no failover active group 1
ASA1/pri/stby# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Active         Comm Failure             08:09:49 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:09:49 UTC Sep 25 2019
ASA1/sec/ctx-1/act# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:06:55 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1207 to outside:192.168.1.5/1207 flags ri idle 0:00:29 timeout 0:00:30
ASA1/sec/ctx-1/act#
ASA1/pri/stby#failover active group 1
ASA1/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Group 1 last failover at: 09:11:41 UTC Sep 25 2019
Group 2 last failover at: 08:25:31 UTC Sep 25 2019
This host: Primary
Group 1 State: Active
Active time: 2 (sec)
Group 2 State: Standby Ready
Active time: 960 (sec)
ctx-2 Interface dmz (10.2.2.2): Normal (Monitored)
ctx-2 Interface outside (192.168.1.8): Normal (Monitored)
ctx-1 Interface inside (10.1.1.1): Normal (Waiting)
ctx-1 Interface outside (192.168.1.5): Normal (Waiting)
ASA1/pri/ctx-1/act# sh xlate
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:09:44 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1206 to outside:192.168.1.5/1206 flags ri idle 0:04:06 timeout 0:00:30
TCP PAT from inside:10.1.1.211/1205 to outside:192.168.1.5/1205 flags ri idle 0:05:11 timeout 0:00:30