Saturday, September 26, 2015

Cisco ASA Active/Standby Failover LAB

In this article will demonstrate on how to configure Active Standby failover on cisco ASA 5520 ASA firewall and how to verify and troubleshoot configuration step by step. This article is useful if you understand the theoretical part of the failover.

ASA1 Primary Configuration
ciscoasa(config)# int e2
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.0.254 255.255.255.0 standby 192.168.0.253
ciscoasa(config-if)# int e3
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
ciscoasa(config-if)# no shu
ciscoasa(config-if)# in e4
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ciscoasa(config)# int e0               ! failover lan interface for configuration replication
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e1        ! stateful link interface for stateful information replication
ciscoasa(config-if)# no sh
ciscoasa(config)# failover lan interface fail-1 e0
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover link fail-1 e0   
Note that it’s recommended to use another interface for stateful replication, but here we use the same interface for config replication and stateful replication.
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover replication http
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover key cisco
ciscoasa(config)# prompt hostname priority state
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate Unknown
Last Failover at: 14:44:50 UTC Sep 21 2019
        This host: Primary - Negotiation
                Active time: 0 (sec)
                  Interface inside (192.168.0.254): No Link (Waiting)
                  Interface dmz (192.168.2.254): No Link (Waiting)
                  Interface outside (192.168.1.254): No Link (Waiting)
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Unknown (Waiting)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        ……….
                 No Active mate detected

ciscoasa/pri/act(config)# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             15:02:31 UTC Sep 21 2019

ciscoasa/pri/act(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252 unset
Ethernet2                inside                 192.168.0.254   255.255.255.0   manual
Ethernet3                dmz                    192.168.2.254   255.255.255.0   manual
Ethernet4                outside                192.168.1.254   255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252 unset
Ethernet2                inside                 192.168.0.254   255.255.255.0   manual
Ethernet3                dmz                    192.168.2.254   255.255.255.0   manual
Ethernet4                outside                192.168.1.254   255.255.255.0   manual


ASA 2 –Secondary ASA Firewall Configuration
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

ciscoasa/sec/stby(config)#
ciscoasa/sec/stby(config)# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask              Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252          unset
Ethernet2                inside                 192.168.0.254   255.255.255.0            CONFIG
Ethernet3                dmz                    192.168.2.254   255.255.255.0            CONFIG
Ethernet4                outside                192.168.1.254   255.255.255.0            CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask              Method
Ethernet0                fail-1                 10.10.10.2      255.255.255.252          unset
Ethernet2                inside                 192.168.0.253   255.255.255.0            CONFIG
Ethernet3                dmz                    192.168.2.253   255.255.255.0            CONFIG
Ethernet4                outside                192.168.1.253   255.255.255.0            CONFIG

ciscoasa/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 17:01:41 UTC Sep 21 2019
        This host: Primary - Active
                Active time: 98 (sec)
                  Interface inside (192.168.0.254): Normal (Monitored)
                  Interface dmz (192.168.2.254): Unknown (Waiting)
                  Interface outside (192.168.1.254): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Normal (Monitored)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)       
ciscoasa/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 17:01:20 UTC Sep 21 2019
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Normal (Monitored)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)
        Other host: Primary - Active
                Active time: 145 (sec)
                  Interface inside (192.168.0.254): Normal (Monitored)
                  Interface dmz (192.168.2.254): Unknown (Waiting)
                  Interface outside (192.168.1.254): Unknown (Waiting)
Now NATING the inside network to the outside
ciscoasa/pri/act(config)# object network inside-net
ciscoasa/pri/act(config-network-object)# subn
ciscoasa/pri/act(config-network-object)# subnet 192.168.0.0 255.255.255.0
ciscoasa/pri/act(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa/pri/act(config)# policy-map global_policy
ciscoasa/pri/act(config-pmap)#  class inspection_default
ciscoasa/pri/act(config-pmap-c)# inspect icmp
ciscoasa/pri/act(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1
NOW inside network can reach the internet and he did ping successfully to www.google.com
When cpmare the asa firewalls active and standby now, u will be sure that the stateful information replication happened successfully. See the tcp and udp connections on both of the asa firewalls.
ciscoasa/pri/act# show failover
Failover On
Failover unit Primary
….
Stateful Failover Logical Update Statistics
        Link : fail-2 Ethernet1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         95         0          33         0
        sys cmd         33         0          33         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        12         0          0          0
        UDP conn        28         0          0          0
        ARP tbl         21         0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        ……
ciscoasa/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 Ethernet0 (up)
…….
        TCP conn        0          0          12         0
        UDP conn        0          0          28         0
        ARP tbl         0          0          21         0
        ……
Now I want to stop the active firewall manually using the command no failover active
ciscoasa/pri/act(config)# no failover active
ciscoasa/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
        Switching to Standby
ciscoasa/pri/stby(config)#


Posted by at
Labels:

1 comment:

  1. UnknownOctober 27, 2021 at 1:41 AM

    This is a totally impressive story that everyone needs to inspect with gratefulness for sharing. Have you at any point searched for the online counter application for click counts and scores additionally visit the mouse click counter profile. singularities who concentrate on mantras and tasbih can utilize the application as a tasbih or mantra counter. The wash factor you need to do is to open the tool and click the counter button after each measuring meeting. utilizing this application, you may be sure music and keep your ordinary serenades.

    ReplyDelete

Subscribe to: Post Comments (Atom)