Friday 10 August 2018

What is ASA Active/Standby Failover?

--> Active/Standby failover allows you to use a standby ASA that takes over if the active ASA fails.

--> When the active ASA fails, it changes to the standby state while the standby unit changes to the active state.

--> The standby ASA that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic.

--> The ASA that is now in the standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC-to-IP address pairing, no ARP entries change or time out anywhere on the network.

Failover Interface

--> Uses a dedicated physical interface for implementing failover between the two ASAs.

--> Used to replicate the configuration between the two ASAs.

--> Forwards keepalives to check whether the peer ASA is working.

--> An IP address is configured on the failover interface of each ASA for the two units to communicate.

--> Forwards state information as well as translation information between the two ASAs.

--> It is recommended to use the fastest interface on the ASA for failover, because it forwards data traffic, state information and other replicated data.

--> In Active/Standby failover, an ASA is either active or standby.

--> All traffic goes through the active ASA; if the active device goes down, the standby ASA becomes active.

--> The configured priority determines which ASA is active and which is standby.

--> All the configuration is done on the active ASA.

--> There is no preemption in ASA Active/Standby failover: once the standby ASA becomes active, it does not return to standby when the former active ASA comes back.

Configuration Synchronization

--> Configuration synchronization occurs when one or both devices in the failover pair boot.

--> Configurations are always synchronized from the active unit to the standby unit. 

--> When the standby unit completes its initial startup, it clears its running configuration (except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

Command Replication

--> Command replication always flows from the active unit to the standby unit. As commands are entered on the active unit, they are sent across the failover link to the standby unit. 

--> You do not have to save the active configuration to Flash memory to replicate the commands.

--> If you enter the write standby command on the active ASA device, the standby ASA clears its running configuration (except for the failover commands used to communicate with the active unit), and the active ASA sends its entire configuration to the standby ASA.

--> Replicated commands are stored in the running configuration. To save the replicated commands to Flash memory on the standby ASA, execute write memory on the active ASA.

Configuration:

ASA1

1) Configure which interface is the failover interface and assign a name to it.

ASA1(config)# Failover lan interface failover G0/0

2) Assign the IP address on the failover interface of ASA1.

ASA1(config)# Failover Interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2

3) Configure ASA1 as the primary (active) unit.

ASA1(config)# Failover lan unit primary

4) Configure stateful failover on the state interface to forward state information between the two ASAs.

ASA1(config)# failover link state G0/0

ASA1(config)# failover interface ip state 192.168.253.1 255.255.255.0 standby 192.168.253.2

5) Enable failover.

ASA1(config)# Failover

Note: The standby IP addresses are used in failover for sending keepalives from one ASA to the other. The active ASA is assigned 10.0.0.1 and the standby ASA is assigned 10.0.0.2.

ASA2

1) Configure which interface is the failover interface and assign a name to it.

ASA2(config)# Failover lan interface Failover G0/0

2) Assign the IP address on the failover interface of ASA2.

ASA2(config)# Failover Interface ip Failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

3) Configure ASA2 as the secondary (standby) unit.

ASA2(config)# Failover lan unit Secondary

4) Configure stateful failover on the state interface to forward state information between the two ASAs.

ASA2(config)# failover link state G0/0

ASA2(config)# failover interface ip state 192.168.253.1 255.255.255.0 standby 192.168.253.2

5) Enable failover.

ASA2(config)# Failover

HTTP Replication

--> By default, HTTP replication is not enabled between the two ASAs in Active/Standby mode.

--> To configure HTTP replication in Active/Standby mode, execute the following command on the active ASA:

ASA1(config)# failover replication http


Interface Monitoring

--> Interface monitoring allows you to choose which interfaces are monitored to decide whether failover occurs.

--> You can monitor up to 250 interfaces on a unit. 

--> By default, monitoring of physical interfaces is enabled and monitoring of subinterfaces is disabled.

--> The ASA sends hello packets out of each data interface to monitor interface health. 

--> If the ASA does not receive a hello packet from the corresponding interface on the peer unit for over half of the hold time, additional interface testing begins.

--> If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria.

The failover interface state can have one of the following values:

•Unknown—Initial status. This status can also mean the status cannot be determined.

•Normal—The interface is receiving traffic.

•Testing—Hello messages are not heard on the interface for five poll times.

•Link Down—The interface or VLAN is administratively down.

•No Link—The physical link for the interface is down.

•Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Configuration:

Step 1: Configure which interfaces are monitored for failover.

ASA1(config)# monitor interface Inside

ASA1(config)# monitor interface Outside

Step 2: Configure the hello (poll) and hold timers for interface monitoring.

ASA1(config)# failover polltime interface msec 500 holdtime 5

Step 3: Configure how many interfaces need to go down for failover to occur. Here I am configuring failover to occur if one interface goes down.

ASA1(config)# failover interface-policy 1

Step 4: To make the standby ASA the active ASA.

ASA2(config)# failover active
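As an added illustration (not from the original post or from Cisco), the following Python model walks through the interface-monitoring decision described above: each monitored interface is classified from how long the peer has been silent, and failover is triggered when the number of failed interfaces reaches the configured interface-policy threshold. It assumes the post's timers (polltime 500 ms, holdtime 5 s) and the count or percentage forms of interface-policy; the hello timestamps are constructed sample data.

```python
import math

# Timers from the configuration above: failover polltime interface msec 500 holdtime 5
HOLD_S = 5.0
POLICY = 1          # failover interface-policy 1

def interface_state(last_hello, now, hold_s=HOLD_S):
    """Classify one monitored interface from how long the peer has been silent.

    Silence up to half the holdtime is Normal. Beyond that the ASA starts the
    additional interface tests (Testing); with polltime 500 ms this matches the
    'five poll times' in the status list above (5 x 500 ms = 2.5 s = holdtime/2).
    Nothing heard within the full holdtime marks the interface Failed.
    """
    silence = now - last_hello
    if silence <= hold_s / 2:
        return "Normal"
    if silence <= hold_s:
        return "Testing"
    return "Failed"

def failed_threshold(policy, monitored):
    """Turn 'failover interface-policy' syntax (a count such as 1, or a
    percentage such as '50%') into the number of failed interfaces required."""
    if isinstance(policy, str) and policy.endswith("%"):
        pct = int(policy[:-1])
        return max(1, math.ceil(monitored * pct / 100))
    return int(policy)

def should_failover(last_hellos, now, policy=POLICY):
    """Return (failover_triggered, per-interface state) for the monitored set."""
    states = {name: interface_state(ts, now) for name, ts in last_hellos.items()}
    failed = sum(1 for s in states.values() if s == "Failed")
    return failed >= failed_threshold(policy, len(states)), states

# Constructed sample: time (seconds) of the last peer hello on each monitored
# interface, evaluated at NOW. Inside is healthy, DMZ has been quiet for 3 s
# (Testing), Outside has been silent for 7 s (Failed).
SAMPLE_HELLOS = {"Inside": 9.6, "Outside": 3.0, "DMZ": 7.0}
NOW = 10.0

if __name__ == "__main__":
    for pol in (1, 2, "50%"):
        triggered, states = should_failover(SAMPLE_HELLOS, NOW, pol)
        print(f"interface-policy {pol}: failover={triggered} {states}")
```

With interface-policy 1 the single failed interface (Outside) triggers failover; with 2 or 50% of the three monitored interfaces it does not.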

Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759
