Thursday, February 5, 2015

How to Setup Cisco ASA High Availability Failover Configuration


On a production environment, it is highly recommended to deploy and configure a high availability infrastructure for WAN or LAN Backbone structure.

In this post we will discuss about security level involved when building edge layer for enterprise network.

I will explain how to configure two ASA firewalls in high availability mode. In this way, if the primary ASA fails, the secondary becomes active automatically without downtime for your network.


ASA HA Failover example
Fig1: ASA HA configuration example

ASA configuration example:


After you configured failover successfully it will be easier for you because you only need to set up primary firewall and all changes will get replicated to secondary box. 


Log on the primary ASA firewall and do the following configuration:


1. Enter global configuration mode

ASA1# conf t
ASA1(config)#

2.  Configure inside and outside interface with necessary ip addresses

ASA1(config)# interface gigabitEthernet 0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip address 172.16.1.1 255.255.255.248 standby 172.16.1.2
ASA1(config-if)# no shut

ASA1(config)# interface gigabitEthernet 1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
ASA1(config-if)# no shut

3. Designate the ASA as the primary unit

ASA1(config)# failover lan unit primary

4. Configure the ASA link that will be used as the failover link (Note: The interface_id can be a physical interface, subinterface, or redundant interface; or an EtherChannel interface ID)

ASA1(config)# failover lan interface failover-link gigabitethernet3
INFO: Non-failover interface config is cleared on GigabitEthernet3 and its sub-interfaces

5. Configure the primary and secondary IP addresses (Note: Both the primary and secondary IP addresses must be in the same subnet)

ASA1(config)# failover interface ip failover-link 192.168.10.1 255.255.255.252 standby 192.168.10.2

6. Configure the ASA link that will be used as the stateful failover link (Notes: This command is optional and is required only if stateful failover is being configured)

ASA1(config)# failover link failover-link gigabitethernet3

7. Optional, available from version 9.1(2): Configure the use of IPsec on the LAN-to-LAN failover links (failover and stateful failover, if configured) (Notes: The key parameter can be up to 128 characters in length. This is recommended when the failover link is not a direct link between ASA devices. For security reasons this should be implemented.)

ASA1(config)# failover ipsec pre-shared-key yourkey


Log on the secondary ASA firewall and do the following configuration:


1. Enter global configuration mode

ASA2# conf t
ASA2(config)#

2.  Configure inside and outside interface with necessary ip addresses

ASA2(config)# interface gigabitEthernet 0
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# ip address 172.16.1.1 255.255.255.248 standby 172.16.1.2
ASA2(config-if)# no shut

ASA2(config)# interface gigabitEthernet 1
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
ASA2(config-if)# no shut

3. Designate the ASA as the secondary unit

ASA2(config)# failover lan unit secondary

4. Configure the ASA link that will be used as the failover link (Note: The interface_id can be a physical interface, subinterface, or redundant interface; or an EtherChannel interface ID)

ASA2(config)# failover lan interface failover-link gigabitethernet3
INFO: Non-failover interface config is cleared on GigabitEthernet3 and its sub-interfaces

5. Configure the primary and secondary IP addresses (Note: Both the primary and secondary IP addresses must be in the same subnet)

ASA2(config)# failover interface ip failover-link 192.168.10.1 255.255.255.252 standby 192.168.10.2

6. Configure the ASA link that will be used as the stateful failover link (Notes: This command is optional and is required only if stateful failover is being configured)

ASA2(config)# failover link failover-link gigabitethernet3

7. Optional, available from version 9.1(2): Configure the use of IPsec on the LAN-to-LAN failover links (failover and stateful failover, if configured) (Notes: The key parameter can be up to 128 characters in length. This is recommended when the failover link is not a direct link between ASA devices. For security reasons this should be implemented.)

ASA2(config)# failover ipsec pre-shared-key yourkey


Enable the failover mechanism and check if synchronization was done:


1. Enable failover on ASA1 and ASA2

ASA1(config)#failover
ASA1(config)#

ASA2(config)#failover
ASA2(config)#

2. Verify status of failover mechanism

ASA1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 15:18:01 UTC Feb 6 2015
        This host: Primary - Active
                Active time: 62 (sec)
                  Interface outside (172.16.1.1): Normal (Monitored)
                  Interface inside (10.10.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 156 (sec)
                  Interface outside (172.16.1.2): Normal (Monitored)
                  Interface inside (10.10.10.2): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : failover-link GigabitEthernet3 (up)
        Stateful Obj       xmit       xerr       rcv        rerr
        General                 21         0          22         0
       
Note: Because of configuration replication on secondary unit you will see the same hostname on ASA2

ASA1# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-link GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 15:18:02 UTC Feb 6 2015
        This host: Secondary - Standby Ready
                Active time: 156 (sec)
                  Interface outside (172.16.1.2): Normal (Monitored)
                  Interface inside (10.10.10.2): Normal (Monitored)
        Other host: Primary - Active
                Active time: 372 (sec)
                  Interface outside (172.16.1.1): Normal (Monitored)
                  Interface inside (10.10.10.1): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : failover-link GigabitEthernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General              64         0          63         0
       
ASA1#


Tweaking and troubleshooting info:


To be more easy for you to check on which unit you are logged you need to do following configuration

ASA1# conf t
ASA1(config)# prompt hostname state
ASA1/act(config)# exit
ASA1/act# write mem

Prompt from secondary firewall

ASA1/stby#

This will help you to know on which box you have logged.

If you need to execute a command on peer firewall you can do that from actual firewall using this command

ASA1/act# failover exec ?

  active   Execute command on the active unit
  mate     Execute command on the peer unit
  standby  Execute command on the standby unit
ASA1/act# failover exec mate show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover-link GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 15:18:02 UTC Feb 6 2015
        This host: Secondary - Standby Ready
                Active time: 156 (sec)
                  Interface outside (172.16.1.2): Normal (Monitored)
                  Interface inside (10.10.10.2): Normal (Monitored)
        Other host: Primary - Active
                Active time: 1688 (sec)
                  Interface outside (172.16.1.1): Normal (Monitored)
                  Interface inside (10.10.10.1): Normal (Monitored)

ASA1/act#


If you need to move traffic on secondary firewall then you need to use this command

ASA1/act(config)# no failover active
ASA1/act(config)#
        Switching to Standby

ASA1/stby(config)#

Also if you need to make the secondary firewall active you can use this command

ASA1/stby# failover active

        Switching to Active
ASA1/act#

From privileged EXEC mode you have this option which could be helpful

ASA1/act# failover ?

  active                     Make this system to be the active unit of the failover pair
  exec                       Execute command on the designated unit
  reload-standby       Force standby unit to reboot
  reset                       Force an unit or failover group to an unfailed state


If you have any questions please leave a comment and i will reply with necessary information.
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)