Wednesday, June 27, 2012

Configuring Active/Standby Failover in cisco ASA

Failover provides redundancy between appliances: if one appliance fails, a redundant appliance takes over for it. That is why most companies implement failover for network security and redundancy.

Failover is a Cisco-proprietary feature unique to the security appliance. It provides redundancy between paired appliances, with one appliance backing up the other. This section introduces failover concepts.


Failover implementations

There are two implementations that Cisco supports for failover.

Active/Standby
Active/Active

Active/Standby

The active/standby implementation of failover needs two appliances: a primary and a secondary. By default the primary unit takes the active role and the secondary the standby role, and only the active appliance processes traffic. If the primary appliance fails, the secondary appliance takes over the active role.

The following is the configuration of Active/Standby failover on a Cisco ASA.




ASA1

ciscoasa(config)#hostname asa1
asa1(config)#int e0/0
asa1(config-if)#nameif inside
asa1(config-if)#ip add 192.168.2.1 255.255.255.0 standby 192.168.2.2
asa1(config-if)#no shut

asa1(config-if)#int e0/1
asa1(config-if)#nameif outside
asa1(config-if)#ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2
asa1(config-if)#no shut

asa1(config-if)#int e0/2
asa1(config-if)#no shut
asa1(config-if)#int e0/3
asa1(config-if)#no shut
asa1(config-if)#exit

asa1(config)#failover lan unit primary
asa1(config)#failover lan interface FOControl e0/2
asa1(config)#failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
asa1(config)#failover link FOState e0/3
asa1(config)#failover interface ip FOState 192.168.21.1 255.255.255.0 standby 192.168.21.2
asa1(config)#failover key cisco
asa1(config)#failover polltime msec 200 holdtime msec 800


ASA2


ciscoasa(config)#hostname asa2
asa2(config)#int e0/0
asa2(config-if)#no shut
asa2(config-if)#int e0/1
asa2(config-if)#no shut
asa2(config-if)#int e0/2
asa2(config-if)#no shut
asa2(config-if)#int e0/3
asa2(config-if)#no shut

asa2(config)#failover lan unit secondary
asa2(config)#failover key cisco
asa2(config)#failover lan interface FOControl e0/2
asa2(config)#failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2



To bring failover up and verify that it is working:

Enter the failover command on both appliances, then check the unit states with show failover.
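As an added check that is not part of the original post, the following Python script parses the failover bootstrap commands of both units (sample configs constructed here from the commands above) and reports every setting the secondary must match exactly: the unit roles, the failover key, and the interface and addresses of the LAN failover link. The same check applies to the LANFO pair in the Active/Active section.

```python
import re
# Constructed sample configs (not from a real device); the secondary omits the replicated FOState link.
PRIMARY_CFG = """\
failover lan unit primary
failover lan interface FOControl e0/2
failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover link FOState e0/3
failover interface ip FOState 192.168.21.1 255.255.255.0 standby 192.168.21.2
failover key cisco
failover polltime msec 200 holdtime msec 800
"""
SECONDARY_CFG = """\
failover lan unit secondary
failover key cisco
failover lan interface FOControl e0/2
failover interface ip FOControl 192.168.20.1 255.255.255.0 standby 192.168.20.2
"""

def parse_failover(config):
    # Pull the unit role, key, LAN link name and per-link settings out of config text.
    info = {"unit": None, "key": None, "lan_link": None, "links": {}}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            info["unit"] = m[1]
        elif m := re.fullmatch(r"failover key (\S+)", line):
            info["key"] = m[1]
        elif m := re.fullmatch(r"failover (lan interface|link) (\S+)(?: (\S+))?", line):
            info["links"].setdefault(m[2], {})["phys"] = m[3]  # None when a link is reused
            info["lan_link"] = m[2] if m[1] == "lan interface" else info["lan_link"]
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            info["links"].setdefault(m[1], {}).update(active=m[2], mask=m[3], standby=m[4])
    return info

def check_pair(primary_cfg, secondary_cfg):
    """Return the list of bootstrap mismatches; an empty list means the pair agrees."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append("unit roles must be exactly one primary and one secondary")
    if p["key"] != s["key"]:
        problems.append("failover key differs between the units")
    if p["lan_link"] is None or p["lan_link"] not in s["links"]:
        problems.append("secondary lacks the LAN failover link the primary uses")
    # Links the secondary defines must match the primary field for field; links it
    # omits (a separate state link) are replicated from the primary, so skip them.
    for name, s_link in s["links"].items():
        p_link = p["links"].get(name, {})
        for field in ("phys", "active", "mask", "standby"):
            if p_link.get(field) != s_link.get(field):
                problems.append(f"{name} {field}: {p_link.get(field)} vs {s_link.get(field)}")
    return problems
```

Feed it the running configuration of each unit (the failover lines from show running-config failover) to catch a mistyped key or a swapped active/standby address before enabling failover.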




Configuring Active/Active Failover in Cisco ASA firewall

Here we are going to learn about Active/Active failover on the ASA.

In the active/active implementation of failover, both appliances process traffic. To implement active/active failover, two contexts are needed. Failover can occur if a context fails or if the entire appliance fails.

Configuring Active/Active failover takes only a few steps, but when you do it in GNS3 you must be careful with the switch configuration.

In the picture, both switches are connected to the ASAs. The connected switch ports must be in the same VLAN (for example, VLAN 1) and must be trunks (for example, dot1q).

The following steps configure Active/Active failover.




ASA1



ciscoasa(config)#hostname asa1
asa1(config)#int e0/0
asa1(config-if)#no shut
asa1(config-if)#int e0/1
asa1(config-if)#no shut
asa1(config-if)#int e0/2
asa1(config-if)#no shut
asa1(config-if)#int e0/3
asa1(config-if)#no shut

Creating virtual interfaces for the contexts

asa1(config)#int e0/0.1
asa1(config-if)#vlan 3
asa1(config-if)#no shut
asa1(config-if)#int e0/0.2
asa1(config-if)#vlan 5
asa1(config-if)#no shut
asa1(config-if)#int e0/1.1
asa1(config-if)#vlan 2
asa1(config-if)#no shut
asa1(config-if)#int e0/1.2
asa1(config-if)#vlan 4
asa1(config-if)#no shut
asa1(config-if)#exit

Create two failover groups to which the contexts will be added

asa1(config)#failover group 1
asa1(config-fover-group)#exit
asa1(config)#failover group 2
asa1(config-fover-group)#exit


Creating contexts and allocating interfaces to contexts

The appliance must already be in multiple context mode (entered with the mode multiple command, which reloads the unit) for the context commands below to be accepted.

asa1(config)#admin-context admin
asa1(config)#context admin
asa1(config-ctx)#config-url disk0:/.private/admin.cfg

Creating context c1

asa1(config-ctx)#context c1
asa1(config-ctx)#allocate-interface e0/0.1
asa1(config-ctx)#allocate-interface e0/1.1
asa1(config-ctx)#join-failover-group 1
asa1(config-ctx)#config-url disk0:/.private/c1.cfg

Creating context c2

asa1(config-ctx)#context c2
asa1(config-ctx)#allocate-interface e0/0.2
asa1(config-ctx)#allocate-interface e0/1.2
asa1(config-ctx)#join-failover-group 2
asa1(config-ctx)#config-url disk0:/.private/c2.cfg

Setting IP addresses for the virtual interfaces in the contexts

asa1(config-ctx)#changeto context c1
asa1/c1(config)#int e0/0.1
asa1/c1(config-if)#nameif inside
asa1/c1(config-if)#ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
asa1/c1(config-if)#no shut
asa1/c1(config-if)#int e0/1.1
asa1/c1(config-if)#nameif outside
asa1/c1(config-if)#ip add 172.16.2.1 255.255.255.0 standby 172.16.2.2
asa1/c1(config-if)#no shut

asa1/c1(config-if)#changeto context c2
asa1/c2(config)#interface e0/0.2
asa1/c2(config-if)#nameif inside
asa1/c2(config-if)#ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2
asa1/c2(config-if)#no shut
asa1/c2(config-if)#int e0/1.2
asa1/c2(config-if)#nameif outside
asa1/c2(config-if)#ip add 192.168.2.1 255.255.255.0 standby 192.168.2.2
asa1/c2(config-if)#no shut
asa1/c2(config-if)#exit

Return to the system execution space before entering the failover commands; they are not accepted inside a context.

asa1/c2(config)#changeto system
asa1(config)#failover lan interface LANFO e0/2
asa1(config)#failover link LANFO
asa1(config)#failover interface ip LANFO 192.168.20.1 255.255.255.0 standby 192.168.20.2
asa1(config)#failover lan unit primary
asa1(config)#failover polltime msec 500


ASA2


asa2(config)#int e0/0
asa2(config-if)#no shut
asa2(config-if)#int e0/1
asa2(config-if)#no shut
asa2(config-if)#int e0/2
asa2(config-if)#no shut
asa2(config-if)#int e0/3
asa2(config-if)#no shut

asa2(config)#failover lan unit secondary
asa2(config)#failover lan interface LANFO e0/2
asa2(config)#failover interface ip LANFO 192.168.20.1 255.255.255.0 standby 192.168.20.2

Create an admin context

asa2(config)#admin-context admin
asa2(config)#context admin
asa2(config-ctx)#config-url disk0:/.private/admin.cfg


After the configuration, enable failover by entering the failover command on both appliances.




For Active/Active failover to work correctly, enter the following additional commands on the primary ASA.

asa1(config)#failover group 1
asa1(config-fover-group)#primary
asa1(config-fover-group)#preempt
asa1(config-fover-group)#exit

asa1(config)#failover group 2
asa1(config-fover-group)#secondary
asa1(config-fover-group)#preempt
asa1(config-fover-group)#exit