Wednesday, June 27, 2012

Configuring Active Active Failover in Cisco ASA firewall

    Failover provides redundancy between appliances: if one appliance fails, a redundant appliance takes over for it. That is why most companies deploy failover for network security and redundancy.


    Failover is a Cisco-proprietary feature unique to the security appliance. It provides redundancy between paired appliances, with one appliance backing up the other. This section introduces the failover concepts.


    Failover implementations


    Cisco supports two failover implementations:


    Active/Standby
    Active/Active


    Here we are going to learn about Active/Active failover on the ASA.



    In the Active/Active implementation of failover, both appliances process traffic. Implementing Active/Active failover requires two contexts. Failover can occur if a context fails or if the entire appliance fails.

    Configuring Active/Active failover takes only a few simple steps, but when you do it in GNS3 you must be careful with the switch configuration.

    In the picture you can see that both switches are connected to the ASAs. The connected switch ports must be in the same VLAN (for example, VLAN 1) and must be configured as trunks (for example, dot1q).

    The following steps configure Active/Active failover. Both appliances must already be running in multiple context mode (mode multiple); the context and failover group commands below are only accepted in that mode.

    ASA1

    Setting the hostname and bringing up the physical interfaces

    ciscoasa(config)# hostname asa1
    asa1(config)# int e0/0
    asa1(config-if)# no shut
    asa1(config-if)# int e0/1
    asa1(config-if)# no shut
    asa1(config-if)# int e0/2
    asa1(config-if)# no shut
    asa1(config-if)# int e0/3
    asa1(config-if)# no shut

    Creating VLAN subinterfaces for the contexts

    asa1(config)# int e0/0.1
    asa1(config-if)# vlan 3
    asa1(config-if)# no shut
    asa1(config-if)# int e0/0.2
    asa1(config-if)# vlan 5
    asa1(config-if)# no shut
    asa1(config-if)# int e0/1.1
    asa1(config-if)# vlan 2
    asa1(config-if)# no shut
    asa1(config-if)# int e0/1.2
    asa1(config-if)# vlan 4
    asa1(config-if)# no shut
    asa1(config-if)# exit

    Creating the two failover groups that the contexts will join

    asa1(config)# failover group 1
    asa1(config-fover-group)# exit
    asa1(config)# failover group 2
    asa1(config-fover-group)# exit


    Creating contexts and allocating interfaces to contexts

    asa1(config)# admin-context admin
    asa1(config)# context admin
    asa1(config-ctx)# config-url disk0:/.private/admin.cfg

    Creating context c1

    asa1(config-ctx)# context c1
    asa1(config-ctx)# allocate-interface e0/0.1
    asa1(config-ctx)# allocate-interface e0/1.1
    asa1(config-ctx)# join-failover-group 1
    asa1(config-ctx)# config-url disk0:/.private/c1.cfg

    Creating context c2


    asa1(config-ctx)# context c2
    asa1(config-ctx)# allocate-interface e0/0.2
    asa1(config-ctx)# allocate-interface e0/1.2
    asa1(config-ctx)# join-failover-group 2
    asa1(config-ctx)# config-url disk0:/.private/c2.cfg

    Setting the active and standby IP addresses on the subinterfaces inside each context


    asa1(config-ctx)# changeto context c1
    asa1/c1(config)# int e0/0.1
    asa1/c1(config-if)# nameif inside
    asa1/c1(config-if)# ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
    asa1/c1(config-if)# no shut
    asa1/c1(config-if)# int e0/1.1
    asa1/c1(config-if)# nameif outside
    asa1/c1(config-if)# ip add 172.16.2.1 255.255.255.0 standby 172.16.2.2
    asa1/c1(config-if)# no shut

    asa1/c1(config-if)# changeto context c2
    asa1/c2(config)# int e0/0.2
    asa1/c2(config-if)# nameif inside
    asa1/c2(config-if)# ip add 192.168.1.1 255.255.255.0 standby 192.168.1.2
    asa1/c2(config-if)# no shut
    asa1/c2(config-if)# int e0/1.2
    asa1/c2(config-if)# nameif outside
    asa1/c2(config-if)# ip add 192.168.2.1 255.255.255.0 standby 192.168.2.2
    asa1/c2(config-if)# no shut
    asa1/c2(config-if)# exit
    asa1/c2(config)# exit
    asa1/c2# changeto system
    asa1# configure terminal

    Configuring the failover link in the system context (the same link also carries the stateful failover traffic)

    asa1(config)# failover lan interface LANFO e0/2
    asa1(config)# failover link LANFO
    asa1(config)# failover interface ip LANFO 192.168.20.1 255.255.255.0 standby 192.168.20.2
    asa1(config)# failover lan unit primary
    asa1(config)# failover polltime msec 500


    ASA2


    Bringing up the physical interfaces

    asa2(config)# int e0/0
    asa2(config-if)# no shut
    asa2(config-if)# int e0/1
    asa2(config-if)# no shut
    asa2(config-if)# int e0/2
    asa2(config-if)# no shut
    asa2(config-if)# int e0/3
    asa2(config-if)# no shut


    Configuring the failover link as the secondary unit

    asa2(config)# failover lan unit secondary
    asa2(config)# failover lan interface LANFO e0/2
    asa2(config)# failover interface ip LANFO 192.168.20.1 255.255.255.0 standby 192.168.20.2

    Create an Admin Context

    asa2(config)# admin-context admin
    asa2(config)# context admin
    asa2(config-ctx)# config-url disk0:/.private/admin.cfg


    After the configuration, failover does not run until you enter the command failover on both appliances.

    For Active/Active failover to work correctly, a few more commands are needed on the primary ASA: each failover group is given a preferred unit (group 1 on the primary, group 2 on the secondary), and preempt makes a group return to its preferred unit once that unit is back up.

    asa1(config)# failover group 1
    asa1(config-fover-group)# primary
    asa1(config-fover-group)# preempt
    asa1(config-fover-group)# exit

    asa1(config)# failover group 2
    asa1(config-fover-group)# secondary
    asa1(config-fover-group)# preempt
    asa1(config-fover-group)# exit
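As an added check that is not part of the post or of any Cisco tooling, the Python script below audits the system-context failover settings shown above: it parses the failover group blocks, confirms that one group prefers the primary unit and the other the secondary unit (the reason group 2 is marked secondary), that both groups have preempt, and that each failover standby address is a distinct peer on the active address's subnet. The sample configuration is constructed from the post's values with the prompts stripped.

```python
import ipaddress

# Constructed sample of the system-context settings the post applies to the
# primary unit (prompts stripped); hypothetical input, not the blog's own file.
SAMPLE_CONFIG = """\
failover lan unit primary
failover interface ip LANFO 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
"""

def parse(config):
    """Return (system commands, {group id: its indented sub-commands})."""
    system, groups, target = [], {}, None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if raw[0].isspace() and target is not None:  # sub-command of the open group
            target.append(words)
        elif words[:2] == ["failover", "group"]:
            target = groups.setdefault(words[2], [])
        else:
            target = None
            system.append(words)
    return system, groups

def audit(config):
    """Return findings; an empty list means the Active/Active split is sane."""
    system, groups = parse(config)
    issues = []
    for w in system:
        if w[:3] == ["failover", "interface", "ip"]:  # standby must be a distinct peer
            act, sby = ipaddress.ip_interface(f"{w[4]}/{w[5]}"), ipaddress.ip_address(w[7])
            if sby == act.ip or sby not in act.network:
                issues.append(f"{w[3]}: standby {sby} is not a peer in {act.network}")
    # A group with no explicit role defaults to primary, so omitting 'secondary'
    # on group 2 would leave both groups active on the same unit.
    roles = sorted(next((c[0] for c in cmds if c[0] in ("primary", "secondary")), "primary")
                   for cmds in groups.values())
    if roles != ["primary", "secondary"]:
        issues.append(f"groups not split across the two units: {roles}")
    for g, cmds in groups.items():
        if ["preempt"] not in cmds:
            issues.append(f"group {g}: preempt missing, no fail-back after recovery")
    return issues
```

Feed it the system-context portion of a show running-config (prompts removed) to catch the single-unit and missing-preempt mistakes before enabling failover.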

8 comments:

  1. Thanks, yours is the first web site that actually spells out exactly how to get a pair of Active/Active ASAs up and running.

  2. Well, thank you for the post. It is all that I needed to know, but I guess, in the last few lines, there is a mistake, please correct it, I am guessing.

    ASA2 : failover group 2
    instead of #secondary, shouldn't it be #primary?
    that is the point right? for grp1 asa1 is primary, for grp2 asa2 is primary..

    1. The config is right. This config will be replicated to the standby box, so seeing that the ASA is standby, it will become active for the secondary context.

  3. Hi,

    I am trying to configure this in GNS3 also; however, I can't ping out from or to the ASA. I am using the GNS3 Ethernet switch and have set the ports as dot1q.

    Were you able to ping? I want to be able to use ASDM to manage the ASAs.

    Thanks,

  4. Hi Arun,
    First of all I would like to say thanks for this wonderful job which you have done. I did it, but I am facing a problem: the first booted device became active for both contexts and the second booted device became secondary for both contexts. How do I resolve this issue? Please suggest.
    One more thing I want to know: where do I put the static route? Does it go in the system context, or do I use the exact route in the respective context which we created?

    Thanks,
    Chandan.
