Cisco ASA Active/Standby failover in 5 minutes

You don’t believe me? Here it goes…

First we need to know some facts about failover. An ASA can run in Active/Standby or Active/Active failover mode.

In A/S, only one box passes traffic while the other sits and waits for the active unit to die so it can take over. A/S mode is good because we can run VPN and routing protocols across the ASA cluster, and it’s bad because we have one ASA doing nothing.

A/A mode, on the other hand, gives us an opportunity to use both ASAs. One ASA is active for one context (virtual firewall) and standby for another; the other ASA is standby for the first context and active for the second. This is good because we utilize both boxes, but we lose the VPN and routing protocol functionality. D’oh!

Because we need both VPN and dynamic routing, we are going to set up an A/S cluster. This is done in several easy steps…

Step one: the switch

We need to create a separate VLAN for each segment we use, plus one VLAN for failover itself. So if we have inside and outside interfaces, we need three VLANs. Our ports can be access or trunk ports and should be in spanning-tree PortFast mode for faster failover:

Switch(config)#int range f0/1 - 4
Switch(config-if-range)#macro apply SWITCHPORT
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Switch(config)#vlan 11
Switch(config-vlan)#name ASAsINSIDE
Switch(config-vlan)#vlan 21
Switch(config-vlan)#name FAILOVER
Switch(config-vlan)#exit

Switch(config)#int f0/1
Switch(config-if)#desc ASA Primary Inside
Switch(config-if)#switchport access vlan 11
Switch(config-if)#int f0/2
Switch(config-if)#desc ASA Secondary Inside
Switch(config-if)#switchport access vlan 11
Switch(config-if)#int f0/3
Switch(config-if)#desc ASA Primary Failover
Switch(config-if)#switchport access vlan 21
Switch(config-if)#int f0/4
Switch(config-if)#desc ASA Secondary Failover
Switch(config-if)#switchport access vlan 21
Switch(config-if)#exit
Switch(config)#

Step 2: primary ASA

We connect to the console port of the first ASA and give it a name so we can tell the two boxes apart. Then we enable Ethernet0/1, give it an IP address and set a security level. The IP address is given as the active IP address and subnet mask, followed by the standby IP address:

ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname ASAPRI
ASAPRI(config)#
ASAPRI(config)# int e0/1
ASAPRI(config-if)# ip addr 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASAPRI(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASAPRI(config-if)# no shut
ASAPRI(config-if)# exit
ASAPRI(config)#

Now comes the failover part. We declare this box as the primary unit. Then we specify that we are going to use the Management0/0 interface for failover. Who uses this interface for management anyway? The traffic between the two boxes can be encrypted, and we use the given key for that. Failover needs to replicate connection and NAT state, VPN sessions and other data from the active to the standby unit. We can use a separate link for this, or use a single link for both cluster messages and state replication. We don’t have a port to spare, so we use Management0/0 for both. The cluster-message interface is set with the “failover lan interface” command and the state-replication interface with the “failover link” command. Finally we give this failover link primary and secondary IP addresses. We don’t turn failover on just yet.

ASAPRI(config)#
ASAPRI(config)# failover lan unit primary
ASAPRI(config)# failover lan interface FAILOVER Management0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ASAPRI(config)# failover key spop123
ASAPRI(config)# failover link FAILOVER Management0/0
ASAPRI(config)# failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASAPRI(config)# exit
ASAPRI#

Step 3: secondary ASA

On the secondary ASA you can copy/paste almost everything from the primary, except for the hostname and the unit role:

ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname ASASEC
ASASEC(config)#
ASASEC(config)# int e0/1
ASASEC(config-if)# ip addr 10.0.0.1 255.255.255.0 standby 10.0.0.2
ASASEC(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASASEC(config-if)# no shut
ASASEC(config-if)# exit
ASASEC(config)#

ASASEC(config)#
ASASEC(config)# failover lan unit secondary
ASASEC(config)# failover lan interface FAILOVER Management0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ASASEC(config)# failover key spop123
ASASEC(config)# failover link FAILOVER Management0/0
ASASEC(config)# failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASASEC(config)# exit
ASASEC#

Step 4: bring up failover interfaces and initiate failover

We bring up Management0/0 on primary ASA and activate failover:

ASAPRI(config)#
ASAPRI(config)# int m0/0
ASAPRI(config-if)# no sh
ASAPRI(config-if)# exit
ASAPRI(config)#
ASAPRI(config)# failover
ASAPRI(config)#

Finally we bring up Management0/0 on secondary ASA and activate failover:

ASASEC#
ASASEC# conf t
ASASEC(config)# int m0/0
ASASEC(config-if)# no sh
ASASEC(config-if)#
ASASEC(config-if)# exit
ASASEC(config)#
ASASEC(config)# failover
ASASEC(config)#
ASASEC(config)# end
ASASEC# ..

Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

ASAPRI#

As we can see, the secondary box detected the primary and copied the running configuration from it. Note that the secondary’s prompt now reads ASAPRI: the hostname is part of the replicated configuration, which is why step 6 changes the prompt so the two boxes can still be told apart.

Step 5: adding other interfaces

This is easier, because we only configure the primary box and all changes are replicated to the secondary. This step assumes that the VLAN and switch ports for this segment are already configured on the switch:

ASAPRI/act#
ASAPRI/act# conf t
ASAPRI/act(config)#
ASAPRI/act(config)# int e0/0
ASAPRI/act(config-if)# ip addr 192.168.1.1 255.255.255.0 standby 192.168.1.2
ASAPRI/act(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASAPRI/act(config-if)# no sh
ASAPRI/act(config-if)#
ASAPRI/act(config-if)# end
ASAPRI/act#

Step 6: tweaking

There is a lot we can adjust, such as which interfaces we don’t want to monitor, how often the status of interfaces and units is verified, which MAC address is used for failover, and so on. About these: some other time. For now we just set up a prompt so we can tell which box we are logged in to:

ASAPRI#
ASAPRI(config)#
ASAPRI(config)# prompt hostname state
ASAPRI/act(config)#

Don’t forget a wr m.

Take a look at your stop watch! Less than 5 minutes.
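Added here as a defender-side sanity check, not part of the original post: a small Python script that compares the two units’ configurations for the mistakes the steps above and the comments warn about (wrong unit roles, a missing or mismatched failover key, failover link settings that differ, and interface addresses that are not the same active/standby pair on both boxes). It assumes the configs are pasted as “show running-config” would print them, with the abbreviated commands expanded; the sample configs are constructed from the addresses used in this post.

```python
import re
# Constructed sample (not from the post): the primary as "show running-config" prints it.
PRIMARY_CFG = """hostname ASAPRI
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 nameif inside
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key spop123
failover link FAILOVER Management0/0
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
"""
# Constructed secondaries: a good one (differs only in hostname and role) and a bad
# one with its own inside address (the mistake from the comments) and no failover key.
GOOD_SECONDARY_CFG = PRIMARY_CFG.replace("ASAPRI", "ASASEC").replace("unit primary", "unit secondary")
BAD_SECONDARY_CFG = GOOD_SECONDARY_CFG.replace("failover key spop123\n", "").replace(
    "10.0.0.1 255.255.255.0 standby 10.0.0.2", "10.0.0.2 255.255.255.0")

def parse(cfg):
    """Collect unit role, key, lan/link settings and each interface's ip address line."""
    f, iface = {"ip": {}}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"\s+ip address (.+)", line):
            f["ip"][iface] = m.group(1).strip()
        elif m := re.match(r"failover lan unit (\S+)", line):
            f["unit"] = m.group(1)
        elif m := re.match(r"failover key (\S+)", line):
            f["key"] = m.group(1)
        elif m := re.match(r"failover (lan interface|link|interface ip) (.+)", line):
            f[m.group(1)] = m.group(2)
    return f

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    if (p.get("unit"), s.get("unit")) != ("primary", "secondary"):
        findings.append("unit roles must be one primary and one secondary")
    if not p.get("key") or p.get("key") != s.get("key"):
        findings.append("failover key missing or mismatched: config and state replication is not encrypted")
    for k in ("lan interface", "link", "interface ip"):
        if p.get(k) != s.get(k):
            findings.append(f"failover {k} differs: {p.get(k)!r} vs {s.get(k)!r}")
    for name in sorted(set(p["ip"]) | set(s["ip"])):  # same active/standby pair on both boxes
        a, b = p["ip"].get(name), s["ip"].get(name)
        if a != b:
            findings.append(f"{name}: ip address lines differ ({a!r} vs {b!r})")
    return findings
```

Run it on the configs captured before step 4, while the secondary still holds its own copy; after replication the two running configs are identical apart from the unit role.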


12 Responses to Cisco ASA Active/Standby failover in 5 minutes

  1. rpurnama says:

    Hi guys, I’ve set up failover in ASA using GNS3. I think the failover is a success.
    But I’m confused about my client gateway. What gateway IP do I have to use? Let’s say the primary ASA has an inside interface with IP 10.0.0.1 and the secondary ASA has an inside interface with IP 10.0.0.2. Which one do I have to choose as my gateway?

    Thanks

    • Sasa says:

      Well, this is not a valid scenario for failover.

      You should have the same primary and standby IP addresses on *both* devices.

      Eg:

      On the primary:

      int e0/1
      ip addr 10.0.0.1 255.255.255.0 standby 10.0.0.2

      On the secondary:

      int e0/1
      ip addr 10.0.0.1 255.255.255.0 standby 10.0.0.2

      And you should use the primary IP address (10.0.0.1) as the default gateway. Which box will pass the traffic? The active box.

      Regs,

      • rpurnama says:

        Hmm… I see, yeah, that’s like my configuration. When I tried to power off the primary unit, FAILOVER was running well. But from my client I can’t ping either the gateway or another client outside the firewall. I already permit acl ip any any. ???

      • Sasa says:

        Well, if everything else is OK, you should be able to ping that stuff.

        Check the usual stuff, such as NAT, routing, and ICMP protocol inspection.

        Anyhow, you should be able to ping your gateway. Here you could double-check the netmask, for instance.

  2. CCIE says:

    One of the good articles I found. Thank you…

  3. CCIE says:

    If anyone can explain active/active failover, that would be really good…
    Thanks in advance

  4. Darko says:

    I’m wondering, is the secondary ASA going to take the name of the primary ASA when it copies the configuration from the primary?

  5. Robbin says:

    Why do you use a secondary IP on the virtual FAILOVER interface?

  6. Alex says:

    Hi Sasa,

    Will failover support IPsec VPN failover? I mean, when the primary fails, will all the tunnels rebuild automatically and successfully when failover occurs?

    Regards,
    Alex
