ASA 1. Active/Standby Failover.
1. Small FAQ
ASA Services Module is not considered in this blog post.
Failover can be Active/Active or Active/Standby. Active/Active failover must be setup in multi-context mode (per security context) and doesn't support VPN failover. Active/Standby failover supports VPN failover but all traffic goes only through ASA in active role (load-balancing is not supported). Primary and secondary units doesn't change their types (primary or secondary), only their state/role can change (i.e. secondary unit can be in active state/role due to primary unit fail).
Units have one dedicated physical port to be used as failover control link, this links must be interconnected (back-to-back without an intermediate switch). Failover control link is used for:
Failover can be Active/Active or Active/Standby. Active/Active failover must be setup in multi-context mode (per security context) and doesn't support VPN failover. Active/Standby failover supports VPN failover but all traffic goes only through ASA in active role (load-balancing is not supported). Primary and secondary units doesn't change their types (primary or secondary), only their state/role can change (i.e. secondary unit can be in active state/role due to primary unit fail).
Units have one dedicated physical port to be used as failover control link, this links must be interconnected (back-to-back without an intermediate switch). Failover control link is used for:
- initial failover peer discovery and negotiation
- replication of the configuration from active to the standby peer
- unit health monitoring
Both Active/Active and Active/Standby failover can be configured in stateless (no connections states are tracked) or stateful (packets and connections states are tracked and connections are not dropped when failover is done) manner. By default failover operates in stateless manner. To support stateful failover - Stateful Link must be setup.
Active unit accepts configuration changes and places the same commands to the standby unit, no configuration changes must be performed on a standby unit. If stateful failover is configured - active ASA monitors, builds and tears down all connections. Also this info also tracked and synchronized:
- stateful table for UDP and TCP connections
- ARP table and MAC mapping table
- routing table
- certain application inspection data
- most VPN data structures (only some client-less VPN info remains stateless)
When Active/Standby failover is used - for a switchover to occur automatically - the active unit must become less operational than standby unit, at least one of following must occur:
Health messages by default are exchanged in 1 second interval. If failover control link fails, failover becomes disabled. By default, a switchover occurs when at least one interface on the active unit or within an active failover group fails.
Failover provides very effective first-hop redundancy capabilities by allowing the MAC and IP address pair on each data interface to move between the failover peers based on which unit is active at any given time. Because all physical interface connections and their configurations are identical between the members of a failover pair, active ASA unit switchovers are completely transparent to the adjacent network devices and endpoints. When you enable failover, the IP address configured on each data interface becomes the active one. When the active unit fails, the standby peer automatically assumes ownership of these addresses upon taking over the active role and seamlessly picks up transit traffic processing.
In Active/Standby failover secondary unit in active state remains active even if primary unit becomes operationally healthy. The primary unit takes over an active role only if secondary unit becomes unhealthy or if switchover is done manually.
All configuration changes must be done on the active unit (either in Primary or Secondary state).
- one of the internal (monitored) interfaces goes down
- an interface expansions slot fails
- an IPS, CSC or CX application module fails
Health messages by default are exchanged in 1 second interval. If failover control link fails, failover becomes disabled. By default, a switchover occurs when at least one interface on the active unit or within an active failover group fails.
Failover provides very effective first-hop redundancy capabilities by allowing the MAC and IP address pair on each data interface to move between the failover peers based on which unit is active at any given time. Because all physical interface connections and their configurations are identical between the members of a failover pair, active ASA unit switchovers are completely transparent to the adjacent network devices and endpoints. When you enable failover, the IP address configured on each data interface becomes the active one. When the active unit fails, the standby peer automatically assumes ownership of these addresses upon taking over the active role and seamlessly picks up transit traffic processing.
In Active/Standby failover secondary unit in active state remains active even if primary unit becomes operationally healthy. The primary unit takes over an active role only if secondary unit becomes unhealthy or if switchover is done manually.
All configuration changes must be done on the active unit (either in Primary or Secondary state).
2. Preparation
- When grouping two devices in failover, the following hardware parameters must be identical:
- exact model number
- number and type of physical interfaces must be the same (also expansion modules must be the same if any)
- all cables must be connected appropriate to the Layer 2 on both units for unit health monitoring to be held properly
- all hardware or software modules and software must be the same on both units
- amount of RAM and system flash must be the same on both units
- both failover peers should run the same software image during normal operation (different images are supported during upgrade)
- prior to ASA8.3(1) licence features on both units must to be the same
- Cisco ASA 5505, ASA 5510, and ASA 5512-X appliances must have the Security Plus license installed.
- The state of the Encryption-3DES-AES license must match between the units. In other words, it must be either disabled or enabled on both failover peers.
- Choose roles for each ASA- one ASA will be primary and the other - secondary (i.e. old ASA - primary / new ASA - secondary).
- Dedicate one physical interface (the same, i.e. Gi0/3 on both) on each unit for the failover control link and connect them back-to-back without an intermediate switch.
- If you plan to use stateful failover - dedicate another physical interface to be used as stateful link
- Choose IP addresses for the primary and secondary units, used failover subnet cannot overlap with any data interfaces (one subnet per failover control and failover state links)
- Choose security key to encrypt failover traffic
3. Setup
3.1 Setup with separate physical interface for Failover Link and State Link
Start failover configuration on the primary node (also consider maintenance window as interface will go down while transiting to the failover active state - it takes roughly 1 minute to go into active state):
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
failover lan unit primary
failover lan interface FailoverControl GigabitEthernet0/2
failover link FailoverState GigabitEthernet0/3
failover interface ip FailoverControl 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover interface ip FailoverState 172.20.1.1 255.255.255.0 standby 172.20.1.2
failover ipsec pre-shared-key *****
failover
No Active mate detected
show failover | grep host
This host: Primary - Active
Other host: Secondary - Not Detected
Then configure failover on standby unit:
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
failover lan unit secondary
failover lan interface FailoverControl GigabitEthernet0/2
failover replication http
failover link FailoverState GigabitEthernet0/3
failover interface ip FailoverControl 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover interface ip FailoverState 172.20.1.1 255.255.255.0 standby 172.20.1.2
failover ipsec pre-shared-key *****
failover
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
show failover | grep host
This host: Secondary - Standby Ready
Other host: Other host: Primary - Active
The failover key command enables password failover encryption. Use either a string of letters, numbers, and punctuation with 1 to 63 characters or a hexadecimal value of up to 32 digits. Only use this option when running Cisco ASA Software versions earlier than 9.1(2) or deploying stateless failover.
IPSec site-to-site tunnel is more secure approach to failover link protection, so always use it in Cisco ASA Software version 9.1(2) and later. The failover ipsec pre-shared-key command enables this method of failover encryption. You must deploy stateful failover to use this feature. When using IPSec as encryption method - this tunnel is not counted in ASA maximum supported VPN count.
IPSec site-to-site tunnel is more secure approach to failover link protection, so always use it in Cisco ASA Software version 9.1(2) and later. The failover ipsec pre-shared-key command enables this method of failover encryption. You must deploy stateful failover to use this feature. When using IPSec as encryption method - this tunnel is not counted in ASA maximum supported VPN count.
3.2 Setup with 1 redundant interface for both Failover Link and State Link
If you want to use redundant interface:
On primary unit:
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface Redundant 1
member-interface GigabitEthernet 0/2
INFO: security-level and IP address are cleared on GigabitEthernet0/2
member-interface GigabitEthernet 0/3
INFO: security-level and IP address are cleared on GigabitEthernet0/3
interface Redundant 1
member-interface GigabitEthernet 0/2
INFO: security-level and IP address are cleared on GigabitEthernet0/2
member-interface GigabitEthernet 0/3
INFO: security-level and IP address are cleared on GigabitEthernet0/3
failover lan unit primary
failover lan interface FailoverLink Redundant1
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover link FailoverLink
failover ipsec pre-shared-key *****
failover
No Active mate detected
show failover | grep host
This host: Primary - Active
Other host: Secondary - Not Detected
Then configure failover on standby unit:
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface Redundant 1
member-interface GigabitEthernet 0/2
INFO: security-level and IP address are cleared on GigabitEthernet0/2
member-interface GigabitEthernet 0/3
INFO: security-level and IP address are cleared on GigabitEthernet0/3
member-interface GigabitEthernet 0/2
INFO: security-level and IP address are cleared on GigabitEthernet0/2
member-interface GigabitEthernet 0/3
INFO: security-level and IP address are cleared on GigabitEthernet0/3
failover lan unit secondary
failover lan interface FailoverLink Redundant1
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
INFO: Non-failover interface config is cleared on Redundant1 and its sub-interfaces
failover interface ip FailoverLink 172.20.0.1 255.255.255.0 standby 172.20.0.2
failover link FailoverLink
failover ipsec pre-shared-key *****
failover
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
show failover | grep host
This host: Secondary - Standby Ready
Other host: Other host: Primary - Active
3.3 Disabling failover monitoring for interface
You can have an interface which can't be replicated (i.e. like fiber optic coming directly from an ISP). This interfaces must be unplugged from failed ASA and then plugged into currently active ASA. To exclude interface from the failover monitoring:
asa (config)# no monitor interface interface_name_here
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can check this via: sh run all | grep monitor-interface
If you can replicate your interface (ex. Gi0/0), then on primary node:
# conf t
# int gi0/0
# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
To check:
find name of the gi0/0:
sh nameif | grep G.*0/0
GigabitEthernet0/0 inside 100
Check this name in failover:
sh failover | grep inside
Interface inside (192.168.0.1): Normal (Monitored)
Interface inside (192.168.0.2): Normal (Monitored)
You also can use standby IP to access node in Standby state.
If you can replicate your interface (ex. Gi0/0), then on primary node:
# conf t
# int gi0/0
# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
To check:
find name of the gi0/0:
sh nameif | grep G.*0/0
GigabitEthernet0/0 inside 100
Check this name in failover:
sh failover | grep inside
Interface inside (192.168.0.1): Normal (Monitored)
Interface inside (192.168.0.2): Normal (Monitored)
4. Test and operate
Use the show failover command to monitor the operational state of the failover.
You can use show failover history command to investigate failover events.
Use failover execute mate command_to_execute_remotely to execute command on the standby unit (i.e.: failover exec mate show version | grep Serial). Do not execute configuration commands on the standby unit.
Use write standby - to restore standby unit proper state after accidentally performing configuration on a standby unit, this command replaces all configuration with the copy of the configuration from the active unit.
Use the failover active command on the standby unit to transit unit to the active state.
Use the no failover active command on the currently active unit to transit unit to the standby state.
You can use show failover history command to investigate failover events.
Use failover execute mate command_to_execute_remotely to execute command on the standby unit (i.e.: failover exec mate show version | grep Serial). Do not execute configuration commands on the standby unit.
Use write standby - to restore standby unit proper state after accidentally performing configuration on a standby unit, this command replaces all configuration with the copy of the configuration from the active unit.
Use the failover active command on the standby unit to transit unit to the active state.
Use the no failover active command on the currently active unit to transit unit to the standby state.
No comments:
Post a Comment