Full configurations are located here so you can lab this up in GNS3.
With this in mind, let's get started on this topology.
Overview:
We have two outside interfaces on each ASA to connect to two different ISPs, and we will advertise our public address upstream. We won't get into the configuration of the outside interfaces / NAT in this blogtorial; I will save that for another post.
There is one failover interface on each ASA for hello messages, MAC address exchange and other control information.
There is one stateful failover link on each ASA to communicate and pass all state related information.
There is one inside interface on each ASA which connects to the LAN.
Let's first work on the ASA1 which will be our primary unit.
ciscoasa(config)#interface g0
ciscoasa(config-if)#description inside-int
ciscoasa(config-if)#ip add 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)#nameif inside-int
ciscoasa(config-if)#exit
ciscoasa(config)#failover lan unit primary
!!<--Set this to be the primary unit so it can actively pass traffic-->!!
ciscoasa(config)#failover lan interface failover-int GigabitEthernet2
!!<--Set the failover interface for heartbeats and other information-->!!
ciscoasa(config)#failover link stateful-int GigabitEthernet3
!!<--Set the stateful interface to pass state information-->!!
ciscoasa(config)#failover interface ip failover-int 10.1.2.1 255.255.255.0 standby 10.1.2.2
!!<--Assign an IP for the failover and stateful interface-->!!
ciscoasa(config)#failover interface ip stateful-int 10.1.3.1 255.255.255.0 standby 10.1.3.2
!!<--Enable failover-->!!
ciscoasa(config)#failover
ciscoasa(config)#
Now we should have ASA1 functioning as the primary unit passing traffic so let's do some show commands to verify.
ciscoasa# show failover
Failover On
!!<--Failover is turned on-->!!
Failover unit Primary
!!<--Failover primary unit-->!!
Failover LAN Interface: failover-int GigabitEthernet2 (up)
!!<--Failover lan interface is up-->!!
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
!!<--Poll frequency can/should be tweaked to achieve faster failure detection-->!!
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate Unknown
Last Failover at: 22:16:27 UTC Aug 25 2013
This host: Primary - Active
!!<--Failover primary unit is Active instead of Standby-->!!
Active time: 582 (sec)
Interface inside-int (10.1.1.1): Normal (Waiting)
Interface outside-int-isp1 (192.168.1.1): Normal (Waiting)
Other host: Secondary - Failed
!!<--Secondary unit shows failed but that is because we have not yet configured it-->!!
Active time: 0 (sec)
Interface inside-int (10.1.1.2): Unknown (Waiting)
Interface outside-int-isp1 (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
!!<--Stateful failover status and its related counters/statistics-->!!
Link : stateful-int GigabitEthernet3 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
!!<--Output shortened-->!!
Everything on ASA1 looks normal, so let's move on to the secondary unit. On the secondary unit only the failover interface needs to be configured, because the primary unit will sync the rest of the configuration.
ciscoasa(config)#failover lan interface failover-int GigabitEthernet2
ciscoasa(config)#failover interface ip failover-int 10.1.2.1 255.255.255.0 standby 10.1.2.2
ciscoasa(config)#interface g2
ciscoasa(config-if)#no shut
ciscoasa(config-if)#exit
ciscoasa(config)#failover lan unit secondary
ciscoasa(config)#failover
ciscoasa(config)#wr
Once the secondary unit has finished syncing, the configuration should be the same on both ends.
ciscoasa# sh failover
Failover On
!!<--Failover is turned on-->!!
Failover unit Secondary
!!<--This unit is secondary in the failover pair-->!!
Failover LAN Interface: failover-int GigabitEthernet2 (up)
!!<--Failover interface is up-->!!
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
!!<--Poll frequency can/should be tweaked to achieve faster failure detection-->!!
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 22:59:09 UTC Aug 25 2013
This host: Secondary - Standby Ready
!!<--This host is secondary and ready to assume primary if needed-->!!
Active time: 0 (sec)
Interface inside-int (10.1.1.2): Normal (Monitored)
Interface outside-int-isp1 (0.0.0.0): Normal (Waiting)
Other host: Primary - Active
!!<--The other host is Primary and is active-->!!
Active time: 2826 (sec)
Interface inside-int (10.1.1.1): Normal (Monitored)
Interface outside-int-isp1 (192.168.1.1): Normal (Waiting)
Stateful Failover Logical Update Statistics
!!<--Stateful link is up and exchanging information-->!!
Link : stateful-int GigabitEthernet3 (up)
Stateful Obj xmit xerr rcv rerr
General 30 0 34 0
sys cmd 30 0 29 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 544
Xmit Q: 0 1 30
!!<--Output Shortened-->!!
We can induce a failure by bringing down the inside interface of ASA1. On R8 I will shut down Fa1/1, which connects to the ASA1 inside-int (e1), and see what happens.
!!<--Secondary ASA Unit-->!!
ciscoasa# debug fover fail
fover event trace on
ciscoasa# fover_fail_check: ifc_monitor(2) hcnt(3) exceeded threshold
!!<--Interface on the primary unit failed-->!!
fover_FSM_thread: Vlan status(DOWN) update Time: 0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
Switching to Active
!!<--Secondary ASA Unit is now becoming the ACTIVE unit to forward traffic-->!!
fover_FSM_thread: MAC update Time: 0
fover_FSM_thread: IP update Time: 5680
fover_FSM_thread: Vlan status(UP) update Time: 10
ciscoasa# sh failover
Failover On
Failover unit Secondary
!!<--Secondary ASA Unit-->!!
Failover LAN Interface: failover-int GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 03:13:04 UTC Aug 26 2013
This host: Secondary - Active
!!<--Secondary ASA Unit is now Active passing traffic-->!!
Active time: 33 (sec)
Interface inside-int (10.1.1.1): Normal (Waiting)
Interface outside-int-isp1 (192.168.1.1): Normal (Waiting)
Other host: Primary - Failed
!!<--Primary Unit has failed-->!!
Active time: 388 (sec)
Interface inside-int (10.1.1.2): Failed (Waiting)
!!<--This is the interface on the primary unit that failed-->!!
Interface outside-int-isp1 (0.0.0.0): Normal (Waiting)
As you can see, as soon as the inside interface of the primary unit goes down, the secondary unit takes over.
After the inside interface of the primary unit comes back, the pair will not automatically fail back. You will have to enter "no failover active" on the unit that is currently Active (which is the secondary unit for now), and it will switch back to being secondary and standby.
ciscoasa(config)# no failover active
ciscoasa(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ciscoasa(config)#
Switching to Standby
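Turning "show failover" into alerts, as an added example in Python that is not part of the original post: it parses the fields shown in the outputs above and flags the conditions a defender would want to catch, including the failed mate after the interface failure and a secondary that is still Active because there is no automatic failback. The sample output is constructed in the same layout as the outputs above, and the function and field names are assumptions.

```python
import re
# Constructed sample in the layout of the "show failover" output above; values chosen
# to exercise the checks (mate failed, one interface failed), not captured from a device.
SAMPLE = """\
Failover LAN Interface: failover-int GigabitEthernet2 (up)
Version: Ours 8.4(2), Mate 8.4(2)
This host: Secondary - Active
Interface inside-int (10.1.1.1): Normal (Waiting)
Other host: Primary - Failed
Interface inside-int (10.1.1.2): Failed (Waiting)
Interface outside-int-isp1 (0.0.0.0): Normal (Waiting)
Link : stateful-int GigabitEthernet3 (up)
"""

def parse_failover(text):
    """Reduce 'show failover' to global fields plus per-host role, state and interfaces."""
    st = {"this": {"ifaces": {}}, "other": {"ifaces": {}}}
    side = None  # which host the following "Interface ..." lines belong to
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Failover LAN Interface: \S+ \S+ \((\w+)\)", line):
            st["lan_link"] = m[1]
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            st["ours"], st["mate"] = m[1], m[2]
        elif m := re.match(r"(This|Other) host: (\w+) - (.+)", line):
            side = m[1].lower()
            st[side].update(role=m[2], state=m[3].strip())
        elif side and (m := re.match(r"Interface (\S+) \(\S+\): (\w+) \((\w+)\)", line)):
            st[side]["ifaces"][m[1]] = (m[2], m[3])  # (status, monitoring state)
        elif m := re.match(r"Link : \S+ \S+ \((\w+)\)", line):
            st["stateful_link"] = m[1]
    return st

def health_findings(st):
    """Conditions worth alerting on; an empty list means the pair is healthy."""
    f = []
    for key, label in (("lan_link", "failover LAN interface"), ("stateful_link", "stateful link")):
        if st.get(key) != "up":
            f.append(f"{label} is not up")
    if st.get("ours") != st.get("mate"):
        f.append(f"version mismatch: ours {st.get('ours')}, mate {st.get('mate')}")
    for h in (st["this"], st["other"]):
        if h.get("state") == "Failed":
            f.append(f"{h['role']} unit has failed: pair is running without a standby")
        for name, (status, _) in h["ifaces"].items():
            if status != "Normal":
                f.append(f"{h['role']} interface {name} is {status}")
    if st["this"].get("role") == "Secondary" and st["this"].get("state") == "Active":
        f.append("secondary is Active: a failover occurred and there is no automatic failback")
    return f
```

Feed it the output of "show failover" collected on a schedule and page on any non-empty result; a stateful link that is down is the easy one to miss, since traffic still flows until the next failover drops every session.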
You can also configure the number of interfaces, or the percentage of interfaces, that must go down before the secondary takes over, which may come in handy when you have multiple DMZs. You can also exclude interfaces from being monitored. There are numerous options and you can get really fancy, but for now this should get you up and running.
I will do a follow up post on the configuration of the outside interfaces to two different ISPs and NAT on ASAs.
Many more articles to come so stay tuned.
Please reshare/subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.
Now I came to know how we can do the ASA High Availability process successfully. Thanks for sharing.
Regards
Silvester Norman