ASA Active/Standby Failover

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

LAN-Based Active/Standby Failover Configuration

Network Diagram

This document uses this network setup:

This section describes how to configure Active/Standby Failover with an Ethernet failover link. When you configure LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.
Note: Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units.

Primary Unit Configuration

Follow these steps to configure the primary unit in a LAN-based, Active/Standby Failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
In order to configure the primary unit in an Active/Standby Failover pair, perform these steps:

If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.
Note: Do not configure an IP address for the stateful failover link if you use a dedicated stateful failover interface. You use the failover interface ip command to configure a dedicated stateful failover interface in a later step.
```
hostname(config-if)#ip address active_addr netmask 
                         standby standby_addr
```
In this example, the outside interface of the primary PIX is configured this way:
```
hostname(config-if)#ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
```
Here, 172.16.1.1 is used for the primary unit outside interface IP address, and 172.16.1.2 assigns to the secondary (standby) unit outside interface.
Note: In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.
(PIX security appliance platform only) Enable the LAN-based failover.
```
hostname(config)#failover lan enable
```

Designate the unit as the primary unit.

hostname(config)#failover lan unit primary

Define the failover interface.
1. Specify the interface to be used as the failover interface.
```
hostname(config)#failover lan interface if_name phy_if
```
  In this documentation, the "failover" (interface name for Ethernet3) is used for a failover interface.
```
hostname(config)#failover lan interface failover Ethernet3
```
  The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3.
2. Assign the active and standby IP address to the failover link
```
hostname(config)#failover interface ip if_name ip_addr mask 
                       standby ip_addr
```
  In this documentation, to configure the failover link, 10.1.0.1 is used for active, 10.1.0.2 for the standby unit, and "failover" is an interface name of Ethernet3.
```
hostname(config)#failover interface ip failover 10.1.0.1 
                       255.255.255.0 standby 10.1.0.2
```
  The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.
  The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.
3. Enable the interface
```
hostname(config)#interface phy_if


hostname(config-if)#no shutdown
```
  In the example, Ethernet3 is used for failover:
```
hostname(config)#interface ethernet3

hostname(config-if)#no shutdown
```
(Optional) In order to enable stateful failover, configure the stateful failover link.
1. Specify the interface to be used as the stateful failover link.
```
hostname(config)#failover link if_name phy_if
```
  This example used "state" as an interface name for Ethernet2 to exchange the failover link state information:
```
hostname(config)#failover link state Ethernet2
```
  Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.
  The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface must not be used for any other purpose, except, optionally, as the failover link.
2. Assign an active and standby IP address to the stateful failover link.
  Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already defined the active and standby IP addresses for the interface.
```
hostname(config)#failover interface ip if_name ip_addr 
                       mask standby ip_addr
```
  The 10.0.0.1 is used as an active and the 10.0.0.2 as a standby IP address for the stateful failover link in this example.
```
hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 
                       standby 10.0.0.2
```
  The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.
  The stateful failover link IP address and MAC address do not change at failover unless they use a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.
3. Enable the interface.
  Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already enabled the interface.
```
hostname(config)#interface phy_if

hostname(config-if)#no shutdown
```
  Note: For example, in this scenario, Ethernet2 is used for the stateful failover link:
```
hostname(config)#interface ethernet2

hostname(config-if)#no shutdown
```
Enable failover.
```
hostname(config)#failover
```
Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

Save the system configuration to Flash memory.

hostname(config)#copy running-config startup-config

Secondary Unit Configuration

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.
For multiple context mode, all steps are performed in the system execution space unless noted otherwise.
In order to configure the secondary unit, perform these steps:

(PIX security appliance platform only) Enable LAN-based failover.
```
hostname(config)#failover lan enable
```
Define the failover interface. Use the same settings that you used for the primary unit.
1. Specify the interface to be used as the failover interface.
```
hostname(config)#failover lan interface if_name phy_if
```
  In this documentation, the "failover" (interface name for Ethernet3) is used for a LAN failover interface.
```
hostname(config)#failover lan interface failover Ethernet3
```
  The if_name argument assigns a name to the interface specified by the phy_if argument.
2. Assign the active and standby IP address to the failover link.
```
hostname(config)#failover interface ip if_name ip_addr mask 
                       standby ip_addr
```
  In this documentation, to configure the failover link, 10.1.0.1 is used for active, 10.1.0.2 for the standby unit, and "failover" is an interface name of Ethernet3.
```
hostname(config)#failover interface ip failover 10.1.0.1 
                       255.255.255.0 standby 10.1.0.2
```
  Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
3. Enable the interface.
```
hostname(config)#interface phy_if


hostname(config-if)#no shutdown
```
  For example, in this scenario, Ethernet3 is used for failover.
```
hostname(config)#interface ethernet3

hostname(config-if)#no shutdown
```
(Optional) Designate this unit as the secondary unit.
```
hostname(config)#failover lan unit secondary
```
Note: This step is optional because, by default, units are designated as secondary unless previously configured.
Enable failover.
```
hostname(config)#failover
```
Note: After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages Beginning configuration replication: Sending to mate and End Configuration Replication to mate appear on the active unit console.
After the running configuration has completed replication, save the configuration to Flash memory.
```
hostname(config)#copy running-config startup-config
```

Configurations

This document uses these configurations:

Primary PIX
pix#show running-config PIX Version 7.2(1) ! hostname pix domain-name default.domain.invalid enable password 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0 nameif outside security-level 0 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2 ! !--- Configure "no shutdown"* in the stateful failover interface !--- of both Primary and secondary PIX.* interface Ethernet2 nameif state description STATE Failover Interface interface ethernet3 nameif failover description LAN Failover Interface ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid access-list 101 extended permit ip any any pager lines 24 mtu outside 1500 mtu inside 1500 failover failover lan unit primary failover lan interface failover Ethernet3 failover lan enable failover key ****** failover link state Ethernet2 failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2 failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2 asdm image flash:/asdm-521.bin no asdm history enable arp timeout 14400 nat (inside) 0 access-list 101 access-group 101 in interface outside route outside 0.0.0.0 0.0.0.0 172.16.1.3 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e : end

Primary PIX

pix#show running-config 
 PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!

!--- Configure "no shutdown" in the stateful failover interface 
!--- of both Primary and secondary PIX.


interface Ethernet2 
nameif state

  description STATE Failover Interface

interface ethernet3 
nameif failover

  description LAN Failover Interface

!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500

failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Secondary PIX
pix#show running-config failover failover lan unit secondary failover lan interface failover Ethernet3 failover lan enable failover key ****** failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Secondary PIX

pix#show running-config 

failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Verify

Use of the show failover Command

This section describes the show failover command output. On each unit, you can verify the failover status with the show failover command.
Primary PIX

pix#show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 06:07:44 UTC Dec 26 2006
        This host: Primary - Active
                Active time: 1905 (sec)
                  Interface outside (172.16.1.1): Normal
                  Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (172.16.1.2): Normal
                  Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Secondary PIX

pix(config)#show failover
Failover On
Cable status: Normal
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 00:00:18 UTC Jan 1 1993
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (172.16.1.2): Normal
                  Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Active time: 154185 (sec)
                  Interface outside (172.16.1.1): Normal
                  Interface inside (192.168.1.1): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Use the show failover state command to verify the state.
Primary PIX

pix#show failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
        Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
        Comm Failure

Secondary unit

pix#show failover state
====My State===
Secondary | Standby |
====Other State===
Primary | Active |
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:

In order to verify the IP addresses of the failover unit, use the show failover interfacecommand.
Primary unit

pix#show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.1
                Other IP Address : 10.0.0.2

Secondary unit

pix#show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.2
                Other IP Address : 10.0.0.1

View of Monitored Interfaces

In order to view the status of monitored interfaces: In single context mode, enter the show monitor-interface command in global configuration mode. In multiple context mode, enter the show monitor-interface within a context.
Note: In order to enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode:

monitor-interface <if_name>

Primary PIX

pix(config)#show monitor-interface
        This host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal

Secondary PIX

pix(config)#show monitor-interface
        This host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal

Note: If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.
Note: By default, monitoring of physical interfaces is enabled, and monitoring of subinterfaces is disabled.

Display of the Failover Commands in the Running Configuration

In order to view the failover commands in the running configuration, enter this command:

hostname(config)#show running-config failover

All of the failover commands are displayed. On units that run in multiple context mode, enter the show running-config failover command in the system execution space. Enter the command show running-config all failover to display the failover commands in the running configuration and include commands for which you have not changed the default value.

Repositorio IT - IT Repository

Barra de menus