Configuring Active Standby Failover on the Cisco ASA

Maintaining appropriate redundancy mechanisms within infrastructure devices is extremely important for any organization. The Cisco ASA supports active-active and active-standby failover.

NOTE When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active takes ownership of the IP addresses and MAC addresses of the failed unit. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC-to-IP address pairing, no ARP entries change or time out anywhere on the network.

When a pair of Cisco ASAs is configured in active-active failover mode, both appliances are actively passing traffic at the same time. In contrast, when configured in active-standby mode, the primary appliance is the active one and the secondary appliance is in standby and does not pass traffic. After the primary fails, the secondary takes over and begins to pass traffic.

The network security team of Company-B evaluates both options. They decide to implement active-standby failover because, for active-active to work, the appliances must be configured in multicontext mode. Active-active requires a minimum of two security contexts on each appliance. Company-B has a site-to-site VPN tunnel to a business partner (Partner-A). The Cisco ASA does not support VPN when configured in multicontext mode.

The following are the steps taken to configure active-standby failover on the Cisco ASAs.

Step 1 Log in to the Cisco ASA using ASDM.

Step 2 On the main toolbar, click Wizards and choose High Availability and Scalability Wizard, as illustrated in Figure 12-52.

Figure 12-52 Launching the High Availability and Scalability Wizard

Step 3 The screen shown in Figure 12-53 is displayed. Click Configure Active/Standby failover.

Figure 12-53 Configuring Active/Standby Failover

Step 4 Click Next.

Step 5 Enter the IP address of the secondary appliance, as shown in Figure 12-54. The IP address of the secondary appliance management interface is 10.200.30.2 in this case. ASDM completes several compatibility and connectivity checks on the secondary appliance. These steps are listed within the ASDM screen shown in Figure 12-54. If successful, ASDM allows you to proceed to the next step. However, if issues exist, ASDM marks each check that failed. You must fix any errors before proceeding further.

Step 6 Click Next.

Step 7 The screen shown in Figure 12-55 is displayed. This screen allows you to configure a dedicated interface for failover communication between the two appliances. Choose an available interface from the drop-down menu. In this case, the interface selected is GigabitEthernet0/3.

Step 8 Enter a name for the failover interface. In this example, the interface is called failover for simplicity. This is an arbitrary name.

Figure 12-54 Failover Peer Connectivity and Compatibility Check

Figure 12-55 Configuring the Failover LAN Link

Step 9 Assign an IP address for this interface, in addition to a standby IP address, as shown in Figure 12-55. In this example, the active IP address is 10.200.40.1, and the secondary is 10.200.40.2.

Step 10 Configure a subnet mask for this interface. A 30-bit (255.255.255.252) subnet mask is configured in this example.

Step 11 You can optionally encrypt the failover communication data exchanged by both appliances. To enable encryption, select the Use 32 hexadecimal character key option under Communication Encryption.

Step 12 Enter a 32 hexadecimal character key.

Step 13 Click Next.

Step 14 You can configure stateful failover to maintain connection status, translation, and other information on the standby appliance to avoid interruption of services when a failover occurs. You can configure a dedicated interface or use the previously configured failover interface for this communication. On busy networks where numerous connections are built and torn down at a fast pace, a dedicated interface is suggested. In this case, all other interfaces on the Cisco ASAs are used for other purposes, and the stateful failover traffic of Company-B does not present an oversubscription risk based on tests that the administrator performed in the lab prior to deployment. The administrator configures the failover LAN link interface as the stateful failover link, as shown in Figure 12-56.

Figure 12-56 Configuring the Stateful Failover Link

Step 15 You must configure a standby IP address for each interface that is enabled on the Cisco ASA. The standby appliance uses these IP addresses. The screen shown in Figure 12-57 allows you to configure the standby IP address for each interface.

Figure 12-57 Configuring the Standby IP Addresses

Step 16 Click Next.

Step 17 A summary screen showing the configuration items to be sent to the security appliance is displayed. Click Finish to apply the changes.

Example 12-8 includes the CLI commands sent to the primary appliance.

Example 12-8 Failover Configuration on the Primary ASA

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
monitor-interface dmz
monitor-interface inside
monitor-interface outside
monitor-interface management

Example 12-9 includes the CLI commands sent to the secondary appliance.

Example 12-9 Failover Configuration on the Secondary ASA

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
interface GigabitEthernet0/3
 no shutdown
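The configuration sent to both appliances can be reviewed offline before it is pushed, or pulled back from the running config afterwards. The following script is an added example, not code from the book or from Cisco: it parses an ASA config fragment and reports the failover properties this procedure depends on, namely that failover is enabled with a unit role, that a failover key is set (without it the failover link, over which the whole configuration is replicated to the peer in Example 12-10, carries cleartext), that a stateful link is defined (Step 14), and that every named interface with an IP address also has a standby address (Step 15). The sample config is constructed here: its failover lines follow Example 12-8, while the outside, inside and dmz interface stanzas and their addresses are assumptions, with dmz deliberately left without a standby address so the check has something to report.

```python
"""Static checks for an ASA active/standby failover configuration (added example)."""
import re

# Constructed sample config: failover lines as in Example 12-8; the
# interface stanzas and their addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
monitor-interface dmz
monitor-interface inside
monitor-interface outside
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")


def parse_interfaces(config):
    """Return {nameif: {"ip": active, "standby": standby_or_None}} for
    every interface stanza that carries both a nameif and an IP address."""
    interfaces = {}
    current = None

    def flush():
        if current and current["name"] and current["ip"]:
            interfaces[current["name"]] = {"ip": current["ip"],
                                           "standby": current["standby"]}

    for line in config.splitlines():
        if line.startswith("interface "):
            flush()
            current = {"name": None, "ip": None, "standby": None}
        elif current is not None and line.startswith(" nameif "):
            current["name"] = line.split()[1]
        elif current is not None and (m := IP_RE.match(line)):
            current["ip"], current["standby"] = m.group(1), m.group(3)
        elif not line.startswith(" "):
            flush()          # any top-level command ("!", "failover", ...) ends the stanza
            current = None
    flush()
    return interfaces


def parse_failover(config):
    """Collect the global failover settings from the config."""
    fo = {"enabled": False, "unit": None, "lan_interface": None,
          "key_set": False, "state_link": None, "monitored": [],
          "interface_ip": None, "interface_standby": None}
    for line in config.splitlines():
        parts = line.split()
        if line == "failover":
            fo["enabled"] = True
        elif line.startswith("failover lan unit "):
            fo["unit"] = parts[3]
        elif line.startswith("failover lan interface "):
            fo["lan_interface"] = parts[4]
        elif line.startswith("failover key "):
            fo["key_set"] = True             # key value itself is masked in running-config
        elif line.startswith("failover link "):
            fo["state_link"] = parts[3]
        elif line.startswith("failover interface ip "):
            fo["interface_ip"] = parts[4]
            if "standby" in parts:
                fo["interface_standby"] = parts[parts.index("standby") + 1]
        elif line.startswith("monitor-interface "):
            fo["monitored"].append(parts[1])
    return fo


def audit_failover(config):
    """Return a list of findings; an empty list means every check passed."""
    fo, ifaces, findings = parse_failover(config), parse_interfaces(config), []
    if not fo["enabled"]:
        findings.append("failover is not enabled")
    if fo["unit"] not in ("primary", "secondary"):
        findings.append("failover lan unit is not set")
    if fo["lan_interface"] is None:
        findings.append("no failover LAN interface configured")
    if not fo["key_set"]:
        findings.append("no failover key: failover link traffic is unencrypted")
    if fo["state_link"] is None:
        findings.append("no stateful failover link: connections will drop on failover")
    if fo["interface_ip"] and not fo["interface_standby"]:
        findings.append("failover interface has no standby address")
    for name, addr in ifaces.items():
        if addr["standby"] is None:
            findings.append(f"interface {name} ({addr['ip']}) has no standby address")
    return findings


if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG) or ["all failover checks passed"]:
        print(finding)
```

Run against the sample, the only finding is the missing standby address on dmz, which is exactly what Step 15 of the wizard forces you to supply; removing the failover key line from the sample produces the unencrypted-link finding instead.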

You will see the message shown in Example 12-10 after the secondary appliance is configured and the configuration replication is performed.

Example 12-10 Failover Configuration Replication Confirmation

companyB-ASA1#..
Detected an Active mate
Beginning configuration replication from mate.
companyB-ASA1# End configuration replication from mate.

Responses

  • leonie kalb
    How to check Cisco Firepower active standby log?
    2 months ago