1. Configure ASA in active/standby failover
Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit.
ASA1:
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2
ASA2:
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2
The primary unit always becomes the active unit if both units start up at the same time.
The primary unit MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active and cannot obtain the primary unit MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.
You can also configure virtual MAC addresses (active MAC first, then standby MAC):
failover mac address GigabitEthernet0 0011.1111.1111 0022.2222.2222
failover mac address GigabitEthernet3 0033.3333.3333 0044.4444.4444
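A consistency check for the pair, as an added example that is not part of the original post: the two configurations above are identical apart from the unit role, and each interface that carries a nameif also carries a standby address. The script below embeds the ASA1 snippet as a constructed string, derives ASA2 from it the way the post does (only `failover lan unit` differs), and reports any drift between the two or any nameif interface without a standby address. The rule set is an assumption made for this check, not an ASA validation routine.

```python
"""Consistency check for an ASA Active/Standby pair's configuration (added example)."""

# Constructed from the post's ASA1 snippet.
ASA1 = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2
"""
# The post's ASA2 differs only in the unit role.
ASA2 = ASA1.replace("failover lan unit primary", "failover lan unit secondary")

ROLE_PREFIX = "failover lan unit "


def normalize(cfg):
    """Strip indentation and blank/comment lines so the two configs compare line by line."""
    lines = [l.strip() for l in cfg.splitlines()]
    return [l for l in lines if l and not l.startswith("!")]


def unit_role(lines):
    """Return 'primary' or 'secondary' from the failover lan unit line, or None."""
    for l in lines:
        if l.startswith(ROLE_PREFIX):
            return l[len(ROLE_PREFIX):].strip()
    return None


def missing_standby(lines, label):
    """Flag every interface that has a nameif but no 'ip address ... standby ...'."""
    issues, current, has_nameif, has_standby = [], None, False, False
    for l in lines + ["interface END"]:  # sentinel flushes the last interface block
        if l.startswith("interface "):
            if current and has_nameif and not has_standby:
                issues.append(f"{label}: {current} has nameif but no standby address")
            current, has_nameif, has_standby = l.split(None, 1)[1], False, False
        elif l.startswith("nameif "):
            has_nameif = True
        elif l.startswith("ip address ") and " standby " in l:
            has_standby = True
    return issues


def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = normalize(cfg_a), normalize(cfg_b)
    issues = []
    roles = {"A": unit_role(a), "B": unit_role(b)}
    if set(roles.values()) != {"primary", "secondary"}:
        issues.append(f"unit roles must be one primary and one secondary, got {roles}")
    # Apart from the role line, both units must carry exactly the same commands.
    rest_a = {l for l in a if not l.startswith(ROLE_PREFIX)}
    rest_b = {l for l in b if not l.startswith(ROLE_PREFIX)}
    issues += [f"only on A: {l}" for l in sorted(rest_a - rest_b)]
    issues += [f"only on B: {l}" for l in sorted(rest_b - rest_a)]
    issues += missing_standby(a, "A") + missing_standby(b, "B")
    return issues


if __name__ == "__main__":
    print(check_pair(ASA1, ASA2) or "pair is consistent")
```

Run it against the two running-configs pulled from each unit; a non-empty result before enabling failover is cheaper to fix than a replication surprise afterwards.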
2. Testing Failover Functionality
ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac set
ciscoasa# show failover interface
        interface failover GigabitEthernet1
                System IP Address: 1.1.1.1 255.255.255.252
                My IP Address    : 1.1.1.1
                Other IP Address : 1.1.1.2
        interface linkstate GigabitEthernet2
                System IP Address: 2.2.2.1 255.255.255.252
                My IP Address    : 2.2.2.1
                Other IP Address : 2.2.2.2
ciscoasa# show monitor-interface
        This host: Primary - Active
                Interface inside (192.168.1.1): Normal (Monitored)
                Interface outside (20.20.20.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Interface inside (192.168.1.2): Normal (Monitored)
                Interface outside (20.20.20.2): Normal (Monitored)
3. Forcing Failover
Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
failover active
Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit.
no failover active
4. Disabling and Enabling Interface Monitoring
You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others.
no monitor-interface outside
Monitored failover interfaces can have the following status:
• Unknown—Initial status. This status can also mean the status cannot be determined.
• Normal—The interface is receiving traffic.
• Testing—Hello messages are not heard on the interface for five poll times.
• Link Down—The interface or VLAN is administratively down.
• No Link—The physical link for the interface is down.
• Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
5. Troubleshooting
5.a Active unit failed (power or hardware). Action - failover.
The standby unit becomes active and marks the former active unit as failed.
ciscoasa# Switching to Active
ciscoasa# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 13:56:18 UTC Feb 7 2013
        This host: Secondary - Active
                Active time: 14 (sec)
                Interface inside (192.168.1.1): Normal (Waiting)
                Interface outside (20.20.20.1): Normal (Not-Monitored)
        Other host: Primary - Failed
                Active time: 1299 (sec)
                Interface inside (192.168.1.2): Unknown (Monitored)
                Interface outside (20.20.20.2): Unknown (Not-Monitored)
5.b Formerly active unit recovers. Action - no failover.
The primary unit becomes standby (ASA Active/Standby failover does not support preemption).
ciscoasa# Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:07:49 UTC Feb 7 2013
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                Interface inside (192.168.1.2): Normal (Monitored)
                Interface outside (20.20.20.2): Normal (Monitored)
        Other host: Secondary - Active
                Active time: 902 (sec)
                Interface inside (192.168.1.1): Normal (Monitored)
                Interface outside (20.20.20.1): Normal (Monitored)
5.c Standby unit failed (power or hardware). Action - no failover.
The active unit marks the standby unit as failed.
5.d Failover link failed during operation. The failover interface is marked as failed. Action - no failover.
ciscoasa(config)# Failover LAN Failed
No switchover
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:19:23 UTC Feb 7 2013
        This host: Primary - Active
                Active time: 64 (sec)
                Interface inside (192.168.1.1): Normal (Monitored)
                Interface outside (20.20.20.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 1312 (sec)
                Interface inside (192.168.1.2): Normal (Monitored)
                Interface outside (20.20.20.2): Normal (Monitored)
5.e Failover link failed at startup. The failover interface is marked as failed.
If the failover link is down at startup, both units become active.
5.f Stateful Failover link failed. Action - no failover.
State information becomes out of date, and sessions are terminated if a failover occurs.
ciscoasa# Failover Stateful interface Failed
ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:19:23 UTC Feb 7 2013
        This host: Primary - Active
                Active time: 510 (sec)
                Interface inside (192.168.1.1): Normal (Monitored)
                Interface outside (20.20.20.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 1312 (sec)
                Interface inside (192.168.1.2): Normal (Monitored)
                Interface outside (20.20.20.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
        Link : linkstate GigabitEthernet2 (Failed)
5.g Interface failure on active unit above threshold. Action - failover.
ciscoasa# Switching to Active
ciscoasa# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:42:13 UTC Feb 7 2013
        This host: Secondary - Active
                Active time: 1490 (sec)
                Interface inside (192.168.1.1): Normal (Monitored)
                Interface outside (20.20.20.1): Normal (Waiting)
        Other host: Primary - Failed
                Active time: 1211 (sec)
                Interface inside (192.168.1.2): Normal (Waiting)
                Interface outside (20.20.20.2): Failed (Waiting)
5.h Interface failure on standby unit above threshold. The standby unit is marked as failed.
When the standby unit is marked as failed, then the active unit does not attempt to fail over even if the interface failure threshold is surpassed.
5.i Failover link and interface failure on active unit above threshold. Action - no failover.
So it behaves as I suspected: the active unit stays up when the failover link goes down.
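The troubleshooting cases above all surface in `show failover`, so the natural monitoring check is to parse that output and alert on the states the cases describe. The script below is an added example, not part of the original post: it parses the 8.4(2)-style layout shown in sections 2 and 5 and flags failover off, a failed failover LAN link, a failed stateful link (5.f), a Failed peer (5.a, 5.g), a failed monitored interface, and both units Active (the 5.e startup case). The two sample captures are constructed from the post's own output; the regexes are assumptions fitted to that layout, not a complete ASA grammar.

```python
"""Health check for an ASA Active/Standby pair from `show failover` output (added example)."""
import re

# Constructed sample modelled on the healthy capture in 5.b.
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
This host: Primary - Active
        Active time: 64 (sec)
        Interface inside (192.168.1.1): Normal (Monitored)
        Interface outside (20.20.20.1): Normal (Monitored)
Other host: Secondary - Standby Ready
        Active time: 1312 (sec)
        Interface inside (192.168.1.2): Normal (Monitored)
        Interface outside (20.20.20.2): Normal (Monitored)
Stateful Failover Logical Update Statistics
        Link : linkstate GigabitEthernet2 (up)
"""

# Constructed sample modelled on 5.g: the secondary took over after the
# primary's outside interface failed.
DEGRADED = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1 (up)
Monitored Interfaces 2 of 60 maximum
This host: Secondary - Active
        Active time: 1490 (sec)
        Interface inside (192.168.1.1): Normal (Monitored)
        Interface outside (20.20.20.1): Normal (Waiting)
Other host: Primary - Failed
        Active time: 1211 (sec)
        Interface inside (192.168.1.2): Normal (Waiting)
        Interface outside (20.20.20.2): Failed (Waiting)
Stateful Failover Logical Update Statistics
        Link : linkstate GigabitEthernet2 (up)
"""

# Field patterns are assumptions fitted to the layout above.
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\S+) \((.+)\)$")
LAN_RE = re.compile(r"^Failover LAN Interface: .*\((.+)\)$")
STATEFUL_RE = re.compile(r"^Link : .*\((.+)\)$")


def parse_show_failover(text):
    """Return pair-level link states plus per-host unit state and interface states."""
    info = {"failover_on": False, "lan_link": None, "stateful_link": None, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        m = LAN_RE.match(line)
        if m:
            info["lan_link"] = m.group(1)
        m = STATEFUL_RE.match(line)
        if m:
            info["stateful_link"] = m.group(1)
        m = HOST_RE.match(line)
        if m:  # "This host: Primary - Active" opens a per-host block
            current = m.group(1)
            info["hosts"][current] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            info["hosts"][current]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
    return info


def assess(info):
    """Map the parsed state to findings; an empty list means the pair is healthy."""
    findings = []
    if not info["failover_on"]:
        findings.append("CRITICAL: failover is not On")
    if info["lan_link"] and info["lan_link"] != "up":
        findings.append(f"CRITICAL: failover LAN link is {info['lan_link']}")
    states = [h["state"] for h in info["hosts"].values()]
    if states.count("Active") > 1:
        findings.append("CRITICAL: both units are Active (split brain, see 5.e)")
    if "Active" not in states:
        findings.append("CRITICAL: no Active unit")
    for who, h in info["hosts"].items():
        if h["state"] == "Failed":
            findings.append(f"CRITICAL: {who} host ({h['unit']}) is Failed")
        elif h["state"] not in ("Active", "Standby Ready"):
            findings.append(f"WARNING: {who} host ({h['unit']}) is {h['state']}")
        for name, i in h["interfaces"].items():
            if i["status"] != "Normal":
                findings.append(f"WARNING: {who} host interface {name} ({i['ip']}) is {i['status']}")
    if info["stateful_link"] and info["stateful_link"] != "up":
        findings.append(f"WARNING: stateful link is {info['stateful_link']}; sessions drop on the next failover")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, assess(parse_show_failover(sample)) or ["OK"])
```

Feed it the output collected from both units: because 5.e can leave both units Active without either one reporting a failure, the split-brain check only works when you compare what each unit believes about itself.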