In Active/Active Failover, both units can pass network traffic.
Active/Active Failover is only available on units that run in multiple context mode.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis.
Primary/Secondary Status
- Determines which unit provides the running configuration to the pair when they boot simultaneously
- Determines on which unit each failover group appears in the active state when the units boot simultaneously. Each failover group in the configuration is configured with a primary or secondary unit preference.
Active/Standby Status
- When a unit boots while the peer unit is not available, both failover groups become active on the unit.
- When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following:
1. A failover occurs.
2. You manually force the failover group to the other unit with the no failover active command.
3. You configured the failover group with the preempt command, which causes the failover group to automatically become active on the preferred unit when the unit becomes available.
- When both units boot at the same time, each failover group becomes active on its preferred unit after the configurations have been synchronized.
Failover Triggers
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
- The unit has a hardware failure.
- The unit has a power failure.
- The unit has a software failure.
- The no failover active or the failover active command is entered in the system execution space.
- Too many monitored interfaces in the group fail.
- The no failover active group group_id or failover active group group_id command is entered.
Configuration
1. Enable multiple context mode (on both devices)
ciscoasa(config)# mode multiple
ciscoasa(config)# show mode
Security context mode: multiple
2. Configure contexts (on primary device)
admin-context CustomerA
context CustomerA
 allocate-interface GigabitEthernet0.100
 allocate-interface GigabitEthernet3
 config-url disk0:/admin.cfg
context CustomerB
 allocate-interface GigabitEthernet0.200
 allocate-interface GigabitEthernet3
 config-url disk0:/CustomerB.cfg
3. Configure the failover groups (on primary device)
failover group 1
 preempt
 polltime interface 1 holdtime 3
failover group 2
 secondary
 preempt
 polltime interface 1 holdtime 3
4. Configure the failover interfaces (on both devices)
failover lan unit primary (secondary on the second device)
failover lan interface failover GigabitEthernet1
failover link linkstate GigabitEthernet2
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip linkstate 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
5. Configure the virtual firewalls (contexts): IP addresses, policies, etc.
ciscoasa(config)# changeto context CustomerA
interface GigabitEthernet0.100
 nameif insideA
 security-level 0
 ip address 10.100.100.1 255.255.255.0 standby 10.100.100.2
!
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 192.168.223.100 255.255.255.0 standby 192.168.223.101
ciscoasa(config)# changeto context CustomerB
interface GigabitEthernet0.200
 nameif insideB
 security-level 0
 ip address 10.200.200.1 255.255.255.0 standby 10.200.200.2
!
interface GigabitEthernet3
 nameif outside
 security-level 0
 ip address 192.168.223.200 255.255.255.0 standby 192.168.223.201
Command Replication
After both units are running in Active/Active failover, commands are replicated from one unit to the other as shown:
- Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.
- Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
- Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
You can use the write standby command to resynchronize configurations that have become out of sync. For Active/Active failover, the write standby command behaves as shown:
- If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance are written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.
- If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.
Verification
ciscoasa(config)# show failover group 1
Last Failover at: 16:46:53 UTC Mar 8 2013
This host: Primary
State: Active
Active time: 1652 (sec)
CustomerA Interface insideA (10.100.100.1): Normal (Monitored)
CustomerA Interface outside (192.168.223.100): Normal (Monitored)
CustomerB Interface insideB (10.200.200.1): Normal (Not-Monitored)
CustomerB Interface outside (192.168.223.200): Normal (Monitored)
Other host: Secondary
State: Standby Ready
Active time: 452 (sec)
CustomerA Interface insideA (10.100.100.2): Normal (Monitored)
CustomerA Interface outside (192.168.223.101): Normal (Monitored)
CustomerB Interface insideB (10.200.200.2): Normal (Not-Monitored)
CustomerB Interface outside (192.168.223.201): Normal (Monitored)
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 3 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 2 0 2 0
ciscoasa(config)# show failover group 2
Last Failover at: 16:46:51 UTC Mar 8 2013
This host: Primary
State: Standby Ready
Active time: 0 (sec)
Other host: Secondary
State: Active
Active time: 1656 (sec)
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 0 0
ciscoasa(config)# show failover state
State Last Failure Reason Date/Time
This host - Primary
Group 1 Active None
Group 2 Standby Ready None
Other host - Secondary
Group 1 Standby Ready None
Group 2 Active None
====Configuration State===
Sync Done
====Communication State===
Mac set
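The outputs above are what an operator reads by hand after a change or a failover. As an added example (not code from the original post), the following Python parses text in the shape of show failover state and show failover group N and flags the conditions worth acting on: configuration not synchronized, a group active on zero or two units, a group active on the non-preferred unit, and interfaces that are Not-Monitored (such as CustomerB insideB above, whose failure can never trigger a failover). The sample text and the PREFERRED mapping are constructed from the post's configuration.

```python
# Added helper, not code from the original post: sanity checks over the text
# of "show failover state" and "show failover group N"; samples are constructed.
import re
# Constructed sample modelled on the post's "show failover state" output.
STATE_OUTPUT = """\
This host  -   Primary
    Group 1    Active         None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None
====Configuration State===
    Sync Done
"""
# Constructed sample modelled on the post's "show failover group 1" output.
GROUP_OUTPUT = """\
    CustomerA Interface insideA (10.100.100.1): Normal (Monitored)
    CustomerB Interface insideB (10.200.200.1): Normal (Not-Monitored)
"""
PREFERRED = {1: "Primary", 2: "Secondary"}  # group 2 was configured "secondary"

def parse_state(text):
    """Return ({unit: {group_id: state}}, sync_done) from show failover state."""
    units, unit = {}, None
    for line in text.splitlines():
        host = re.match(r"\s*(?:This|Other) host\s*-\s*(Primary|Secondary)", line)
        grp = re.match(r"\s*Group (\d+)\s+(Active|Standby Ready|\S+)", line)
        if host:
            unit = host.group(1)
            units[unit] = {}
        elif grp and unit:
            units[unit][int(grp.group(1))] = grp.group(2)
    return units, "Sync Done" in text

def check_state(text, preferred=PREFERRED):
    """Flag unsynced config and groups not active on exactly one (preferred) unit."""
    units, synced = parse_state(text)
    findings = [] if synced else ["configuration not synchronized"]
    for g, pref in preferred.items():
        active = [u for u, grps in units.items() if grps.get(g) == "Active"]
        if len(active) != 1:
            findings.append(f"group {g} active on {len(active)} units")
        elif active[0] != pref:
            findings.append(f"group {g} active on {active[0]}, preferred {pref}")
    return findings

def unmonitored_interfaces(text):
    """Context/interface pairs whose failure can never trigger a failover."""
    pat = re.compile(r"(\S+) Interface (\S+) \(\S+\): \S+ \(Not-Monitored\)")
    return sorted(f"{ctx}/{ifc}" for ctx, ifc in pat.findall(text))
```

A group reported active on its non-preferred unit after the peer has come back is the signature of a failover with preempt not configured, which is exactly the case the Active/Standby Status section above describes.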