Hardware requirements:
Two units in failover must:
- be the same model
- have the same number and type of interfaces
- have the same modules installed(if any)
- have the same RAM installed
Flash memory size does not have to be equal however the smaller one has to have enough space for firmware and configuration file. This is extremally important because config synchronization can fail if there is no enough space.
Limitation:
- You cannot enable failover when CA server is up and running.
“ERROR: Failover cannot be configured while the local CA server
is configured. Please remove the local CA server configuration
before configuring failover.”
command to remove CA server:
(config)# clear configure crypto ca server
- firmware version should be the same on both units but it is not mandatory.
FIREWALLS:
ASA1 – Primary unit
ethernet 0/0 – 81.223.184.146/28 ( Internet – ISP1)
ethernet0/1 – 77.204.202.4/29 (Internet – ISP2)
ethernet 0/2 – 10.10.231.254/24 (LAN)
Ethernet 0/3 – failover interface
Management0/0 – Statefull interface
ASA2 – Secondary unit
ethernet 0/0 – 81.223.184.147/28 ( Internet – ISP1)
ethernet0/1 – 77.204.202.7/29 (Internet – ISP2)
ethernet 0/2 – 10.10.231.253/24 (LAN)
Ethernet 0/3 – failover interface
Management0/0 – Statefull interface
Statefull and Failover interface can be on the same physical interface. They can be connected together via cable or via switch.
When you connect via switch be carefull do not keep those interfaces on shared(data) network.
STATELESS FAILOVER(HARDWARE)
Stateless failover does not handle session state so in case of switching to standby unit sessions will be lost and has to be reestablished. In stateless failover we do not need Statefull interface.
ASA1
(config)# failover lan unit primary
Enable this appliance as a primary unit.
(config)# failover lan interface FAILOVER ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
Specify ethernet0/3 as a failover interface.The name of this interface is FAILOVER but can be any name.
(config)# failover interface ip FAILOVER 192.168.250.1 255.255.255.0 standby 192.168.250.2
Assign active and standby IP to FAILOVER interface.
(config)# failover key cisco
Encrypt and authenticate traffic.
(config)# failover
Enable failover on primary unit.
Check current status of Failover on primary unit.
ASA2
(config)# failover lan unit secondary
Configure second asa as a secondary unit in failover pair.
(config)# failover lan interface FAILOVER ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
Configure ethernet0/3 interface as a failover interface
(config)# failover interface ip FAILOVER 192.168.250.1 255.255.255.0 standby 192.168.250.2
Assign ip to failover interface.
(config)# failover key cisco
Encrypt and authenticate traffic.
(config)# failover
Enable failover on standby unit.
Check failover status on standby unit.
Note that firmware version is different on both ASA. It is possible on firmware 7.0 and higher but I stronglyrecommend to keep the same version on both unit.
Below warning on both unit if there is mismatch with firmware version.
Check failover status on primary unit.
Failover is configured properly and working fine
STATEFULL FAILOVER
The difference between statefull and stateless failover is:
– in statefull failover all session states are exchange so case of hardware failure users will not loose their session and standby unit will still be able to keep active connections.(no sessions drop)
– in stateless failover in case of failure all sessions has to be reestablished and users will see short breaks.
Because our failover is up all changes we have to do on active unit only!
If you try to configure standby unit you will get:
# conf t
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
ASA1
(config)# failover link STATEFULL management0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
Configure management0/0 interface as a statefull interface.
(config)# failover interface ip STATEFULL 192.168.255.1 255.255.255.0 standby 192.168.255.2
Assign ip for statefull interface.
(config)# failover replication http
Enable http replication.
As we see above statefull failover started to work.
SIMULATE HARDWARE FAILURE
First simulation is reload primary unit because I upgraded image to the same version as standby unit.
See output from standby unit.
ASA2#
Switching to Active
Above output from secondary unit which now is primary.
When Primary unit is up after failute secondary still will be active unit his failure or until we change the role by hand(see output below).
MANULY CHANGE ROLE TO ACTIVE ON STANDBY UNIT
# failover active
This command has to be typed on STANDBY unit!
Check failover status
FAILOVER MONITORING
Descriptors
When failover is working properly descriptors on interfaces have to be the same.
#show failover descriptors
State
This command show current state of failover. Here you can also see if and when last failure happened.
#show failover state
History
This command shows you history of states changes.
#show failover history
Statefull configuration and statefull stats
Interfaces configuration
This command shows you failover intefaces configuration
#show failover interface
WORK WITH PRIMARY AND STANDBY UNIT
In most cases you will manage failover from primary unit(configuration always) however you can also manage standby unit from primary unit,e.g. to reload switch.
example 1
Reload standy unit from active unit
# failover reload-standby
example 2
Run command on standby unit and display on primary unit,e.g. show ip
dzbanek 2013-04-18