Cisco ASA firewall Active/Standby failover

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Cisco ASA firewall Active/Standby failover相关的知识,希望对你有一定的参考价值。

In this article, I will briefly explain the active/standby failover configuration on the cisco ASA. The lab is done in GNS3.

  1. Physical Topology:
    技术分享图片
  2. configuration:
    ciscoasa/act/pri(config)# sh run failover
    failover
    failover lan unit primary
    failover lan interface Failover_Stateless GigabitEthernet0/2
    failover link Failover_Stateful GigabitEthernet0/1
    failover interface ip Failover_Stateless 169.254.0.15 255.255.255.0 standby 169.254.0.16
    failover interface ip Failover_Stateful 169.254.1.15 255.255.255.0 standby 169.254.1.16

  3. pitfall:
    The failover ASA pair should have identical hardware platform, software and license to achieve working failover.
    The failover configuration order is important. It could blank your active configuration if the order is not correct.
    Also, whenever there is an configuration update, it should be done on the primary / active unit, so the change could be synched to the standby.
    Do this:
    config # prompt hostname state priority
  4. the failover could be stateless and stateful, the above configuration configured G0/1 as stateful failover interface.
  5. The "show failover" command will provide the current failover state. If you need to have any interface monitored, do below and add a standby ip address for the interface:
    config # monitor-interface inside | outside | etc.

    ciscoasa/act/pri(config)# sh monitor-interface
    This host: Primary - Active
    Interface management (172.16.212.96): Normal (Waiting)
    Interface inside (10.1.1.1): Normal (Monitored)
    Interface outside (150.1.115.1): Normal (Monitored)
    Other host: Secondary - Standby Ready
    Interface management (0.0.0.0): Normal (Waiting)
    Interface inside (10.1.1.2): Normal (Monitored)
    Interface outside (150.1.115.2): Normal (Monitored)

  6. when doing the test, you could enter "failover active" on the secondary ASA, and there will be no interruption for the telnet tcp connection that already exists. As the connection is on both ASA.

ciscoasa/stby/sec# sh conn
9 in use, 9 most used

TCP outside 150.1.115.100:23 inside 10.1.1.100:32526, idle 0:00:18, bytes 147, flags UIO
ciscoasa/stby/sec#

ciscoasa/stby/sec# sh conn
9 in use, 9 most used

TCP outside 150.1.115.100:23 inside 10.1.1.100:32526, idle 0:00:18, bytes 147, flags UIO
ciscoasa/stby/sec#

ciscoasa/act/pri# sh failover interface
interface Failover_Stateless GigabitEthernet0/2
System IP Address: 169.254.0.15 255.255.255.0
My IP Address : 169.254.0.15
Other IP Address : 169.254.0.16
interface Failover_Stateful GigabitEthernet0/1
System IP Address: 169.254.1.15 255.255.255.0
My IP Address : 169.254.1.15
Other IP Address : 169.254.1.16

ciscoasa/act/pri# sh failover

Failover On
Failover unit Primary
Failover LAN Interface: Failover_Stateless GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 36 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours 9A9PLK9VKN2, Mate 9A8UNB99VES
Last Failover at: 11:59:50 UTC Jun 2 2018
This host: Primary - Active
Active time: 1082 (sec)
slot 0: empty
Interface management (172.16.212.96): Normal (Waiting)
Interface inside (10.1.1.1): Normal (Monitored)
Interface outside (150.1.115.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 137 (sec)
Interface management (0.0.0.0): Normal (Waiting)
Interface inside (10.1.1.2): Normal (Monitored)
Interface outside (150.1.115.2): Normal (Monitored)

  1. Interesting Log:

This is from primary:
ciscoasa(config)# failover
ciscoasa(config)# %ASA-1-105002: (Primary) Enabling failover.
.

    No Active mate detected

Beginning configuration replication: Sending to mate.
%ASA-1-709003: (Primary) Beginning configuration replication: Send to mate.
End Configuration Replication to mate
%ASA-1-709004: (Primary) End Configuration Replication (ACT)

This is from Secondary:
Detected an Active mate
Beginning configuration replication from mate.
%ASA-1-709005: (Secondary) Beginning configuration replication: Receiving from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.

WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.

ciscoasa(config)# %ASA-4-405003: IP address collision detected between host 169.254.0.15 at 5260.89c0.6003 and interface Failover_Stateless, 5260.89e7.4903

ciscoasa/act/pri# sh arp
inside 10.1.1.100 aabb.cc00.0200 2408
outside 150.1.115.100 aabb.cc00.0300 1761
Failover_Stateless 169.254.0.16 5260.89c0.6003 1248
Failover_Stateful 169.254.1.16 5260.89c0.6002 2030

ciscoasa/stby/sec# sh arp
inside 10.1.1.100 aabb.cc00.0200 2069
Failover_Stateless 169.254.0.15 5260.89e7.4903 1289
outside 150.1.115.100 aabb.cc00.0300 1802
Failover_Stateful 169.254.1.15 5260.89e7.4902 207

以上是关于Cisco ASA firewall Active/Standby failover的主要内容,如果未能解决你的问题,请参考以下文章

Cisco ASA(8.4)端口映射设定(ASDM)

Cisco ASA(8.4)端口映射设定(ASDM)

Cisco ASA - Permit/Deny Traffic Domain name FQDN

CISCO ASA防护墙详细AS/双出口配置切换---By 年糕泰迪

cisco asa5505 web管理的配置

求cisco 思科ASA5505 中文使用说明书