
Failover

Lesson 16

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-1


Understanding Failover



Hardware and Stateful Failover

• Hardware failover
  – Connections are dropped.
  – Client applications must reconnect.
  – Provides hardware redundancy.
  – Provided by serial or LAN-based failover link.
• Stateful failover
  – TCP connections remain active.
  – No client applications need to reconnect.
  – Provides redundancy and stateful connection.
  – Provided by stateful link.



Hardware Failover: Active/Standby
[Figure: active/standby pair before and after failover. Before: primary active, secondary standby. After: primary failed, secondary active.]

Hardware failover protects the network should the primary go offline.

• Active/Standby: Only one unit can be actively processing traffic while the other is a hot standby.

Hardware Failover: Active/Active

[Figure: active/active pair with contexts 1 and 2 on each unit. Before failover: primary active/standby, secondary standby/active. After failover: primary failed/standby, secondary active/active.]

Hardware failover protects the network should the primary go offline.

• Active/Active: Both units can process traffic and serve as backup units.


Failover Requirements
The primary and secondary security appliances must be identical in the following requirements:
• Same model number and hardware configurations
• Same software versions* (prior to version 7.0)
• Same operating mode
• Same features (DES or 3DES)
• Same amount of Flash memory and RAM
• Proper licensing*

Failover Interface Test

• Link up/down test: Testing the network interface card itself
• Network activity test: Testing received network activity
• ARP test: Reading the security appliance ARP cache for the 10 most recently acquired entries
• Broadcast ping test: Sending out a broadcast ping request


Types of Failover Links
[Figure: primary and secondary security appliances (interfaces e0 to e3) on networks 192.168.0.0/24 and 10.0.0.0/24, joined by three kinds of failover link: cable-based (PIX Security Appliance only), LAN-based, and stateful.]


Serial Cable-Based Failover Configuration


Serial Cable: Active/Standby Failover
[Figure: serial-cable active/standby pair. Before failover: primary (active) holds 192.168.1.2 and 10.0.1.1, secondary (standby) holds 192.168.1.7 and 10.0.1.7. After failover: primary (failed) holds 192.168.1.7 and 10.0.1.7, secondary (active) holds 192.168.1.2 and 10.0.1.1.]


Overview of Configuring Failover with a Failover Serial Cable

Complete the following tasks to configure failover with a failover serial cable:
• Attach the security appliance network interface cables.
• Connect the failover cable between the primary and secondary firewalls.
• Configure the primary firewall for failover and save the configuration to flash memory.
• Power on the secondary firewall.


Step 1: Cable the Secondary Security Appliance

[Figure: primary (.2 outside, .1 inside) and secondary (.7 outside, .7 inside) security appliances cabled between the 192.168.1.0 network on the Internet side and the 10.0.1.0 network.]


Step 3: Configuring the Primary Security Appliance

[Figure: primary fw1 (.2, .1) and the secondary (.7, .7) between 192.168.1.0 and 10.0.1.0, joined by the failover cable.]

• Enable failover on the primary security appliance.
• Create active and standby IP addresses on the primary security appliance.
• (Optionally) Set the failover poll time.

fw1(config)# failover
fw1(config)# interface ethernet0
fw1(config-if)# ip address 192.168.1.2 255.255.255.0 standby 192.168.1.7
fw1(config)# interface ethernet1
fw1(config-if)# ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
fw1(config)# failover polltime unit msec 500


show failover Command: Secondary Security Appliance Not Connected

fw1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate Unknown
Last Failover at: 13:21:38 UTC Dec 10 2006
This host: Primary - Active
Active time: 200 (sec)
Interface outside (192.168.1.2): Normal (Waiting)
Interface inside (10.0.1.1): Normal (Waiting)
Other host: Secondary - Not detected
Active time: 0 (sec)
Interface outside (192.168.1.7): Unknown (Waiting)
Interface inside (10.0.1.7): Unknown (Waiting)

Stateful Failover Logical Update Statistics
Link : Unconfigured


Configuration Replication
[Figure: the primary security appliance replicates its configuration to the secondary security appliance.]

Configuration replication occurs:
• When the standby firewall completes its initial bootup
• As commands are entered on the active firewall
• By entering the write standby command


Step 4: Powering on the Secondary Firewall

[Figure: the secondary security appliance (.7, .7) is powered on and primary fw1 (.2, .1) replicates its configuration to it; networks 192.168.1.0 and 10.0.1.0.]

• Replication of primary security appliance to secondary security appliance

Detected an active mate
Beginning configuration replication to mate.
End configuration replication to mate.


show failover Command
Detected an active mate
Beginning configuration replication to mate.
End configuration replication to mate.

fw1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 13:21:38 UTC Dec 10 2006
This host: Primary - Active
Active time: 320 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (192.168.1.7): Normal
Interface inside (10.0.1.7): Normal

Stateful Failover Logical Update Statistics
Link : Unconfigured
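
The two show failover outputs above differ in the fields worth checking after bringing up a pair: mate version, peer state, interface status, and the stateful link. The following is an added example, not part of the course material, that extracts those fields from active/standby output; the function name and finding strings are illustrative, and the sample text is abbreviated from the outputs on this page.

```python
import re

# Constructed sample input, abbreviated from the two outputs on this page.
NOT_CONNECTED = """\
Failover On
Failover unit Primary
Version: Ours 7.2(1), Mate Unknown
This host: Primary - Active
Interface outside (192.168.1.2): Normal (Waiting)
Interface inside (10.0.1.1): Normal (Waiting)
Other host: Secondary - Not detected
Interface outside (192.168.1.7): Unknown (Waiting)
Interface inside (10.0.1.7): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : Unconfigured
"""
PAIRED = """\
Failover On
Failover unit Primary
Version: Ours 7.2(1), Mate 7.2(1)
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
Other host: Secondary - Standby Ready
Interface outside (192.168.1.7): Normal
Interface inside (10.0.1.7): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured
"""

VERSION = re.compile(r"Version: Ours (\S+), Mate (\S+)")
HOST = re.compile(r"(This|Other) host: (\w+)\s*[-\u2013]\s*(.+)")  # hyphen or en dash
IFACE = re.compile(r"Interface (\S+) \((\S+)\): (\w+)")

def check_failover(text):
    """Return findings for one unit's active/standby `show failover` output."""
    lines = [line.strip() for line in text.splitlines()]
    findings = []
    if "Failover On" not in lines:
        findings.append("failover is not enabled")
    ver = VERSION.search(text)
    if ver and ver.group(1) != ver.group(2):
        findings.append(f"software version mismatch: ours {ver.group(1)}, mate {ver.group(2)}")
    host = "unknown"  # unit whose interface lines are currently being read
    for line in lines:
        m = HOST.match(line)
        if m:
            host = m.group(2)
            if m.group(1) == "Other" and m.group(3) not in ("Active", "Standby Ready"):
                findings.append(f"peer {host} state: {m.group(3)}")
            continue
        m = IFACE.match(line)
        if m and m.group(3) != "Normal":
            findings.append(f"{host} interface {m.group(1)} ({m.group(2)}): {m.group(3)}")
        if re.match(r"Link\s*:\s*Unconfigured", line):
            # Without a stateful link this is hardware failover only.
            findings.append("stateful link unconfigured: connections drop on failover")
    return findings

if __name__ == "__main__":
    for name, text in (("not connected", NOT_CONNECTED), ("paired", PAIRED)):
        print(name, check_failover(text))
```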



Force Control Back
[Figure: primary fw1 and secondary fw2 on networks 192.168.1.0 and 10.0.1.0, with the active and standby roles changing between the two units.]

firewall(config)# failover active
• Forces control of the connection back to the unit you are accessing

fw2(config)# failover active


Active/Standby LAN-Based Failover Configuration


LAN-Based Failover Overview

LAN-based failover:
• Provides long-distance failover functionality
• Uses an Ethernet cable rather than the serial failover cable
• Requires a dedicated LAN interface, but the same interface can be used for stateful failover
• Enables you to use a dedicated switch, hub, or VLAN, or a crossover cable to connect the two security appliances
• Uses message encryption and authentication to secure failover transmissions


LAN-Based Failover Configuration Overview

Complete the following tasks to configure LAN-based failover:

1. Install a LAN-based failover connection between primary and secondary security appliances.
2. Configure the primary security appliance.
3. Configure the primary security appliance for stateful failover.
4. Save the primary security appliance configuration to flash memory.
5. Power on the secondary security appliance.
6. Configure the secondary security appliance with the minimum failover LAN command set.
7. Save the secondary security appliance configuration to flash memory.
8. Connect the secondary unit LAN failover interface to the network.
9. Reboot the secondary security appliance.


Cabling LAN Failover

[Figure: primary and secondary security appliances, each with g0/0 on 192.168.1.0 (Internet side) and g0/1 on 10.0.1.0, joined by a LAN failover link between their g0/2 interfaces.]


Configuring LAN Failover: Primary
[Figure: primary asa1 (.2 on 192.168.1.0, .1 on 10.0.1.0) and secondary asa2 (.7, .7), with the failover network 172.17.1.0 between them (.1 and .7).]

asa1(config)# interface GigabitEthernet0/2
asa1(config-if)# no shut
asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa1(config)# failover lan unit primary
asa1(config)# failover key 1234567
asa1(config)# failover


Stateful Failover
[Figure: primary asa1 and secondary asa2 between 192.168.1.0 and 10.0.1.0, with the stateful failover link between their g0/2 interfaces.]

ciscoasa(config)# failover link if_name [phy_if]
• Specifies the name of the dedicated interface used for stateful failover

asa1(config)# failover link LANFAIL


Configuring LAN Failover: Secondary
[Figure: primary asa1 and secondary asa2 between 192.168.1.0 and 10.0.1.0, with the failover network 172.17.1.0 between them (.1 and .7).]

asa2(config)# interface GigabitEthernet0/2
asa2(config-if)# no shut
asa2(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa2(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa2(config)# failover lan unit secondary
asa2(config)# failover key 1234567
asa2(config)# failover
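
An added check for the LAN-based procedure above (example code, not from the course material): it parses the primary and secondary sessions from this page and flags what weakens the failover link, namely a missing, mismatched, or weak failover key, a failover interface without a standby address, and a primary without a stateful link. The function names and the 16-character key threshold are assumptions.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "asa1(config-if)# "

# The sessions from this page; the primary includes the stateful failover command.
PRIMARY = """\
asa1(config)# interface GigabitEthernet0/2
asa1(config-if)# no shut
asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa1(config)# failover lan unit primary
asa1(config)# failover key 1234567
asa1(config)# failover
asa1(config)# failover link LANFAIL
"""
SECONDARY = (PRIMARY.replace("asa1", "asa2")
             .replace("unit primary", "unit secondary")
             .replace("asa2(config)# failover link LANFAIL\n", ""))

def parse(session):
    """Strip CLI prompts and collect the failover settings of one unit."""
    cfg = {"enabled": False, "unit": None, "key": None, "link": None, "fo_ip": None}
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw.strip())
        w = cmd.split()
        if cmd == "failover":
            cfg["enabled"] = True
        elif w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            cfg["unit"] = w[3]
        elif w[:2] == ["failover", "key"] and len(w) == 3:
            cfg["key"] = w[2]
        elif w[:2] == ["failover", "link"] and len(w) >= 3:
            cfg["link"] = w[2]
        elif w[:3] == ["failover", "interface", "ip"]:
            cfg["fo_ip"] = tuple(w[3:])
    return cfg

def audit_pair(primary, secondary, min_key_len=16):
    """Return findings for a failover pair; min_key_len is an assumed local policy."""
    p, s = parse(primary), parse(secondary)
    findings = []
    for name, c in (("primary", p), ("secondary", s)):
        if not c["enabled"]:
            findings.append(f"{name}: failover not enabled")
        if c["unit"] != name:
            findings.append(f"{name}: failover lan unit is {c['unit']}")
        if c["key"] is None:
            # The key is what turns on encryption and authentication of failover messages.
            findings.append(f"{name}: no failover key, failover messages are unprotected")
        elif len(c["key"]) < min_key_len or c["key"].isdigit():
            findings.append(f"{name}: weak failover key")  # never echo the key itself
        if c["fo_ip"] is None or "standby" not in c["fo_ip"]:
            findings.append(f"{name}: failover interface has no standby address")
    if p["key"] != s["key"]:
        findings.append("failover keys differ between units")
    if p["fo_ip"] != s["fo_ip"]:
        findings.append("failover interface ip differs between units")
    if p["link"] is None:
        findings.append("primary: no stateful failover link, connections drop on failover")
    return findings

if __name__ == "__main__":
    print(audit_pair(PRIMARY, SECONDARY))
```

Run against the classroom configuration, the only findings are the weak key on both units.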



Replication to Secondary

Beginning configuration replication sending to mate.
End configuration replication to mate.

[Figure: primary asa1 replicating its configuration to secondary asa2.]


show failover Command with LAN-Based Failover

asa2(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
Unit Poll frequency 500 milliseconds, holdtime 6 seconds
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 18:03:38 UTC Dec 12 2006
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
Interface outside (192.168.1.7): Normal (Waiting)
Interface inside (10.0.1.7): Normal (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
IPS, 5.0(2)S152.0 Up
Other host: Primary - Active
Active time: 3795 (sec)
slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal (Waiting)
Interface inside (10.0.1.1): Normal (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
IPS, 5.0(2)S152.0 Up
. . .


failover mac address Command
[Figure: primary asa1 with virtual MAC addresses. Outside: active 00a0.c989.e481, standby 00a0.c969.c7f1. Inside: active 00a0.c976.cde5, standby 00a0.c922.9176.]

ciscoasa(config)# failover mac address mif_name act_mac stn_mac
• Enables you to configure a virtual MAC address for a security appliance failover pair

asa1(config)# failover mac address GigabitEthernet0/0 00a0.c989.e481 00a0.c969.c7f1
asa1(config)# failover mac address GigabitEthernet0/1 00a0.c976.cde5 00a0.c922.9176


Active/Active Failover Configuration


Active/Active Failover
[Figure: Unit A and Unit B, each carrying contexts CTX1 and CTX2 on interfaces g0/0, g0/1, g0/3, and m0/0 and connected to each other through g0/2. Unit A: CTX1 active, CTX2 standby. Unit B: CTX1 standby, CTX2 active.]

Active/active failover requires the use of contexts. For example, you could have two security appliances with two contexts each.
• CTX1
• CTX2
Under normal conditions, each security appliance has one active and one standby context.
• The active context processes traffic.
• The standby context is located in the peer security appliance.


Active/Active Failover (Cont.)
[Figure: Unit A with CTX1 failed and CTX2 standby (failed/standby); Unit B with CTX1 and CTX2 both active (active/active).]

Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.
• CTX1 is placed in a failed state.
• Unit A has one failed and one standby context.
CTX1 on Unit B becomes active.
• Unit B has two active contexts.
• Both active contexts pass traffic.
Failover can be context-based or unit-based.

Configure the Failover Link

[Figure: asa1 (172.17.1.1) and asa2 (172.17.1.7) connected through their g0/2 interfaces by the failover link; each unit carries CTX1 and CTX2.]

asa1(config)# interface GigabitEthernet0/2
asa1(config-if)# no shut
asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7
asa1(config)# failover link LANFAIL GigabitEthernet0/2
asa1(config)# failover key 1234567
• Configures the failover link on the primary security appliance


Failover Group
[Figure: primary and secondary units (172.17.1.1 and 172.17.1.7 on g0/2), each with CTX1 in failover group 1 and CTX2 in failover group 2.]

• Active/active failover adds support for a failover group. A group is comprised of one or more contexts.
• Failover is performed at a unit or group level.
• Each failover group contains separate state machines to keep track of the group failover state.

asa1(config)# failover group 1
asa1(config-fover-group)# primary
asa1(config-fover-group)# exit
asa1(config)# failover group 2
asa1(config-fover-group)# secondary


Context: Allocate Interfaces and Assign a Failover Group Number

[Figure: on each unit, CTX1 (group 1) uses g0/0 and g0/1 and CTX2 (group 2) uses g0/3 and m0/0.]

• Associate interfaces and a group to a context

asa1(config)# context CTX1
asa1(config-ctx)# allocate-interface GigabitEthernet0/0
asa1(config-ctx)# allocate-interface GigabitEthernet0/1
asa1(config-ctx)# config-url flash:/CTX1.cfg
asa1(config-ctx)# join-failover-group 1
asa1(config)# context CTX2
asa1(config-ctx)# allocate-interface GigabitEthernet0/3
asa1(config-ctx)# allocate-interface Management0/0
asa1(config-ctx)# config-url flash:/CTX2.cfg
asa1(config-ctx)# join-failover-group 2

Context: Configure Interfaces

Context 1
• Interface g0/0
  – IP address 192.168.1.2
  – Standby address 192.168.1.7
• Interface g0/1
  – IP address 10.0.1.1
  – Standby address 10.0.1.7
Context 2
• Interface g0/3
  – IP address 192.168.31.1
  – Standby address 192.168.31.7
• Interface m0/0
  – IP address 10.0.31.1
  – Standby address 10.0.31.7

asa1(config)# changeto context CTX1
asa1/CTX1(config)# interface GigabitEthernet0/0
asa1/CTX1(config-if)# ip address 192.168.1.2 255.255.255.0 standby 192.168.1.7
asa1/CTX1(config-if)# nameif outside
asa1/CTX1(config-if)# exit
asa1/CTX1(config)# interface GigabitEthernet0/1
asa1/CTX1(config-if)# ip address 10.0.1.1 255.255.255.0 standby 10.0.1.7
asa1/CTX1(config-if)# nameif inside
asa1/CTX1(config-if)# exit


Show Failover: Part 1
[Figure: primary (group 1 active, group 2 standby) with CTX1 at 192.168.1.2 and 10.0.1.1 and CTX2 at 192.168.31.7 and 10.0.31.7; secondary (group 1 standby, group 2 active) with CTX1 at 192.168.1.7 and 10.0.1.7 and CTX2 at 192.168.31.1 and 10.0.31.1; failover link 172.17.1.1 to 172.17.1.7 on g0/2.]

asa1# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Group 1 last failover at: 15:54:49 UTC Dec 17 2006
Group 2 last failover at: 15:55:00 UTC Dec 17 2006


Show Failover: Part 2
asa1# show failover
. . .
This host: Primary
Group 1 State: Active
Active time: 63015 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)

CTX1 Interface outside (192.168.1.2): Normal
CTX1 Interface inside (10.0.1.1): Normal
CTX2 Interface outside (192.168.31.7): Normal
CTX2 Interface inside (10.0.31.7): Normal


Show Failover: Part 3
asa1# show failover
. . .
Other host: Secondary
Group 1 State: Standby
Active time: 0 (sec)
Group 2 State: Active
Active time: 61815 (sec)

CTX1 Interface outside (192.168.1.7): Normal
CTX1 Interface inside (10.0.1.7): Normal
CTX2 Interface outside (192.168.31.1): Normal
CTX2 Interface inside (10.0.31.1): Normal


Show Failover Group
asa1# show failover group 1

Last Failover at: 15:54:49 UTC Dec 14 2006

This host: Primary
State: Active
Active time: 61920 (sec)

CTX1 Interface outside (192.168.1.2): Normal
CTX1 Interface inside (10.0.1.1): Normal
CTX2 Interface outside (192.168.31.7): Normal
CTX2 Interface inside (10.0.31.7): Normal


Switching a Failover State
[Figure: primary unit with CTX1 (group 1) active and CTX2 (group 2) standby; group 2 is being activated.]

ciscoasa(config)# failover active [group group_id]
• Activates a group or unit

asa1(config)# failover active group 2
• Changes CTX2 from standby to active


Summary

• In order for failover to work, a pair of security appliances must be identical in several respects, including platform type and model, number and types of interfaces, amount of flash memory, and amount of RAM.
• When failover occurs, the security appliance unit type (primary or secondary) does not change; however, the role (active or standby) of the unit does change. In multiple context mode, the role of the context changes.
• With stateful failover, connection status is tracked and relayed between security appliances; therefore, connections remain active.
• With active/standby failover, only one security appliance actively processes user traffic while the other unit acts as a hot standby and is prepared to take over if the active unit fails.


Summary (Cont.)

• With active/active failover, both units can actively process firewall traffic while serving as a backup for their peer unit.
• Active/active failover is only available to security appliances in multiple context mode.
• The configuration of the primary security appliance is replicated to the secondary security appliance during configuration replication.
• Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.


Lab Visual Objective
[Figure: lab topology. Web/FTP server (.50) and RBB (.150) on 172.26.26.0; primary (.2, .1) and secondary (.7, .7) security appliances between 192.168.P.0 and 10.0.P.0, linked to each other over 172.16.P.0 (.1 and .7); RTS (.100) and the student PC (10.0.P.11) on 10.0.P.0.]


Lab Visual Objective
[Figure: lab topology. Web/FTP server (.50) and RBB (.150) on 172.26.26.0; primary and secondary security appliances with interfaces g0/0, g0/1, g0/3, and m0/0 on networks 192.168.P.0, 192.168.30+P.0, 10.0.P.0, and 10.0.30+P.0, linked through g0/2 (.1 and .7); RTS (.100) and the student PC (10.0.P.11) on 10.0.P.0.]

