To use stateful failover, you need to configure a failover link (which carries the unit and interface-health information) and a state link (which carries the connection state). The two can be the same physical link if it has enough bandwidth for both!
There are two types of standby mode:
-Active/Standby - The primary device actively serves connections, while the secondary device stays in hot standby (passive) mode. When the active device goes down, the standby appliance takes over the active IP and MAC addresses.
-Active/Active - There is still a single primary ASA device, but this mode is only available in multiple context mode. The contexts are split into two failover groups, and each ASA is the active unit for one of the groups.
For failover to work, the hardware model, the number and type of interfaces, and the software version must match! There are also two failover mechanisms performed by an ASA:
-LAN-Based Failover - A link between the two devices is required to share unit and interface-health information. The failover hello messages are sent as IP protocol 105.
-Stateful Failover - A link between the two devices is required to share the connection state information.
The two devices can be connected via a switch or a straight/crossover cable.
Devices configured for failover will constantly monitor the interfaces (up to 250) through link up/down tests, activity tests, ARP cache verifications, broadcast ping test, and so on.
I will now configure failover with the following topology. I'll begin with Active/Standby first:
The top network is 1.1.1.0/24 and the bottom network is 2.2.2.0/24. First of all, we'll configure the interface IP addresses and the failover settings on the primary unit:
in e0
nameif OUTSIDE
ip add 1.1.1.1 255.255.255.0 standby 1.1.1.2
no shut
in e1
nameif INSIDE
ip add 2.2.2.1 255.255.255.0 standby 2.2.2.2
no shut
in e2
no shut
exit
failover lan unit primary
failover lan interface FAILOVER Ethernet2
failover lan enable
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
failover
Then we configure the secondary ASA as follows (the failover interface command is identical on both units; enabling failover is the last step):
in e2
no shut
exit
failover lan unit secondary
failover lan interface FAILOVER Ethernet2
failover lan enable
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
failover
Notice that I did not configure IP addresses for the interfaces on the secondary unit. This is because once the secondary unit detects the primary over the failover link, the configuration is automatically replicated to it. The messages you will see are:
ASAPrimary# Beginning configuration replication: Sending to mate.
ASASecondary# Beginning configuration replication from mate.
ASAPrimary# End Configuration Replication to mate.
ASASecondary# End configuration replication from mate.
Notice that even the hostnames went across! Right now on the Secondary unit, a "show int ip br" will look like this:
Interface    IP-Address   OK? Method Status                Protocol
Ethernet0    1.1.1.2      YES CONFIG up                    up
Ethernet1    2.2.2.2      YES CONFIG up                    up
Ethernet2    3.3.3.2      YES unset  up                    up
Ethernet3    unassigned   YES unset  administratively down up
Ethernet4    unassigned   YES unset  administratively down up
Pull the plug on ASAPrimary and check "show int ip br" again on the secondary unit; this is what you'll end up with (the prompt still reads ASAPrimary because the hostname was replicated):
ASAPrimary# Switching to Active
Interface    IP-Address   OK? Method Status                Protocol
Ethernet0    1.1.1.1      YES CONFIG up                    up
Ethernet1    2.2.2.1      YES CONFIG up                    up
Ethernet2    3.3.3.2      YES unset  up                    up
Ethernet3    unassigned   YES unset  administratively down up
Ethernet4    unassigned   YES unset  administratively down up
Remember the stateful information that's supposed to go across? Well, this is how we configure it on the primary appliance (reusing the same link for state, which is the "same link if there is enough bandwidth" case from above):
failover link FAILOVER e2
Now set up a Telnet session through the firewall pair, cause a failure, and watch as your Telnet session survives!
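Putting the steps above together, here is the complete Active/Standby configuration for both units as an added example; it is not a block from the original post, but it uses the post's addresses, interface names and FAILOVER link. The commands are in the order the ASA expects (the "failover" command that turns the feature on comes last), the state link is configured up front rather than afterwards, and the PIX-era "failover lan enable" line is left out. Two things are assumptions of this example, not from the post: the explicit security-level values on OUTSIDE and INSIDE, and the "failover key" line, which makes the two units authenticate and encrypt the failover and replication traffic on Ethernet2 (without it, the replicated configuration, passwords included, crosses that link in the clear). The key string is a placeholder and must be identical on both units. The "!" lines are annotations and are ignored by the CLI.

```cisco
! ---- Primary unit ----
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
 no shutdown
interface Ethernet1
 nameif INSIDE
 security-level 100
 ip address 2.2.2.1 255.255.255.0 standby 2.2.2.2
 no shutdown
interface Ethernet2
 description failover + state link (same physical link, bandwidth permitting)
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER Ethernet2
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
! state link on the same interface as the failover link
failover link FAILOVER Ethernet2
! assumed hardening: shared secret protecting failover/replication traffic (placeholder value)
failover key CHANGE-ME-shared-failover-secret
! enabling failover is the last step
failover

! ---- Secondary unit ----
interface Ethernet2
 no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER Ethernet2
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
failover link FAILOVER Ethernet2
failover key CHANGE-ME-shared-failover-secret
failover

! ---- Verification, on either unit ----
show failover
show failover state
show conn count
```

Before pulling the plug on the primary, "show failover" should report the local unit as "Active" and the mate as "Standby Ready" with both the failover link and the stateful link listed; if the state link is missing from that output, the Telnet session will not survive the failover. "show conn count" on the standby unit should track the active unit's count closely once state replication is running.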