Friday, July 23, 2010

CCNA Security 34

In a stateless hardware failover model, all existing connections maintained by the primary appliance are dropped, because the state information is lost with it. During this period most applications see some form of outage while the new Active ASA rebuilds its state table. To fix this, you'll need to enable ASA's stateful failover feature. With stateful failover, the state tables are replicated to the standby unit, so the new Active appliance already holds them when it takes over.
To use stateful failover, you need to configure a link for the failover (link) information and another link for the state information. The two links can be the same physical link if there is enough bandwidth!

There are two types of standby mode:
-Active/Standby - The primary device actively serves connections, while the secondary device stays in a hot standby (passive) mode. When the Active device goes down, the Secondary standby appliance assumes the failover (active) IP addresses.
-Active/Active - There is still a single primary ASA device, but this mode is only available in Multiple Context Mode. One context on each ASA acts as the primary for its standby (failover) group.

For stateful failover to work, the platform type, installed platform upgrades and the software version must match! There are also two failover mechanisms performed by an ASA:
-LAN-Based Failover - A link between the two devices is required to share the failover (link) information. The failover messages sent use protocol ID 105.
-Stateful Failover - A link between the two devices is required to share the stateful information.

The two devices can be connected via a switch or a straight/crossover cable.

Devices configured for failover will constantly monitor the interfaces (up to 250) through link up/down tests, activity tests, ARP cache verifications, broadcast ping test, and so on.
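To make the difference between stateless and stateful failover concrete, here is an added toy model (my own example, not Cisco code and not part of the original post). It simulates the Active/Standby pair from the lab above, with the same interface addressing, and shows two things: on failover the standby unit takes over the active IP addresses, and a connection that was established before the failure survives only if its state-table entry was replicated, because a stateful firewall drops a mid-stream (non-SYN) segment for a flow it has no entry for. The class names, the Flow tuple and the "allow"/"drop" strings are assumptions made for the illustration.

```python
"""Toy model of ASA Active/Standby failover (constructed example, not Cisco code).

Address plan mirrors the post's lab: OUTSIDE 1.1.1.0/24, INSIDE 2.2.2.0/24,
each interface with an active IP and a standby IP. Everything else here
(class names, Flow, the allow/drop verdicts) is an assumption for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one connection in the state (conn) table."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Unit:
    name: str
    role: str                       # "active", "standby" or "failed"
    interfaces: dict                # nameif -> (active IP, standby IP)
    conns: set = field(default_factory=set)   # the unit's state table

    def ip_of(self, nameif):
        """IP the unit currently answers on, as set by 'ip address ... standby ...'."""
        active_ip, standby_ip = self.interfaces[nameif]
        if self.role == "active":
            return active_ip
        if self.role == "standby":
            return standby_ip
        return None                 # a failed unit owns no address


class FailoverPair:
    def __init__(self, stateful):
        ifaces = {"OUTSIDE": ("1.1.1.1", "1.1.1.2"),
                  "INSIDE": ("2.2.2.1", "2.2.2.2")}
        self.primary = Unit("ASAPrimary", "active", dict(ifaces))
        self.secondary = Unit("ASASecondary", "standby", dict(ifaces))
        self.stateful = stateful    # True = 'failover link' configured

    @property
    def active(self):
        return self.primary if self.primary.role == "active" else self.secondary

    @property
    def standby(self):
        return self.secondary if self.primary.role == "active" else self.primary

    def process(self, flow, syn):
        """Stateful-inspection decision on one segment.

        A SYN opens a new entry (and, with stateful failover, the entry is
        replicated to the standby). A non-SYN segment is allowed only if the
        active unit already has an entry for the flow.
        """
        unit = self.active
        if syn:
            unit.conns.add(flow)
            if self.stateful:
                self.standby.conns.add(flow)   # sent over the stateful failover link
            return "allow"
        return "allow" if flow in unit.conns else "drop"

    def fail_over(self):
        """Pull the plug on the active unit: its state table is gone and the
        standby assumes the active role (and with it the active IPs)."""
        old, new = self.active, self.standby
        old.role = "failed"
        old.conns.clear()
        new.role = "active"
        return new


def telnet_survives(stateful):
    """Return True if a telnet session opened before the failure is still
    allowed afterwards, for the given failover mode."""
    pair = FailoverPair(stateful)
    session = Flow("tcp", "2.2.2.10", 40000, "1.1.1.10", 23)
    pair.process(session, syn=True)         # session established via ASAPrimary
    pair.fail_over()                         # ASAPrimary dies
    return pair.process(session, syn=False) == "allow"   # next data segment


if __name__ == "__main__":
    pair = FailoverPair(stateful=False)
    print("before failover:", pair.active.name, pair.active.ip_of("OUTSIDE"))
    pair.fail_over()
    print("after failover: ", pair.active.name, pair.active.ip_of("OUTSIDE"))
    print("stateless telnet survives:", telnet_survives(False))
    print("stateful  telnet survives:", telnet_survives(True))
```

The model is deliberately simple (no hello timers, no interface monitoring), but the verdict it produces is the one you will observe on the real pair: without `failover link`, the first data segment after the switchover hits a unit with no matching entry and is dropped, which is what kills the session.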

I will now configure failover with the following topology. I'll begin with Active/Standby:


The top network is 1.1.1.0/24 and the bottom network is 2.2.2.0/24. First of all, we'll configure the interface IP addresses for the failover on Primary:
! Data interfaces: the active IP is used by whichever unit is Active,
! the standby IP by whichever unit is Standby
interface Ethernet0
nameif OUTSIDE
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
no shutdown
interface Ethernet1
nameif INSIDE
ip address 2.2.2.1 255.255.255.0 standby 2.2.2.2
no shutdown
! Dedicated failover (LAN-based) link; it gets no nameif or ip address of its own
interface Ethernet2
no shutdown
exit
failover lan unit primary
failover lan interface FAILOVER Ethernet2
failover lan enable
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
! Enable failover last, once the failover interface is defined
failover


Then we configure Secondary ASA as follows:
! Only the failover link is configured by hand; everything else is replicated
interface Ethernet2
no shutdown
exit
failover lan unit secondary
failover lan interface FAILOVER Ethernet2
failover lan enable
failover interface ip FAILOVER 3.3.3.1 255.255.255.0 standby 3.3.3.2
failover


Notice that I did not configure an IP address for the data interfaces on the secondary unit. This is because once the secondary unit detects the primary, the configuration is automatically replicated to it. The messages you will see are:
ASAPrimary# Beginning configuration replication: Sending to mate.
ASASecondary# Beginning configuration replication from mate.
ASAPrimary# End Configuration Replication to mate
ASAPrimary# End configuration replication from mate.


Notice that even the hostnames went across! Right now on the Secondary unit, a "show int ip br" will look like this:
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  1.1.1.2         YES CONFIG up                    up
Ethernet1                  2.2.2.2         YES CONFIG up                    up
Ethernet2                  3.3.3.2         YES unset  up                    up
Ethernet3                  unassigned      YES unset  administratively down up
Ethernet4                  unassigned      YES unset  administratively down up


Pull the plug on ASAPrimary and check "show int ip br" again and this is what you'll end up with:
ASAPrimary# Switching to Active
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  1.1.1.1         YES CONFIG up                    up
Ethernet1                  2.2.2.1         YES CONFIG up                    up
Ethernet2                  3.3.3.2         YES unset  up                    up
Ethernet3                  unassigned      YES unset  administratively down up
Ethernet4                  unassigned      YES unset  administratively down up


Remember the stateful information that's supposed to go across? This is how we'll configure it on the primary appliance, reusing the same Ethernet2 link as the stateful failover link:
failover link FAILOVER Ethernet2

Now set up a telnet session through the ASA, cause a failure, and watch as your telnet session survives!
