SlideShare ist ein Scribd-Unternehmen logo

Cisco asa active,active failover configuration

‱Als DOCX, PDF herunterladen‱
‱
IT Tech
IT Tech

The document describes how to configure active/active failover on Cisco ASA firewalls. Key steps include: 1) Configuring both ASA devices in multiple context mode. 2) Creating failover groups and assigning contexts to each group. 3) Configuring failover and stateful failover interfaces on each device. 4) Assigning IP addresses to interfaces in each context. This allows both devices to remain active and share the load, improving firewall throughput and availability.

Technologie
1 von 8
Cisco ASA Active/Active Failover Configuration The Cisco ASA failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. In case of Active/active configuration both Units carry traffic. For creating active/active Failover, configuring both ASA devices in Multiple context mode is required. For ASA redundancy scenario the two devices must be the same models, must have the same number and type of interfaces and the same license is required. ASA 5505 and 5510 do not support active/active failover without license upgrade. For active/active configuration, Failover Contexts and Failover groups need to be created. The Failover group is then applied to Primary or Secondary physical ASA unit. After this, the particular Failover group is applied to a Context. For example, primary unit is active ASA of Failover group1, but Secondary unit is Standby ASA of Failover group1. If primary ASA is out of order, Secondary ASA will become Active of Failover group1. For explaining Active/Active Failover configuration in details, let’s do the following LAB. HTTP://WWW.ROUTER-SWITCH.COM/
Click on the image above for larger size diagram Configuration !Switch both ASA devices to multiple context mode. asa(config)#mode multiple !When ASAs are reloaded, connect them to each other with Ge0/2 and Ge0/3 ports. First start with the Primary Unit configuration. Before starting configuration, all interfaces must be in the up state. !enable LAN Failover. asa(config)#failover lan enable !set this unit as primary. asa(config)#failover lan unit primary HTTP://WWW.ROUTER-SWITCH.COM/
Determine Failover and State interfaces. These two interfaces can be the same physical interface if you don’t need to consume one extra port. In our example here we use two separate physical interfaces. In this article, the “failover” (interface name for GigabitEthernet0/2) is used as a failover interface. !Define Failover Interface asa(config)#failover lan interface failover Ge0/2 !assign IP address on Failover Interface. MUST be in same Subnet as the standby on the other unit. asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2 In this documentation, the “state” (interface name for GigabitEthernet0/3) is used as a state interface. !Definestateful Failover interface asa(config)#failover link state Ge0/3 !assign IP address on Stateful Failover interface asa(config)#failover interface ip state 192.168.4.1 255.255.255.0 standby 192.168.4.2 !Create Failover groups, where Failover group1 will be the Primary, i.e. active on Primary Unit and Failover group2 will be the Standby on Primary Unit. Configure also HTTP Replication, after which occurs HTTP Connection state replication between active and Standby ASAs. Also determine Preempt Delay. Preempt Delay means in what time to regain role of Active after Fail Recovery. asa(config)#failover group 1 asa(config-fover-group)#primary asa(config-fover-group)#preempt 120 asa(config-fover-group)# replication http asa(config)#failover group 2 asa(config-fover-group)#secondary asa(config-fover-group)#preempt 120 asa(config-fover-group)# replication http Now let’s start creating Contexts and assigning interfaces in each Context. !Configure the admin context asa(config)# admin-context admin HTTP://WWW.ROUTER-SWITCH.COM/
asa(config)# context admin asa(config-ctx)# allocate-interface Management0/0 asa(config-ctx)# config-url disk0:/admin.cfg !configure the Sub-interfaces interface GigabitEthernet0/0.10 vlan 10 interface GigabitEthernet0/0.11 vlan 11 interface GigabitEthernet0/1.20 vlan 20 interface GigabitEthernet0/1.21 vlan 21 ! Configure the contexts asa(config)# context c1 asa(config-ctx)# allocate-interface gigabitethernet0/0.10 asa(config-ctx)# allocate-interface gigabitethernet0/1.20 asa(config-ctx)# config-url disk0:/c1.cfg asa(config)# context c2 asa(config-ctx)# allocate-interface gigabitethernet0/0.11 asa(config-ctx)# allocate-interface gigabitethernet0/1.21 asa(config-ctx)# config-url disk0:/c2.cfg !Snap each Context to Failover Groups. If we don’t indicate Contexts to Failover Groups, each context will be in Group1 by default. asa(config)# context c1 asa(config-ctx)# join-failover-group 1 asa(config)# context c2 asa(config-ctx)# join-failover-group 2 !Configure IP addresses on Context1. asa#changeto context c1 asa/c1# show running-config interface ! interface GigabitEthernet0/0.10 nameif outside security-level 0 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2 ! interface GigabitEthernet0/1.20 nameif inside security-level 100 HTTP://WWW.ROUTER-SWITCH.COM/
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2 !Configure IP addresses on Context2. asa#changeto context c2 asa/c2# show running-config interface ! interface GigabitEthernet0/0.11 nameif outside security-level 0 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2 ! interface GigabitEthernet0/1.21 nameif inside security-level 100 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2 ! Now let’s start Secondary Unit configuration. !Define Failover Interface asa(config)#failover lan interface failover Ge0/2 !assign IP address on Failover Interface. MUST be in same Subnet as other unit. asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2 !enable LAN Failover. asa(config)#failover lan enable !set this unit as secondary asa(config)#failover lan unit secondary With the above piece of configuration commands everything is completed and now let’s start checking. Verification: !verify Primary UNIT asa# show failover Failover On Failover unit Primary Failover LAN Interface: failover GigabitEthernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 HTTP://WWW.ROUTER-SWITCH.COM/
Monitored Interfaces 4 of 250 maximum Version: Ours 8.2(1), Mate 8.2(1) Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010 Group 2 last failover at: 10:13:04 tbilisi Oct 24 2010 This host: Primary Group 1 State: Active Active time: 14536379 (sec) Group 2 State: Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.1): Normal c1 Interface inside (192.168.20.1): Normal c2 Interface outside (192.168.11.1): Normal c2 Interface inside (192.168.21.1): Normal slot 1: empty Other host: Secondary Group 1 State: Standby Ready Active time: 1104 (sec) Group 2 State: Active Active time: 14537266 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.2): Normal c1 Interface inside (192.168.20.2): Normal c2 Interface outside (192.168.11.2): Normal c2 Interface inside (192.168.22.2): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : state GigabitEthernet0/3.2 (up) StatefulObj xmit xerr rcv rerr General 2405585244 0 75798262 188 sys cmd 1938317 0 1938317 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 1241561564 0 43443406 91 UDP conn 1157379296 0 28582971 84 ARP tbl 3799402 0 1833568 13 Xlate_Timeout 0 0 0 0 SIP Session 906665 0 0 0 Logical Update Queue Information Cur Max Total HTTP://WWW.ROUTER-SWITCH.COM/
Recv Q: 0 49 90335543 Xmit Q: 0 7 2405585244 !verify Secondary unit ASA# show failover Failover On Failover unit Secondary Failover LAN Interface: failover GigabitEthernet0/2 Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.2(1), Mate 8.2(1) Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010 Group 2 last failover at: 10:13:03 tbilisi Oct 24 2010 This host: Secondary Group 1 State: Standby Ready Active time: 1104 (sec) Group 2 State: Active Active time: 14537372 (sec) slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.2): Normal c1 Interface inside (192.168.20.2): Normal c2 Interface outside (192.168.11.2): Normal c2 Interface inside (192.168.21.2): Normal slot 1: empty Other host: Primary Group 1 State: Active Active time: 14536486 (sec) Group 2 State: Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.1): Normal c1 Interface inside (192.168.20.1): Normal c2 Interface outside (192.168.11.1): Normal c2 Interface inside (192.168.21.1): Normal slot 1: empty Stateful Failover Logical Update Statistics HTTP://WWW.ROUTER-SWITCH.COM/
Link : state GigabitEthernet0/3.2 (up) StatefulObj xmit xerr rcv rerr General 111758344 0 1089580597 1046 sys cmd 1938331 0 1938331 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 73801356 0 581933209 113 UDP conn 34185062 0 501003000 886 ARP tbl 1833595 0 3799403 36 Xlate_Timeout 0 0 0 0 SIP Session 0 0 906654 11 Logical Update Queue Information Cur Max Total Recv Q: 0 7 1104118240 Xmit Q: 0 1 111758344 As we observed from above, active/active Failover is working and everything is as expected. More Related Cisco and Networking Tips: How to Configure Dual ISP on Cisco ASA 5505? How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device? New Cisco ASA Clustering Feature Enables 320 Gbps Firewall HTTP://WWW.ROUTER-SWITCH.COM/

Empfohlen

ASA Failover
ASA FailoverASA Failover
ASA Failover
NetProtocol Xpert
 
CCNP ROUTE V7 CH7
CCNP ROUTE V7 CH7CCNP ROUTE V7 CH7
CCNP ROUTE V7 CH7
Chaing Ravuth
 
Asamatrx
AsamatrxAsamatrx
Asamatrx
Filmon Zeru
 
Deploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallDeploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA Firewall
KHNOG
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
Licenciatura en Redes y Sistemas Operativos
 
CCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRPCCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRP
Vuz Dở HÆĄi
 
Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
RHC Technologies
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
sarasanandam
 

Empfohlen

ASA Failover
ASA FailoverASA Failover
ASA Failover
NetProtocol Xpert
 
CCNP ROUTE V7 CH7
CCNP ROUTE V7 CH7CCNP ROUTE V7 CH7
CCNP ROUTE V7 CH7
Chaing Ravuth
 
Asamatrx
AsamatrxAsamatrx
Asamatrx
Filmon Zeru
 
Deploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA FirewallDeploy Failover/High Availability in ASA Firewall
Deploy Failover/High Availability in ASA Firewall
KHNOG
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06
Licenciatura en Redes y Sistemas Operativos
 
CCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRPCCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRP
Vuz Dở HÆĄi
 
Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
RHC Technologies
 
Cisco ospf
Cisco ospf Cisco ospf
Cisco ospf
sarasanandam
 
HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
MohamedJafar5
 
Ether channel fundamentals
Ether channel fundamentalsEther channel fundamentals
Ether channel fundamentals
Edgardo Scrimaglia
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
Duane Bodle
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
APNIC
 
Policy Based Routing
Policy Based RoutingPolicy Based Routing
Policy Based Routing
NetProtocol Xpert
 
CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6
Chaing Ravuth
 
CCIE Lab - IGP Routing
CCIE Lab - IGP Routing CCIE Lab - IGP Routing
CCIE Lab - IGP Routing
Kristof De Brouwer
 
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersCisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Bruno Teixeira
 
Ospf
OspfOspf
Ospf
Joshua Fonseca
 
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
anilinvns
 
CCNP ROUTE V7 CH4
CCNP ROUTE V7 CH4CCNP ROUTE V7 CH4
CCNP ROUTE V7 CH4
Chaing Ravuth
 
Routing and OSPF
Routing and OSPFRouting and OSPF
Routing and OSPF
arpit
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
Dsunte Wilson
 
06 evpn use-case_reviewv1
06 evpn use-case_reviewv106 evpn use-case_reviewv1
06 evpn use-case_reviewv1
ronsito
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
APNIC
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
Edgardo Scrimaglia
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
APNIC
 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
Cisco Canada
 
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Bruno Teixeira
 
Juniper Bgp
Juniper BgpJuniper Bgp
Juniper Bgp
Hussein Elmenshawy
 
PROYECTO VLANS
PROYECTO VLANSPROYECTO VLANS
PROYECTO VLANS
rubendavidsuarez
 
Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2
Aruba, a Hewlett Packard Enterprise company
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Ether channel fundamentals
Ether channel fundamentalsEther channel fundamentals
Ether channel fundamentals
Edgardo Scrimaglia
 
Routing and OSPF
Routing and OSPFRouting and OSPF
Routing and OSPF
arpit
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
Dsunte Wilson
 
06 evpn use-case_reviewv1
06 evpn use-case_reviewv106 evpn use-case_reviewv1
06 evpn use-case_reviewv1
ronsito
 

Was ist angesagt? (20)

HSRP ccna
HSRP ccna HSRP ccna
HSRP ccna
 
Ether channel fundamentals
Ether channel fundamentalsEther channel fundamentals
Ether channel fundamentals
 
Troubleshooting BGP
Troubleshooting BGPTroubleshooting BGP
Troubleshooting BGP
 
Segment Routing: A Tutorial
Segment Routing: A TutorialSegment Routing: A Tutorial
Segment Routing: A Tutorial
 
Policy Based Routing
Policy Based RoutingPolicy Based Routing
Policy Based Routing
 
CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6CCNP ROUTE V7 CH6
CCNP ROUTE V7 CH6
 
CCIE Lab - IGP Routing
CCIE Lab - IGP Routing CCIE Lab - IGP Routing
CCIE Lab - IGP Routing
 
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service ProvidersCisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
 
Ospf
OspfOspf
Ospf
 
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
 
CCNP ROUTE V7 CH4
CCNP ROUTE V7 CH4CCNP ROUTE V7 CH4
CCNP ROUTE V7 CH4
 
Routing and OSPF
Routing and OSPFRouting and OSPF
Routing and OSPF
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 
06 evpn use-case_reviewv1
06 evpn use-case_reviewv106 evpn use-case_reviewv1
06 evpn use-case_reviewv1
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.ppt
 
VXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building BlocksVXLAN BGP EVPN: Technology Building Blocks
VXLAN BGP EVPN: Technology Building Blocks
 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
 
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
Cisco Live! :: Introduction to Segment Routing :: BRKRST-2124 | Las Vegas 2017
 
Juniper Bgp
Juniper BgpJuniper Bgp
Juniper Bgp
 

Ähnlich wie Cisco asa active,active failover configuration

Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructions
trayyoo
 
Exercise 4c stp rapid pvst+ question
Exercise 4c stp rapid pvst+ questionExercise 4c stp rapid pvst+ question
Exercise 4c stp rapid pvst+ question
sufi1248
 
Ccna lab manual 640 802
Ccna lab manual 640 802Ccna lab manual 640 802
Ccna lab manual 640 802
manikkan
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
Asif
 

Ähnlich wie Cisco asa active,active failover configuration (20)

PROYECTO VLANS
PROYECTO VLANSPROYECTO VLANS
PROYECTO VLANS
 
Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2Aruba mobility access switch useful commands v2
Aruba mobility access switch useful commands v2
 
CMIT 350 FINAL EXAM CCNA CERTIFICATION PRACTICE EXAM
CMIT 350 FINAL EXAM CCNA CERTIFICATION PRACTICE EXAMCMIT 350 FINAL EXAM CCNA CERTIFICATION PRACTICE EXAM
CMIT 350 FINAL EXAM CCNA CERTIFICATION PRACTICE EXAM
 
Detailed explanation of Basic router configuration
Detailed explanation of Basic router configurationDetailed explanation of Basic router configuration
Detailed explanation of Basic router configuration
 
Important cisco-chow-commands
Important cisco-chow-commandsImportant cisco-chow-commands
Important cisco-chow-commands
 
Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructions
 
Exercise 4c stp rapid pvst+ question
Exercise 4c stp rapid pvst+ questionExercise 4c stp rapid pvst+ question
Exercise 4c stp rapid pvst+ question
 
portfolio2
portfolio2portfolio2
portfolio2
 
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdfBRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
BRKRST-3068 Troubleshooting Catalyst 2K and 3K.pdf
 
Spoto updated new
Spoto updated newSpoto updated new
Spoto updated new
 
Lab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relayLab 3.5.1 basic frame relay
Lab 3.5.1 basic frame relay
 
VoiceBootcamp Ccnp collaboration lab guide v1.0 sample
VoiceBootcamp Ccnp collaboration lab guide v1.0 sampleVoiceBootcamp Ccnp collaboration lab guide v1.0 sample
VoiceBootcamp Ccnp collaboration lab guide v1.0 sample
 
Session 2
Session 2Session 2
Session 2
 
Ccna lab manual 640 802
Ccna lab manual 640 802Ccna lab manual 640 802
Ccna lab manual 640 802
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp uk
 
Packettracersimulationlabl3routing 130306235157-phpapp02
Packettracersimulationlabl3routing 130306235157-phpapp02Packettracersimulationlabl3routing 130306235157-phpapp02
Packettracersimulationlabl3routing 130306235157-phpapp02
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
Day 13.1..1 catalyst switch
Day 13.1..1 catalyst switchDay 13.1..1 catalyst switch
Day 13.1..1 catalyst switch
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
3 2
3 23 2
3 2
 

Mehr von IT Tech

Mehr von IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

KĂŒrzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

KĂŒrzlich hochgeladen (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Cisco asa active,active failover configuration

  • 1. Cisco ASA Active/Active Failover Configuration The Cisco ASA failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. In case of Active/active configuration both Units carry traffic. For creating active/active Failover, configuring both ASA devices in Multiple context mode is required. For ASA redundancy scenario the two devices must be the same models, must have the same number and type of interfaces and the same license is required. ASA 5505 and 5510 do not support active/active failover without license upgrade. For active/active configuration, Failover Contexts and Failover groups need to be created. The Failover group is then applied to Primary or Secondary physical ASA unit. After this, the particular Failover group is applied to a Context. For example, primary unit is active ASA of Failover group1, but Secondary unit is Standby ASA of Failover group1. If primary ASA is out of order, Secondary ASA will become Active of Failover group1. For explaining Active/Active Failover configuration in details, let’s do the following LAB. HTTP://WWW.ROUTER-SWITCH.COM/
  • 2. Click on the image above for larger size diagram Configuration !Switch both ASA devices to multiple context mode. asa(config)#mode multiple !When ASAs are reloaded, connect them to each other with Ge0/2 and Ge0/3 ports. First start with the Primary Unit configuration. Before starting configuration, all interfaces must be in the up state. !enable LAN Failover. asa(config)#failover lan enable !set this unit as primary. asa(config)#failover lan unit primary HTTP://WWW.ROUTER-SWITCH.COM/
  • 3. Determine Failover and State interfaces. These two interfaces can be the same physical interface if you don’t need to consume one extra port. In our example here we use two separate physical interfaces. In this article, the “failover” (interface name for GigabitEthernet0/2) is used as a failover interface. !Define Failover Interface asa(config)#failover lan interface failover Ge0/2 !assign IP address on Failover Interface. MUST be in same Subnet as the standby on the other unit. asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2 In this documentation, the “state” (interface name for GigabitEthernet0/3) is used as a state interface. !Definestateful Failover interface asa(config)#failover link state Ge0/3 !assign IP address on Stateful Failover interface asa(config)#failover interface ip state 192.168.4.1 255.255.255.0 standby 192.168.4.2 !Create Failover groups, where Failover group1 will be the Primary, i.e. active on Primary Unit and Failover group2 will be the Standby on Primary Unit. Configure also HTTP Replication, after which occurs HTTP Connection state replication between active and Standby ASAs. Also determine Preempt Delay. Preempt Delay means in what time to regain role of Active after Fail Recovery. asa(config)#failover group 1 asa(config-fover-group)#primary asa(config-fover-group)#preempt 120 asa(config-fover-group)# replication http asa(config)#failover group 2 asa(config-fover-group)#secondary asa(config-fover-group)#preempt 120 asa(config-fover-group)# replication http Now let’s start creating Contexts and assigning interfaces in each Context. !Configure the admin context asa(config)# admin-context admin HTTP://WWW.ROUTER-SWITCH.COM/
  • 4. asa(config)# context admin asa(config-ctx)# allocate-interface Management0/0 asa(config-ctx)# config-url disk0:/admin.cfg !configure the Sub-interfaces interface GigabitEthernet0/0.10 vlan 10 interface GigabitEthernet0/0.11 vlan 11 interface GigabitEthernet0/1.20 vlan 20 interface GigabitEthernet0/1.21 vlan 21 ! Configure the contexts asa(config)# context c1 asa(config-ctx)# allocate-interface gigabitethernet0/0.10 asa(config-ctx)# allocate-interface gigabitethernet0/1.20 asa(config-ctx)# config-url disk0:/c1.cfg asa(config)# context c2 asa(config-ctx)# allocate-interface gigabitethernet0/0.11 asa(config-ctx)# allocate-interface gigabitethernet0/1.21 asa(config-ctx)# config-url disk0:/c2.cfg !Snap each Context to Failover Groups. If we don’t indicate Contexts to Failover Groups, each context will be in Group1 by default. asa(config)# context c1 asa(config-ctx)# join-failover-group 1 asa(config)# context c2 asa(config-ctx)# join-failover-group 2 !Configure IP addresses on Context1. asa#changeto context c1 asa/c1# show running-config interface ! interface GigabitEthernet0/0.10 nameif outside security-level 0 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2 ! interface GigabitEthernet0/1.20 nameif inside security-level 100 HTTP://WWW.ROUTER-SWITCH.COM/
  • 5. ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2 !Configure IP addresses on Context2. asa#changeto context c2 asa/c2# show running-config interface ! interface GigabitEthernet0/0.11 nameif outside security-level 0 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2 ! interface GigabitEthernet0/1.21 nameif inside security-level 100 ip address 192.168.21.1 255.255.255.0 standby 192.168.21.2 ! Now let’s start Secondary Unit configuration. !Define Failover Interface asa(config)#failover lan interface failover Ge0/2 !assign IP address on Failover Interface. MUST be in same Subnet as other unit. asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2 !enable LAN Failover. asa(config)#failover lan enable !set this unit as secondary asa(config)#failover lan unit secondary With the above piece of configuration commands everything is completed and now let’s start checking. Verification: !verify Primary UNIT asa# show failover Failover On Failover unit Primary Failover LAN Interface: failover GigabitEthernet0/2 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 HTTP://WWW.ROUTER-SWITCH.COM/
  • 6. Monitored Interfaces 4 of 250 maximum Version: Ours 8.2(1), Mate 8.2(1) Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010 Group 2 last failover at: 10:13:04 tbilisi Oct 24 2010 This host: Primary Group 1 State: Active Active time: 14536379 (sec) Group 2 State: Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.1): Normal c1 Interface inside (192.168.20.1): Normal c2 Interface outside (192.168.11.1): Normal c2 Interface inside (192.168.21.1): Normal slot 1: empty Other host: Secondary Group 1 State: Standby Ready Active time: 1104 (sec) Group 2 State: Active Active time: 14537266 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.2): Normal c1 Interface inside (192.168.20.2): Normal c2 Interface outside (192.168.11.2): Normal c2 Interface inside (192.168.22.2): Normal slot 1: empty Stateful Failover Logical Update Statistics Link : state GigabitEthernet0/3.2 (up) StatefulObj xmit xerr rcv rerr General 2405585244 0 75798262 188 sys cmd 1938317 0 1938317 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 1241561564 0 43443406 91 UDP conn 1157379296 0 28582971 84 ARP tbl 3799402 0 1833568 13 Xlate_Timeout 0 0 0 0 SIP Session 906665 0 0 0 Logical Update Queue Information Cur Max Total HTTP://WWW.ROUTER-SWITCH.COM/
  • 7. Recv Q: 0 49 90335543 Xmit Q: 0 7 2405585244 !verify Secondary unit ASA# show failover Failover On Failover unit Secondary Failover LAN Interface: failover GigabitEthernet0/2 Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 4 of 250 maximum Version: Ours 8.2(1), Mate 8.2(1) Group 1 last failover at: 05:12:14 tbilisi Dec 7 2010 Group 2 last failover at: 10:13:03 tbilisi Oct 24 2010 This host: Secondary Group 1 State: Standby Ready Active time: 1104 (sec) Group 2 State: Active Active time: 14537372 (sec) slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.2): Normal c1 Interface inside (192.168.20.2): Normal c2 Interface outside (192.168.11.2): Normal c2 Interface inside (192.168.21.2): Normal slot 1: empty Other host: Primary Group 1 State: Active Active time: 14536486 (sec) Group 2 State: Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys) c1 Interface outside (192.168.10.1): Normal c1 Interface inside (192.168.20.1): Normal c2 Interface outside (192.168.11.1): Normal c2 Interface inside (192.168.21.1): Normal slot 1: empty Stateful Failover Logical Update Statistics HTTP://WWW.ROUTER-SWITCH.COM/
  • 8. Link : state GigabitEthernet0/3.2 (up) StatefulObj xmit xerr rcv rerr General 111758344 0 1089580597 1046 sys cmd 1938331 0 1938331 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 73801356 0 581933209 113 UDP conn 34185062 0 501003000 886 ARP tbl 1833595 0 3799403 36 Xlate_Timeout 0 0 0 0 SIP Session 0 0 906654 11 Logical Update Queue Information Cur Max Total Recv Q: 0 7 1104118240 Xmit Q: 0 1 111758344 As we observed from above, active/active Failover is working and everything is as expected. More Related Cisco and Networking Tips: How to Configure Dual ISP on Cisco ASA 5505? How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device? New Cisco ASA Clustering Feature Enables 320 Gbps Firewall HTTP://WWW.ROUTER-SWITCH.COM/