Cisco ASA firewall Active/Standby failover

In this article, I will briefly explain the Active/Standby failover configuration on the Cisco ASA. The lab is done in GNS3.

  1. Physical Topology:
  2. Configuration:
    ciscoasa/act/pri(config)# sh run failover
    failover
    failover lan unit primary
    failover lan interface Failover_Stateless GigabitEthernet0/2
    failover link Failover_Stateful GigabitEthernet0/1
    failover interface ip Failover_Stateless 169.254.0.15 255.255.255.0 standby 169.254.0.16
    failover interface ip Failover_Stateful 169.254.1.15 255.255.255.0 standby 169.254.1.16
  3. Pitfalls:
    The two ASAs in a failover pair must have an identical hardware platform, software version and license for failover to work.
    The order in which failover is configured matters: done in the wrong order, configuration replication can overwrite the active unit's configuration with a blank one.
    Also, every configuration change must be made on the primary/active unit so that it is synchronized to the standby unit.
    To make the prompt show the unit's failover state and priority (as in ciscoasa/act/pri above), do this:
    config # prompt hostname state priority
  4. Failover can be stateless or stateful. In the configuration above, G0/2 (Failover_Stateless) is the failover LAN link that carries unit hello and replication traffic, and G0/1 (Failover_Stateful) is the stateful failover link that replicates connection state.
  5. The "show failover" command shows the current failover state. To have an interface monitored for failover, enable monitoring for it and configure a standby IP address on that interface:
    config # monitor-interface inside | outside | etc.

    ciscoasa/act/pri(config)# sh monitor-interface
    This host: Primary - Active
    Interface management (172.16.212.96): Normal (Waiting)
    Interface inside (10.1.1.1): Normal (Monitored)
    Interface outside (150.1.115.1): Normal (Monitored)
    Other host: Secondary - Standby Ready
    Interface management (0.0.0.0): Normal (Waiting)
    Interface inside (10.1.1.2): Normal (Monitored)
    Interface outside (150.1.115.2): Normal (Monitored)

  6. To test, enter "failover active" on the secondary ASA. An existing telnet TCP connection is not interrupted, because the stateful failover link has already replicated the connection to the standby unit, as "show conn" on the standby confirms:

ciscoasa/stby/sec# sh conn
9 in use, 9 most used

TCP outside 150.1.115.100:23 inside 10.1.1.100:32526, idle 0:00:18, bytes 147, flags UIO
ciscoasa/stby/sec#

ciscoasa/act/pri# sh failover interface
interface Failover_Stateless GigabitEthernet0/2
System IP Address: 169.254.0.15 255.255.255.0
My IP Address : 169.254.0.15
Other IP Address : 169.254.0.16
interface Failover_Stateful GigabitEthernet0/1
System IP Address: 169.254.1.15 255.255.255.0
My IP Address : 169.254.1.15
Other IP Address : 169.254.1.16

ciscoasa/act/pri# sh failover

Failover On
Failover unit Primary
Failover LAN Interface: Failover_Stateless GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 36 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(2), Mate 9.6(2)
Serial Number: Ours 9A9PLK9VKN2, Mate 9A8UNB99VES
Last Failover at: 11:59:50 UTC Jun 2 2018
This host: Primary - Active
Active time: 1082 (sec)
slot 0: empty
Interface management (172.16.212.96): Normal (Waiting)
Interface inside (10.1.1.1): Normal (Monitored)
Interface outside (150.1.115.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 137 (sec)
Interface management (0.0.0.0): Normal (Waiting)
Interface inside (10.1.1.2): Normal (Monitored)
Interface outside (150.1.115.2): Normal (Monitored)
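As an added example (not part of the original post), the following script turns the "show failover" output above and the checks from the pitfalls list into an automated health check: it parses the output and flags failover being off, a software version mismatch between the units, units not in the expected Active / Standby Ready pair, and any interface without a standby IP address (the 0.0.0.0 the replication log warned about, seen here on the secondary's management interface). The sample text is copied from the lab output above; the function and field names are my own.

```python
import re

# Constructed sample input: the "show failover" fields this check reads, copied from the lab output above.
SHOW_FAILOVER = """Failover On
Version: Ours 9.6(2), Mate 9.6(2)
This host: Primary - Active
Interface management (172.16.212.96): Normal (Waiting)
Interface inside (10.1.1.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Interface management (0.0.0.0): Normal (Waiting)
Interface inside (10.1.1.2): Normal (Monitored)
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)$")

def parse_show_failover(text):
    """Parse "show failover" text into the fields the health check needs."""
    result = {"on": False, "versions": None, "hosts": {}}
    current = None  # "This" or "Other": the host whose interface lines follow
    for line in (l.strip() for l in text.splitlines()):
        if line == "Failover On":
            result["on"] = True
        elif m := VERSION_RE.match(line):
            result["versions"] = (m.group(1), m.group(2))
        elif m := HOST_RE.match(line):
            current = m.group(1)
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3).strip(), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            result["hosts"][current]["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3), "mode": m.group(4)}
    return result

def failover_findings(parsed):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if not parsed["on"]:
        findings.append("failover is not enabled")
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    states = sorted(h["state"] for h in parsed["hosts"].values())
    if states != ["Active", "Standby Ready"]:
        findings.append("unexpected unit states: %s" % states)
    for host, h in parsed["hosts"].items():
        for name, i in h["interfaces"].items():
            if i["ip"] == "0.0.0.0":  # the replication log warned about exactly this: no standby IP
                findings.append("%s host: interface %s has no standby IP address" % (host, name))
            elif i["status"] != "Normal":
                findings.append("%s host: interface %s is %s" % (host, name, i["status"]))
    return findings
```

Run it against the text captured from "show failover" on the active unit; any non-empty findings list means the pair is not in the state the article describes.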

  7. Interesting log:

This is from primary:
ciscoasa(config)# failover
ciscoasa(config)# %ASA-1-105002: (Primary) Enabling failover.
.

    No Active mate detected

Beginning configuration replication: Sending to mate.
%ASA-1-709003: (Primary) Beginning configuration replication: Send to mate.
End Configuration Replication to mate
%ASA-1-709004: (Primary) End Configuration Replication (ACT)

This is from Secondary:
Detected an Active mate
Beginning configuration replication from mate.
%ASA-1-709005: (Secondary) Beginning configuration replication: Receiving from mate.
WARNING: Disabling auto import may affect Smart Licensing
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.

WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.

ciscoasa(config)# %ASA-4-405003: IP address collision detected between host 169.254.0.15 at 5260.89c0.6003 and interface Failover_Stateless, 5260.89e7.4903

ciscoasa/act/pri# sh arp
inside 10.1.1.100 aabb.cc00.0200 2408
outside 150.1.115.100 aabb.cc00.0300 1761
Failover_Stateless 169.254.0.16 5260.89c0.6003 1248
Failover_Stateful 169.254.1.16 5260.89c0.6002 2030

ciscoasa/stby/sec# sh arp
inside 10.1.1.100 aabb.cc00.0200 2069
Failover_Stateless 169.254.0.15 5260.89e7.4903 1289
outside 150.1.115.100 aabb.cc00.0300 1802
Failover_Stateful 169.254.1.15 5260.89e7.4902 207

Original source: http://blog.51cto.com/blade20/2123505

Posted: 2024-12-11 20:32:58
