Configuring Active/Standby failover on an ASA

Configuring Active/Standby failover on Cisco ASA

Considerations:
Licensing: Primary firewall must have unrestricted (UR) license. Secondary must have UR, failover(FA), or active/active(FA-AA) licenses.

Connection: The failover port can either be serial(Pix only) or Ethernet.
The serial port must use a proprietary RS-232 cable. The cable is labeled for the primary and secondary ends. The primary end MUST be plugged into the primary firewall.

The Ethernet failover uses a dedicated Ethernet port and connects either via crossover or plugs into a switch using a straight through cable. If using a switch, it must either be a dedicated switch that only uses the 2 ports needed for failover or must have a dedicated VLAN.

LAN based failover takes longer to failover because Ethernet ports take longer to recognize a problem.

Failover link communicates state info, power status (serial only), MAC address of firewalls, keep alives, Interface status, and configuration replication.


Statesync: Statesync synchronizes the Nat table, connections, arp, l2
bridging (transparent firewalls), VPNS, clock, DHCP leases, user auth, and routing. By default HTTP sessions are not synced. If state sync will be used a dedicated Ethernet port that is at least as fast as the fastest active port must be used.


Failover takes place when:
Active firewall experiences hardware failure
Active firewall has a power failure
Active firewall has software failure
Many monitored interfaces fail at the firewall level
-when hello message are not received on a monitored interface the firewall tests link state to ensure its up (checks for disconnects or bad switch ports), listens for network activity for 5 seconds. If no network connectivity, it runs and arp test (arp requests). If no response is received, the firewall sends out a broadcast.
No failover active command is used on the active firewall
Failover active command is used on the standby

The default poll is every 15 seconds. The default hold time is 45 seconds (3 polls). The device is considered failed if hellos are not received in 45 seconds.


The serial cable is intelligent enough to distinguish between a power failure and an unplugged cable.

If the primary firewall boots up and sees that the secondary is active, the primary will become standby.

When a failover occurs, the IP and MAC addresses are swapped between firewalls.


Configuring failover:
Do not power on the secondary firewall
Configure IP addressed on each interface on the primary firewall.
Interface ethernet0
Nameif outside
Ip address 10.5.1.1 255.255.255.0 standby 10.5.1.2
No shutdown

Enable LAN based failover
Failover lan enable

Configure the LAN failover interface and IP it
Failover lan interface ip lanlink 172.16.1.1 255.255.255.0 standby 172.16.1.2
Interface eth2
No shut

Power on the secondary unit and disconnect the failover interface
On secondary do the following
Failover lan enable
Failover lan interface lanlink eth2
Failover interface ip lanlink 172.16.1.1 255.255.255.0 standby 172.16.1.1
Interface eth2
No shut
Failover lan unit secondary
Failover

This completes the setup. If using state sync, do the following:
Failover link eth3 state
Ip address state 172.16.2.1 255.255.255.0 standby 172.16.2.2
Inter eth3
No shut


Additional options:
Forcing a failover from primary- no failover active
Forcing a failover from the secondary – failover active
Disabling failover- no failover
Adjust poll time –failover polltime unit holdtime
To turn off monitoring of specific interfaces- no monitor-inter


To encrypt communications over the failover link – failover key
Enable http replication- failover repl http

Failover troubleshooting:


Show fail command status:
Cable status:
Normal-Cable is operating normally.
My side not connected-Serial not connected to the firewall on which you entered the command.
Other side not connected-serial not connected to the other firewall
Other side powered off-serial is connected but the firewall is powered off.
N/A Lan based failover is enabled-no serial status because LAN based failover is configured.

Failover Unit status:
Normal-Interface is functioning
No link-Line Protocol is down
Link Down-Administratively down
Failed-Interface has failed checks
Unknown-status undetermined
Waiting-Monitoring of this interface on the other firewall has not started.

Debug options debug fover
Cable –LAN or serial cable status
Fail- failover internal exception
Fmsg – failover message
Ifc- Network interface status trace
Open- Failover device open
Rx- failover message receive
rxdmp-serial message receive dump
rxip-IP failover packet received
switch-switching status
sync-command replication
txdmp-cable transmit dump
verify-message verify