CISCO - ASA FailOver Active/Standby
Configuring Failover
Remarks
a) The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and type of interfaces, the same amount of Flash memory, and the same amount of RAM.
b) The two units in a failover configuration must be in the same operating mode and must run the same major (first number) and minor (second number) software version.
c) The two units in a failover pair constantly communicate over the failover link to determine the operating status of each unit. You can use any unused Ethernet interface on the device as the failover link. You cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it should only be used for the failover link (and optionally for the Stateful Failover link).
d) The unit that becomes active assumes the IP addresses and the MAC addresses of the failed unit and begins passing traffic. The unit that is now in the standby state takes over the standby IP and MAC addresses. Because network devices see no change in the MAC-to-IP address pairing, no ARP entries change or time out anywhere on the network. This does not apply to the failover link.
Configuration synchronization
Configuration synchronization occurs when one or both units in a failover pair boot. The configurations are synchronized as follows:
- When a unit boots while the peer unit is active, the booting unit contacts the active unit to obtain the running configuration, regardless of the primary or secondary designation of the booting unit.
- When both units boot simultaneously, the secondary unit obtains the running configuration from the primary unit.
On the unit receiving the configuration, the configuration exists only in running memory. To save the configuration to flash after synchronization, enter write memory all on the active unit.
Global configuration process
A ) Configure the primary unit
Step 1 - Configure the IP address on each interface (the active and standby IP address). This step is not needed for the failover interface.
ip address active_addr netmask standby standby_addr
Step 2 - Designate the unit as the primary unit
failover lan unit primary
Step 3 – Define the failover interface
failover lan interface if_name phys_if
if_name assigns a name to the interface specified by phys_if. phys_if can be a physical port name (ex. ethernet0) or a previously defined subinterface (ex. ethernet0/1.1).
Step 4 – Assign the active and standby address to the failover link
failover interface ip if_name ip_addr netmask standby ip_addr
Step 5 – Optional – Enable the Stateful Failover
failover link if_name phys_if
Step 6 – Enable the Failover interface
interface phys_if
no shutdown
Step 7 – Enable Failover
failover
Note 1 : If the Stateful Failover link uses the failover link, then you only need to supply the if_name argument.
Note 2 : The standby IP address must be in the same subnet as the active IP address.
B) Configure the secondary unit
Step 1 – Define the interface used as the failover interface
failover lan interface if_name phys_if
Step 2 – Assign the active and standby address to the failover link
failover interface ip if_name ip_addr netmask standby ip_addr
Enter the command exactly as you entered it on the primary unit.
Step 3 – Enable the interface
interface phys_if
no shutdown
Step 4 – Optional - Designate the unit as the secondary unit
failover lan unit secondary
Step 5 – Enable Failover
failover
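The two procedures above, carried through as one complete configuration for both units. This is an added example, not text from the original page: the hostnames, interface names (GigabitEthernet0/0 to 0/3), the RFC 5737 documentation addresses and the interface names folink/stateful are all assumed, and the shared secret is a placeholder to be replaced. The stateful link is placed on its own interface here, so it needs its own failover interface ip line (per Note 1, that line is unnecessary when the stateful link shares the failover link). The failover key and the monitor-interface commands come from the sections that follow; the key is entered on both units before failover is enabled so that the first synchronization is already authenticated.

```cisco
! ===== Primary unit =====
hostname asa-primary
! Step 1 - active and standby address on every data interface (not on the failover interfaces)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 no shutdown
! Step 2 - this unit is the primary
failover lan unit primary
! Step 3 / 4 - failover link on an unnamed interface, standby address in the same /30
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 203.0.113.1 255.255.255.252 standby 203.0.113.2
! Step 5 - dedicated Stateful Failover link (assumed separate interface, so it gets its own addresses)
failover link stateful GigabitEthernet0/3
failover interface ip stateful 203.0.113.5 255.255.255.252 standby 203.0.113.6
! Authenticate and encrypt the failover traffic (placeholder secret, must match on the secondary)
failover key REPLACE_WITH_SHARED_SECRET
! Step 6 - bring up the physical failover interfaces
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
! Interface monitoring: inside and outside decide a failover, management does not
monitor-interface inside
monitor-interface outside
! Step 7 - enable failover
failover
! Persist the synchronized configuration on the active unit
write memory all

! ===== Secondary unit =====
! Steps 1 and 2 - failover link commands entered exactly as on the primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 203.0.113.1 255.255.255.252 standby 203.0.113.2
failover link stateful GigabitEthernet0/3
failover interface ip stateful 203.0.113.5 255.255.255.252 standby 203.0.113.6
! Same shared secret as the primary (placeholder)
failover key REPLACE_WITH_SHARED_SECRET
! Step 3 - enable the physical interfaces
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
! Step 4 - designate as secondary
failover lan unit secondary
! Step 5 - enable failover; the data interface configuration is pulled from the primary
failover
```

After the secondary comes up, show failover on either unit should report the primary as Active and the secondary as Standby Ready; if the failover key differs between the units, the peers never reach that state, which is the first thing to check when the secondary stays in a failed or negotiating state.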
Disabling / Enabling Interface Monitoring
By default, monitoring of physical interfaces is enabled and monitoring of subinterfaces is disabled. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others.
- to disable health monitoring for an interface – no monitor-interface if_name
- to enable health monitoring for an interface – monitor-interface if_name
Main commands and options
Configuring Failover communication Authentication / Encryption
You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key.
failover key {secret | hex key}
Verifying the failover configuration and state
To verify the failover configuration you can use the following commands:
show failover
show monitor-interface -> Shows the status of the monitored interfaces
show running-config failover -> Shows the failover commands in the running configuration
write standby -> Resynchronizes configurations that have become out of sync
preempt -> Causes the unit to automatically become active when the unit becomes available
no failover active -> Forces a failover to the standby unit. Executed from the active unit, the active unit becomes standby
failover active -> Restores the unit to active status. Executed from the standby unit, the standby unit becomes active
no failover -> Disables failover. The state of each unit doesn't change until you restart
failover reset -> Restores a failed unit to an unfailed state
The failover process generates syslog messages 411001 and 411002.