ASA Firewall HA

Hello,

I need help setting up Cisco ASA High Availability Failover.

2 ASA Firewalls
5520
Latest Software version

Public Interface 64.x.x.x
Private Interface 192.168.6.x
DMZ Interface 192.168.20.x

We would like to set them up to have automatic failover between the two.

I am fairly new to the ASAs, so please include as much details as possible.

Thank you very much,

Zeke
Zeke2016 asked:
 
ffleisma (Senior Network Engineer) commented:
1. Can we use the cross-over cable to connect the two firewalls directly and use it as a fail-over link?
Unlike in the setup I've shown above, where the failover connects to the switch and is assigned its own VLAN/subnet, yes, you can connect it directly between the firewalls as your failover interface. It is the same setup that Pete did in his article mentioned above. Cheers Pete!

1.

Since your primary ASA is already active and in production, you can start off with the following on the primary ASA:
ciscoasa(config)# failover lan interface failover GigabitEthernet3
INFO: Non-failover interface config is cleared on GigabitEthernet3 and its sub-interfaces
ciscoasa(config)# failover interface ip failover 10.1.1.1 255.255.255.252 stan$
ciscoasa(config)# failover key password-failover
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover
ciscoasa(config)# failover link failover GigabitEthernet3
ciscoasa(config)# !
ciscoasa(config)# prompt hostname state
ciscoasa/act(config)# !
ciscoasa/act(config)# interface GigabitEthernet3
ciscoasa/act(config-if)# no shut
ciscoasa/act(config-if)#

Line 1, I'm using interface GigabitEthernet3 for this example; you can choose whatever interface you like. You can even choose to use the Management interface to save the regular interfaces for other uses.
Line 5, This unit is designated as primary. The secondary ASA will be assigned "failover lan unit secondary".
Line 6, At this point you are enabling failover. But do note that nothing will happen yet, since the neighbor is not yet configured. This should not impact your production.
Line 7, Enables stateful failover. With stateful failover, traffic states are maintained on both active and standby, hence current connection states (not all) are not dropped during an active firewall failure.
Line 9, This is not necessary, but what it does is show the hostname together with the state of the firewall. As you can see, the hostname prompt changes to "ciscoasa/act". This is handy to keep track of which ASA device you are configuring or accessing.

2.

Now for the secondary ASA. This can be a blank-config ASA you are introducing; the failover will sync the configuration between primary and secondary. What you need to add is as follows:
ciscoasa(config)# failover lan interface failover GigabitEthernet3
INFO: Non-failover interface config is cleared on GigabitEthernet3 and its sub-interfaces
ciscoasa(config)# failover interface ip failover 10.1.1.1 255.255.255.252 stan$
ciscoasa(config)# failover key password-failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover
ciscoasa(config)# failover link failover GigabitEthernet3
ciscoasa(config)# !
ciscoasa(config)# prompt hostname state
ciscoasa/act(config)# !
ciscoasa/act(config)# interface GigabitEthernet3
ciscoasa/act(config-if)# no shut
ciscoasa/act(config-if)#
ciscoasa/act(config-if)# .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

INFO: Issuing "tls-proxy maximum-sessions 10000" command due to license change

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot

ciscoasa/stby(config-if)#

Line 5, be sure to assign the secondary unit as secondary; you wouldn't want the real primary to sync its running-config from a blank-config ASA. If all goes well, the two ASAs will detect each other as shown. The snippets I've shown are done on an ASA running in GNS3.

3.

Now check the failover with "show failover":
ciscoasa/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 03:17:01 UTC Mar 12 2015
        This host: Primary - Active
                Active time: 1015 (sec)
                  Interface outside (64.1.1.1): Normal (Waiting)
                  Interface inside (192.168.6.1): Normal (Waiting)
                  Interface dmz (192.168.20.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface dmz (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         56         0          55         0
        sys cmd         55         0          55         0
!
!(output omitted)

At this point, is failover working? Yes. Is the setup complete? No.
Notice lines 13-18: the secondary ASA has no IP address assigned yet.

4.

Configure the secondary (standby) IP:
ciscoasa/act(config)# show run int gi1
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.0
ciscoasa/act(config)#
ciscoasa/act(config)# interface GigabitEthernet1
ciscoasa/act(config-if)# ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
ciscoasa/act(config-if)#
ciscoasa/act(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 03:17:01 UTC Mar 12 2015
        This host: Primary - Active
                Active time: 1336 (sec)
                  Interface outside (64.1.1.1): Normal (Waiting)
                  Interface inside (192.168.6.1): Normal (Waiting)
                  Interface dmz (192.168.20.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (192.168.6.2): Normal (Waiting)
                  Interface dmz (0.0.0.0): Normal (Waiting)

Line 9, The secondary IP for the inside interface is now set. Add the secondary IP for the rest of the interfaces.

Can you please clarify what is the process when active ASA goes down and standby takes over? Will the above 64.1.1.2 become 64.1.1.1 (the one that primary ASA had)?
Let's force a failover as shown below:
ciscoasa/stby# failover active

        Switching to Active
ciscoasa/act#
ciscoasa/act#
ciscoasa/act# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                64.1.1.1        255.255.255.0   manual
GigabitEthernet1         inside                 192.168.6.1     255.255.255.0   manual
GigabitEthernet2         dmz                    192.168.20.1    255.255.255.0   manual
GigabitEthernet3         failover               10.1.1.1        255.255.255.252 unset
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                64.1.1.1        255.255.255.0   manual
GigabitEthernet1         inside                 192.168.6.1     255.255.255.0   manual
GigabitEthernet2         dmz                    192.168.20.1    255.255.255.0   manual
GigabitEthernet3         failover               10.1.1.2        255.255.255.252 unset
ciscoasa/act#
ciscoasa/stby# show int GigabitEthernet1 | inc MAC address
        MAC address 0000.aba6.4b00, MTU 1500
ciscoasa/stby#
ciscoasa/stby# failover active

        Switching to Active
ciscoasa/act#
ciscoasa/act# show int GigabitEthernet1 | inc MAC address
        MAC address 0000.abe7.9801, MTU 1500
ciscoasa/act#

Line 1, We access the stby ASA and issue the "failover active" command.
Line 3-4, This device is now the active firewall, as you can see from the hostname prompt. Handy huh?
Line 6, This ASA now takes on the primary IP address.
Line 21 and 28, Not only does the ASA take the primary IP, it also takes the primary MAC address.

Lastly, I forgot to mention one important detail. Before making any changes, make sure that both of your ASAs are the same hardware and are running the same software version, with the same license features installed on both, if there are any.

Sorry for the long post; hopefully this clarifies some of your questions. Let me know if you have anything further, I'd be glad to help out!
0
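A readiness check for the "show failover" output walked through in steps 3 and 4, added here as an example and not part of the thread: it parses the output (the sample is constructed from the format shown above) and reports the gaps the answer points out, such as a mate interface still at 0.0.0.0, a software version mismatch, or a stateful link that was never configured.

```python
import re
# Constructed sample modelled on the thread's step-3 "show failover" output: failover is up,
# but the secondary still lacks a standby IP on "outside" and no stateful link is configured.
SAMPLE = """\
Failover On
Version: Ours 8.4(2), Mate 8.4(2)
        This host: Primary - Active
                  Interface outside (64.1.1.1): Normal (Waiting)
                  Interface inside (192.168.6.1): Normal (Waiting)
        Other host: Secondary - Standby Ready
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (192.168.6.2): Normal (Waiting)
        Link : Unconfigured.
"""
HOST_RE = re.compile(r"^\s*(This|Other) host: (\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): ([\w-]+) \(([\w-]+)\)")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")

def parse_show_failover(text):
    """Extract unit states, per-interface (ip, status, monitoring), versions and stateful link."""
    parsed = {"enabled": text.lstrip().startswith("Failover On"),
              "versions": None, "stateful_link": None, "hosts": {}}
    side = None  # "this" or "other", set by the most recent host header line
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            side = m.group(1).lower()
            parsed["hosts"][side] = {"unit": m.group(2), "state": m.group(3), "ifaces": {}}
        elif (m := IFACE_RE.match(line)) and side:
            name, ip, status, mon = m.groups()
            parsed["hosts"][side]["ifaces"][name] = (ip, status, mon)
        elif m := VERSION_RE.match(line):
            parsed["versions"] = m.groups()
        elif line.strip().startswith("Link :"):
            parsed["stateful_link"] = line.split(":", 1)[1].strip()
    return parsed

def failover_findings(parsed):
    """Return the problems still to fix; an empty list means the pair is ready."""
    out = []
    if not parsed["enabled"]:
        out.append("failover is not enabled")
    if parsed["versions"] and len(set(parsed["versions"])) > 1:
        out.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    mate = parsed["hosts"].get("other")
    if mate is None:
        out.append("mate not detected")
    elif mate["state"] != "Standby Ready":
        out.append("mate state is '%s', not 'Standby Ready'" % mate["state"])
    else:  # mate is ready, so every interface should already carry its standby IP
        out += ["no standby IP on interface %s" % n for n, (ip, _, _) in mate["ifaces"].items() if ip == "0.0.0.0"]
    for host in parsed["hosts"].values():
        out += ["interface %s on %s is %s" % (n, host["unit"], st) for n, (_, st, _) in host["ifaces"].items() if st != "Normal"]
    if parsed["stateful_link"] and parsed["stateful_link"].startswith("Unconfigured"):
        out.append("stateful link unconfigured: add 'failover link <name> <interface>'")
    return out
```

Feed it the real output of "show failover" from the active unit; once every interface has its standby address and the stateful link is up, the findings list is empty.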
 
ffleisma (Senior Network Engineer) commented:
Can you provide the software version of the ASA you are using? Depending on the software version (pre-8.3 vs. 8.3 and above), the firewall configuration will differ slightly. Just to be sure, it would be better if you could check the device software beforehand.

Also, what will your firewall configuration approach be: via CLI (command line) or via ASDM (GUI)?

Lastly, do you need the entire firewall configuration set up, meaning is this a start-from-scratch setup you are building?

Be glad to help you out.
0
 
ffleisma (Senior Network Engineer) commented:
I'll start off with the network topology for the HA ASA. Logically it would look something like below:
[Logical Diagram]
Depending on the number of switches (L2 or L3 switch) you will use; I'll assume a single L2 switch for now. The physical network would look something like below:
[Physical Diagram]
Now with regards to the switchport configuration, it would look something like below:
enable
!
configure terminal
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!VLAN CONFIGURATION
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
vlan 10
 name VL010_ASA_FAILOVER
 exit
!
vlan 11
 name VL011_INSIDE01
 exit
!
vlan 21
 name VL021_DMZ01
 exit
!
vlan 30
 name VL030_OUTSIDE01
 exit
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!INTERFACE CONFIGURATION
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! 
interface FastEthernet1/1
 description ASA/act mgt0/0 - 10.1.1.1/30 failover
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/2
 description ASA/act Gi0 - 64.x.x.1/24 outside
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/3
 description ASA/act Gi1 - 192.168.6.1/24 inside
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/4
 description ASA/act Gi2 - 192.168.20.1/24 dmz
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/5
 description ASA/stby mgt0/0 - 10.1.1.2/30 failover
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/6
 description ASA/stby Gi0 - 64.x.x.2/24 outside
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/7
 description ASA/stby Gi1 - 192.168.6.2/24 inside
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/8
 description ASA/stby Gi2 - 192.168.20.2/24 dmz
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/9
 description Internet Router Fa0/0 - 64.x.x.254
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/x
 description inside HOST
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast enable
 no shut
!
interface FastEthernet1/y
 description dmz SERVER
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast enable
 no shut
!

Now for the active-standby setup of the ASA:
We start off by configuring the active/primary firewall via the command line:
configure terminal
!
hostname ASA
!
failover lan interface failover mgt0/0
failover interface ip failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key password-failover
failover lan unit primary
failover
!
prompt hostname state
!
interface mgt0/0
no shut
!


We then proceed with configuring the standby/secondary ASA:
configure terminal
!
failover lan interface failover mgt0/0
failover interface ip failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key password-failover
failover lan unit secondary
failover
!
interface mgt0/0
no shut
!

Once the two ASAs see each other, you should see something like this:
ciscoasa/act(config)# int mgt0/0
ciscoasa/act(config-if)# no shut
ciscoasa/act(config-if)# end
ciscoasa/act# Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.
Beginning configuration replication: Sending to mate.
ciscoasa/act# End Configuration Replication to mate

ciscoasa/act#

At this point your ASAs are in active/standby and it is time to configure the interfaces.
You just need to do this on the active ASA:
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 64.1.1.1 255.255.255.0 standby 64.1.1.2
 no shut
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
 no shut
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
 no shut
!

You can verify the failover with the following:
ciscoasa/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 07:05:19 UTC Mar 11 2015
        This host: Primary - Active
                Active time: 5370 (sec)
                  Interface outside (64.1.1.1): Normal (Monitored)
                  Interface inside (192.168.6.1): Normal (Monitored)
                  Interface dmz (192.168.20.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 143 (sec)
                  Interface outside (64.1.1.2): Normal (Monitored)
                  Interface inside (192.168.6.2): Normal (Monitored)
                  Interface dmz (192.168.20.2): Normal (Monitored)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

ciscoasa/act#


And that should cover the basic configuration of an active-standby ASA pair. Let me know if you have further questions, I'd be glad to help out.

Another reference you can use to learn more about act/stby ASA:
http://www.petenetlive.com/KB/Article/0000048.htm
0

 
Pete Long (Technical Consultant) commented:
^^^ Top Website that like :)
0
 
Zeke2016 (Author) commented:
Thank you Ffleisma. That helps a lot. I greatly appreciate it.

We are running on version 9.1. One of the firewalls is in place and it's working properly. The second one will be the new addition.

And in regard to the configuration approach, I was informed that the best way would be via CLI. What would you suggest?  

A couple of additional questions:

1. Can we use the cross-over cable to connect the two firewalls directly and use it as a fail-over link?
2.  In regard to "At this point your ASA are now in active standby and it is time to configure the interfaces
You just need to do this now on the active ASA"

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 64.1.1.1 255.255.255.0 standby 64.1.1.2

Can you please clarify what is the process when active ASA goes down and standby takes over? Will the above 64.1.1.2 become 64.1.1.1 (the one that primary ASA had)?

I am sorry for all the questions.

Thanks again,

Zeke
0
 
Zeke2016 (Author) commented:
This is great information. Thank you very much for your answer and patience with all of my questions. I should be good to go for now.
0
 
Zeke2016 (Author) commented:
Ffleisma provided a very detailed answer. I am very happy with the answer.
0