2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Cisco ASA Failover deployment (Active/Standby)
Failover
Failover is a high-availability technology for Cisco firewalls: when a firewall fails, operation is transferred to another device within seconds, keeping the network up and providing device-level redundancy.
How it works:
The two devices are of the same model (hardware model, memory, interfaces, etc.) and are connected to each other over a dedicated link (this connection is also called the heartbeat). The two devices are divided into the Active device (Primary) and the Standby device (Secondary); this form of redundancy is also called A/S mode. The active unit handles traffic, while the standby unit stays in standby state and monitors in real time whether the active unit is healthy. When the active unit fails (an interface goes down, the device loses power), the standby unit takes over immediately and assumes the Active role.
Once Failover is enabled, the Primary device synchronizes its configuration file to the Secondary device. From that point on, no configuration may be added on the Secondary; all configuration must be done on the Active unit. When managing a Failover pair remotely, make sure you are always logged in to the active device; you can check which physical unit you are logged in to with the show failover command. At present, enabling failover does not synchronize all state information; for example, NAT translations have to be rebuilt.
The topology is as follows:
Configuration:
To implement failover, the two devices must meet the following conditions:
1. Same device model and hardware configuration: modules, interface types, number of interfaces, CPU, memory, flash, etc.
2. Same software version; here this means the IOS version of the ASA, which must be 7.0 or higher.
3. Same firewall mode: both in routed mode or both in transparent mode.
4. Same feature set, for example whether the supported encryption is DES or 3DES.
5. Appropriate licensing: the licenses of the two devices meet the basic requirements and both support the same failover.
Master-FW device configuration:
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.0 standby 209.165.201.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
interface GigabitEthernet0/2
 description STATE Failover Interface
interface GigabitEthernet0/3
 description LAN Failover Interface
! enable the failover feature
failover
! define this device's role as primary
failover lan unit primary
! define the LAN failover (heartbeat) communication interface
failover lan interface Lan GigabitEthernet0/3
! send a unit hello every 200 ms; declare the peer failed after 1 second without a reply
failover polltime unit msec 200 holdtime 1
! send an interface hello every 3 seconds; declare the interface failed after 15 seconds
failover polltime interface 3 holdtime 15
! shared key between the two units, which serves as authentication (the actual key is masked as *)
failover key *
! define the stateful failover link
failover link STATE GigabitEthernet0/2
! active and standby addresses of the LAN failover interface
failover interface ip Lan 172.16.1.1 255.255.255.0 standby 172.16.1.2
! active and standby addresses of the STATE failover interface
failover interface ip STATE 172.16.2.1 255.255.255.0 standby 172.16.2.2
Backup-FW device configuration:
! enable the failover feature
failover
! define this device's role as secondary (backup)
failover lan unit secondary
! define the LAN failover (heartbeat) communication interface
failover lan interface Lan GigabitEthernet0/3
! send a unit hello every 200 ms; declare the peer failed after 1 second without a reply
failover polltime unit msec 200 holdtime 1
! send an interface hello every 3 seconds; declare the interface failed after 15 seconds
failover polltime interface 3 holdtime 15
! shared key between the two units, which serves as authentication (the actual key is masked as *)
failover key *
! define the stateful failover link
failover link STATE GigabitEthernet0/2
! active and standby addresses of the LAN failover interface (same command on both units)
failover interface ip Lan 172.16.1.1 255.255.255.0 standby 172.16.1.2
! active and standby addresses of the STATE failover interface
failover interface ip STATE 172.16.2.1 255.255.255.0 standby 172.16.2.2
Note: after the primary and secondary have been configured, restart the firewalls so that the configuration is synchronized from the primary to the secondary (you only need to configure the primary; its configuration is copied to the secondary).
Failover triggers:
Having looked into what the firewall actually monitors (it switches from the active to the standby unit when the check fails), I later learned that the detection target on Cisco devices differs from that of Shanshi and Juniper: the device detects failures automatically, without any manual configuration:
- a hardware failure or power failure of the device
- a software failure on the device
- too many monitored interfaces fail (the threshold can be changed with the failover interface-policy command, as a number of ports or a percentage of failed ports)
- the no failover active command is run on the active device, or failover active is run on the standby device
Note: an interface (such as the Mgt port) cannot be excluded from the failover trigger, and you cannot simulate a failure by running shutdown on the device's uplink or downlink interfaces (the command is synchronized to the secondary unit, so no failover occurs). A failover can only be triggered by unplugging the network cable or by a hardware failure.
Common commands:
show failover state       ! view the failover working state of the device
show monitor-interface    ! view the monitoring state of the interfaces
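As an added example (not from the original article), a small Python check that parses the output of show failover and reports the conditions this article warns about: being logged in to the standby unit instead of the active one, a mate that is not Standby Ready, a software version mismatch between the units, a failover LAN (heartbeat) interface that is down, and monitored interfaces that are not Normal. The show failover sample is constructed to match this article's topology, not captured from a device, and the layout assumed is the ASA text format.

```python
import re

# Constructed sample of `show failover` output (not from a real ASA); addresses match this page.
SAMPLE_SHOW_FAILOVER = """\
Failover LAN Interface: Lan GigabitEthernet0/3 (up)
Version: Ours 9.1(2), Mate 9.1(2)
        This host: Primary - Active
                  Interface outside (209.165.201.2): Normal (Monitored)
                  Interface inside (192.168.2.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (209.165.201.3): Normal (Monitored)
                  Interface inside (192.168.2.2): Failed (Monitored)
"""
HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(\S+\): (\w+)(?: \((\w+)\))?")

def parse_show_failover(text):
    """Parse unit roles, interface health and heartbeat-link state from `show failover`."""
    st = {"lan_up": None, "versions": None, "hosts": {}}
    host = None
    for line in text.splitlines():
        if line.startswith("Failover LAN Interface"):
            st["lan_up"] = line.rstrip().endswith("(up)")
        elif line.startswith("Version: Ours"):
            st["versions"] = tuple(p.split()[-1] for p in line.split(","))
        elif m := HOST_RE.match(line):
            host = m.group(1)  # "This" or "Other"
            st["hosts"][host] = {"unit": m.group(2), "state": m.group(3), "ifaces": {}}
        elif host and (m := IFACE_RE.match(line)):
            st["hosts"][host]["ifaces"][m.group(1)] = (m.group(2), m.group(3) == "Monitored")
    return st

def health_findings(st):
    """Problems an operator should act on; an empty list means the pair is healthy."""
    out = []
    if st["lan_up"] is False:
        out.append("failover LAN (heartbeat) interface is down")
    if st["versions"] and st["versions"][0] != st["versions"][1]:
        out.append("software version mismatch: ours %s, mate %s" % st["versions"])
    this, other = st["hosts"].get("This"), st["hosts"].get("Other")
    if this and this["state"] != "Active":  # configuration must be done on the active unit
        out.append("logged in to the %s unit, not the active one" % this["state"])
    if other and other["state"] != "Standby Ready":
        out.append("mate is '%s' and cannot take over" % other["state"])
    for side in (this, other):
        for name, (status, monitored) in (side["ifaces"].items() if side else []):
            if monitored and status != "Normal":
                out.append("%s unit: interface %s is %s" % (side["unit"], name, status))
    return out
```

Run it against the text captured from a terminal session on the unit you are logged in to; anything it returns is a reason to stop configuring until the pair is healthy again.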
© 2024 shulou.com SLNews company. All rights reserved.