Configuring ASA in Multi Mode, Active/Active

In the system context on the primary unit, enable the physical interfaces (no shut), create the subinterfaces, assign each subinterface to its VLAN and bring it up.
Then create the contexts and allocate interfaces to them, enter the failover commands, create the failover groups (primary/secondary preference, preempt, interface policy and poll time) and, still in the system context, join each context to the correct failover group. Finally activate failover from configuration mode.

On the switch, configure the ports facing the outside and inside interfaces as trunks allowing the correct VLANs.

Then switch to context 1 and configure interface names, IP addresses, objects, NAT, access lists and interface monitoring.

Then switch to context 2 and do the same.

On the secondary unit enter only the failover commands (the same ones as on the primary), bring up the failover interface and activate failover; everything else is replicated from the active unit.

!– Change ASA mode from single to multi on both units
ASA1(config)# mode multi
ASA2(config)# mode multi

!– Check out the warning messages:

WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot

Proceed with change mode? [confirm]
Convert the system configuration? [confirm]

The old running configuration file will be written to flash
Converting the configuration – this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple

!– In the system context on the primary firewall, enable the physical interfaces, create the subinterfaces, create the contexts, allocate interfaces to them and make CTX1 the admin context.

ASA1(config)# int et0/0
ASA1(config-if)# no shut
ASA1(config-if)# int eth0/1
ASA1(config-if)# no shut
ASA1(config-if)# int et0/3
ASA1(config-if)# no shut
ASA1(config-if)# int eth0/1.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# no shut
ASA1(config-subif)# int eth0/1.13
ASA1(config-subif)# vlan 13
ASA1(config-subif)# no shut
ASA1(config)# context CTX1

Creating context ‘CTX1’… Done. (3)
ASA1(config-ctx)# description == CTX1 ==
ASA1(config-ctx)# allocate-interface eth0/1.11
ASA1(config-ctx)# allocate-interface et0/0
ASA1(config-ctx)# config-url disk0:/CTX1-ActiveActive.cfg

!– dedicate CTX1 as admin context
ASA1(config)# admin-context CTX1
ASA1(config)# context CTX2

Creating context ‘CTX2’… Done. (3)

ASA1(config-ctx)# description == CTX2 ==
ASA1(config-ctx)# allocate-interface eth0/0
ASA1(config-ctx)# allocate-interface eth0/1.13
ASA1(config-ctx)# config-url disk0:/CTX2-ActiveActive.cfg
ASA1(config-ctx)#

!– Switch to CTX1 and configure it: interface names and IP addresses (nameif inside sets security-level 100 automatically, any other name gets 0), a dynamic PAT for basic inside-to-outside communication, a basic ACL that lets the ping replies back in, and interface monitoring as requested:

ASA1(config)# changeto context CTX1
ASA1/CTX1(config)# int eth0/1.11
ASA1/CTX1(config-if)# nameif inside
ASA1/CTX1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config-if)# int eth0/0
ASA1/CTX1(config-if)# nameif outside
ASA1/CTX1(config-if)# ip address 150.50.0.13 255.255.255.0 standby 150.50.0.14
ASA1/CTX1(config-if)# no shut
ASA1/CTX1(config-if)# object network inside
ASA1/CTX1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1/CTX1(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX1(config-network-object)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX1(config)# access-group OUTSIDE-IN in int outside
ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# no monitor-interface outside

!– Switch to CTX2 and configure it the same way: interface names and IP addresses, dynamic PAT for basic inside-to-outside communication, a basic ACL that lets the ping replies back in, and interface monitoring as requested:

ASA1/CTX1# changeto context CTX2
ASA1/CTX2(config)# int eth0/0
ASA1/CTX2(config-if)# nameif outside
ASA1/CTX2(config-if)# ip address 150.50.0.31 255.255.255.0 standby 150.50.0.41
ASA1/CTX2(config-if)# no shut
ASA1/CTX2(config-if)# int eth0/1.13
ASA1/CTX2(config-if)# nameif inside
ASA1/CTX2(config-if)# ip address 10.0.1.13 255.255.255.0 standby 10.0.1.14
ASA1/CTX2(config-if)# no shut
ASA1/CTX2(config-if)# object network inside
ASA1/CTX2(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1/CTX2(config-network-object)# nat (inside,outside) dynamic interface
ASA1/CTX2(config-network-object)# access-list OUTSIDE-IN permit icmp any any echo-reply
ASA1/CTX2(config)# access-group OUTSIDE-IN in int outside
ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# no monitor-interface outside
ASA1/CTX2(config)#

!– Back in the system context on the primary firewall, enter the failover commands (this unit is primary), create the failover groups, join the contexts to them and activate failover. The admin context is always a member of failover group 1, and so is any context that is not explicitly joined to a group:

ASA1/CTX2# changeto system
ASA1(config)# int eth0/3
ASA1(config-if)# no shut
ASA1(config-if)# failover lan unit primary
ASA1(config)# failover lan interface FAIL eth0/3
ASA1(config)# failover link FAIL eth0/3
ASA1(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5
ASA1(config-fover-group)# exit

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt
ASA1(config-fover-group)# interface-policy 1
ASA1(config-fover-group)# polltime interface msec 500 holdtime 5
ASA1(config-fover-group)# exit
ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# context CTX2
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit

ASA1(config)# failover

!– On the secondary firewall, bring up the failover interface and enter the failover commands (this unit is secondary).
!– Only these few commands are needed; every other configuration detail, including the contexts, is replicated from the active unit over the failover link.

ASA2(config)# int eth0/3
ASA2(config)# no shut
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAIL eth0/3
ASA2(config)# failover link FAIL eth0/3
ASA2(config)# failover interface ip FAIL 1.1.1.1 255.255.255.0 standby 1.1.1.2

!– Activate failover
ASA2(config)# failover

How to verify:

!– show failover in the system context. The hostname is part of the replicated configuration, so the prompt reads ASA1 on both boxes; the "Failover unit" line tells you which physical unit you are on (this capture was taken on the secondary):
ASA1(config)# sh failover

Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Group 1 last failover at: 14:47:42 UTC Sep 11 2013
Group 2 last failover at: 14:47:55 UTC Sep 11 2013

This host:    Secondary
Group 1       State:          Standby Ready
              Active time:    0 (sec)
Group 2       State:          Active
              Active time:    113 (sec)
  slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
  CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
  CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
  CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
  CTX2 Interface inside (10.0.1.13): Unknown (Waiting)
  slot 1: empty

Other host:   Primary
Group 1       State:          Active
              Active time:    388 (sec)
Group 2       State:          Standby Ready
              Active time:    274 (sec)
  slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
  CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
  CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
  CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
  CTX2 Interface inside (10.0.1.14): Unknown (Waiting)
  slot 1: empty

Stateful Failover Logical Update Statistics
Link : FAIL Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         16         0          18         0
sys cmd         16         0          16         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          0          0
UDP conn        0          0          0          0
ARP tbl         0          0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   0          0          2          0

Logical Update Queue Information
                Cur     Max     Total
Recv Q:         0       1       18
Xmit Q:         0       1       16
ASA1(config)#

!– To test the failover group, open a telnet session or a ping through the firewall, then check the interface state inside the context:
ASA1/CTX1# show monitor-interface

!– Force a switchover of group 1 by filtering vlan 11 (CTX1 inside, which is monitored) on the switch trunk; outside is not monitored, so a failure there would not trigger a switchover:
Switch(config-if)# switchport trunk allowed vlan remove 11

!– Once vlan 11 is allowed again, the inside interface recovers and the original primary unit takes group 1 back, because it is configured as primary for that group with preempt. The console shows:
ASA1#
Group 1 preempt mate

Configuring failover on ASA version 8.4 and up

ASA config for failover PRIMARY UNIT:
!– enable the failover interface
ASA1(config)# int et0/3
ASA1(config-if)# no shut
!– data interfaces with active and standby addresses
ASA1(config-if)# int e0/0
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 150.10.0.13 255.255.255.0 standby 150.10.0.14
ASA1(config-if)# no shut
ASA1(config-if)# int e0/1
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1(config-if)# no shut
ASA1(config-if)# exit
!– enable the RIP routing protocol
ASA1(config)# router rip
ASA1(config-router)# ver 2
ASA1(config-router)# network 10.0.0.0
ASA1(config-router)# network 150.10.0.0
ASA1(config-router)# no auto-summary
ASA1(config-router)# exit
!– default NAT to permit inside-to-outside traffic
ASA1(config)# object net ANY-INSIDE
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# exit
!– permit icmp echo replies for testing
ASA1(config)# access-list OUT-IN permit icmp any any echo-reply
ASA1(config)# access-group OUT-IN in interface outside
!– failover commands
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER-INT et0/3
ASA1(config)# failover link FAILOVER-INT e0/3
ASA1(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA1(config)# failover
!– interface monitoring and failover policy
ASA1(config)# monitor-interface outside
ASA1(config)# monitor-interface inside

ASA1(config)# failover polltime unit msec 200 holdtime msec 800
ASA1(config)# failover polltime interface msec 500 holdtime 5
ASA1(config)# failover interface-policy 1

Failover commands SECONDARY UNIT
ASA2(config)# int e0/3
ASA2(config-if)# no shut
ASA2(config-if)# exit
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER-INT e0/3
ASA2(config)# failover link FAILOVER-INT e0/3

ASA2(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA2(config)# failover
************WARNING****WARNING****WARNING********************************
Mate version 8.4(5) is not identical with ours 8.4(6)
************WARNING****WARNING****WARNING********************************

!– The two lab units run different maintenance releases, hence the warning. A version mismatch in a failover pair is only supported transiently, during a zero-downtime upgrade; in production keep both units on the same image, otherwise configuration replication and stateful failover are not guaranteed to work.

ASA1# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             14:33:36 UTC Sep 6 2013

The "Comm Failure" reason shows that the failover link command had not been entered yet. Once it is entered, like this:
ASA1(config)# failover link FAILOVER-INT et0/3

everything looks good:
ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-INT Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(5), Mate 8.4(6)
Last Failover at: 14:33:20 UTC Sep 6 2013
This host: Primary – Active
Active time: 1005 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Monitored)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(6)) status (Up Sys)
Interface outside (150.10.0.14): Normal (Monitored)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : FAILOVER-INT Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         11         0          10         0
sys cmd         10         0          10         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          0          0
UDP conn        0          0          0          0
ARP tbl         0          0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    0          0          0          0
VPN IKEv1 P2    0          0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   1          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       2       10
Xmit Q:         0       25      108
ASA1#
************WARNING****WARNING****WARNING********************************
Mate version 8.4(6) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING*****************************

!– You can run commands on the standby unit from the active one with failover exec:
ASA1# failover exec standby show run router rip
router rip
network 136.1.0.0
version 2
no auto-summary
ASA1#
!– Once you establish a connection through the ASA, check the connection table on the primary and on the standby. The same entry on both units shows that stateful connection replication is happening:
ASA1# sh conn
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:00:01, bytes 67, flags UIO
ASA1#
ASA1# failover exec standby show conn
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:01:07, bytes 67, flags UIO
ASA1#
!– When you shut down the switch port that the primary unit's outside interface is connected to, the switchover happens:
ASA1(config)#
Switching to Standby
!– Check the failover status on the secondary unit, which is now active (the prompt still reads ASA1 because the hostname is replicated):
ASA1# sh failover 
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Last Failover at: 16:10:44 UTC Sep 9 2013
This host: Secondary – Active
Active time: 117 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Waiting)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Primary – Failed
Active time: 844 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
 Interface outside (150.10.0.14): No Link (Waiting)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         76         0          82         0
sys cmd         75         0          75         0
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        1          0          4          0
UDP conn        0          0          0          0
ARP tbl         0          0          2          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    0          0          0          0
VPN IKEv1 P2    0          0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0
Route Session   0          0          0          0
User-Identity   0          0          1          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       5       648
Xmit Q:         0       1       188
ASA1#
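Reading these show failover captures by eye is error-prone, and the same questions come up every time: is failover on, do the versions match, is exactly one unit active per group, and is any monitored interface stuck in Waiting, Unknown, No Link or Failed. The following Python script is an added example, not part of the original page and not Cisco tooling; it parses both the multi-context output shown under "How to verify" above and the single-mode outputs in this section, and reports those findings. The two sample outputs embedded in it are constructed to mirror the page's captures (interface names, addresses and versions are taken from the page; the text is not a real capture), and a real run would feed it the output of show failover collected over SSH.

```python
import re

# Constructed samples modelled on the page's "show failover" outputs (not real captures).
SINGLE_MODE_SAMPLE = """\
Failover On
Failover unit Secondary
Version: Ours 8.4(3), Mate 8.4(5)
This host: Secondary - Active
Interface outside (150.10.0.13): Normal (Waiting)
Interface inside (10.0.0.13): Normal (Monitored)
Other host: Primary - Failed
Interface outside (150.10.0.14): No Link (Waiting)
Interface inside (10.0.0.14): Normal (Monitored)
Stateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
"""

MULTI_MODE_SAMPLE = """\
Failover On
Failover unit Secondary
Version: Ours 8.4(3), Mate 8.4(5)
This host:    Secondary
Group 1       State:          Standby Ready
Group 2       State:          Active
CTX1 Interface outside (150.50.0.14): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.14): Unknown (Waiting)
CTX2 Interface outside (150.50.0.31): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.13): Normal (Monitored)
Other host:   Primary
Group 1       State:          Active
Group 2       State:          Standby Ready
CTX1 Interface outside (150.50.0.13): Normal (Not-Monitored)
CTX1 Interface inside (10.0.0.13): Unknown (Waiting)
CTX2 Interface outside (150.50.0.41): Normal (Not-Monitored)
CTX2 Interface inside (10.0.1.14): Normal (Monitored)
"""

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)(?:\s*[-\u2013]\s*(.+))?$")
GROUP_RE = re.compile(r"^Group (\d+)\s+State:\s+(.+?)$")
IFACE_RE = re.compile(r"^(?:(\S+)\s+)?Interface (\S+) \(([\d.]+)\): (.+?) \((.+?)\)$")

def parse_show_failover(text):
    """Parse single- or multi-context 'show failover' output into a dict."""
    result = {"failover_on": None, "unit": None, "versions": None, "hosts": {}}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            result["failover_on"] = line == "Failover On"
            continue
        if line.startswith("Failover unit "):
            result["unit"] = line.split()[-1]
            continue
        m = VERSION_RE.match(line)
        if m:
            result["versions"] = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:  # single mode carries the state on this line; multi mode lists one per group below
            host = {"role": m.group(2), "state": m.group(3), "groups": {}, "interfaces": []}
            result["hosts"][m.group(1).lower()] = host
            continue
        if host is None:
            continue
        m = GROUP_RE.match(line)
        if m:
            host["groups"][int(m.group(1))] = m.group(2).strip()
            continue
        m = IFACE_RE.match(line)
        if m:  # optional context name prefix (multi mode), nameif, IP, status, monitoring state
            host["interfaces"].append({"context": m.group(1), "name": m.group(2),
                                       "ip": m.group(3), "status": m.group(4), "monitor": m.group(5)})
    return result

def _states(host):
    # multi mode reports one state per failover group, single mode one per unit (key 0)
    return host["groups"] or {0: host["state"]}

def health_findings(parsed):
    """Return human-readable problems; an empty list means the pair looks healthy."""
    findings = []
    if parsed["failover_on"] is not True:
        findings.append("failover is not enabled")
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    for which, host in parsed["hosts"].items():
        label = "%s host (%s)" % (which, host["role"])
        for g, state in _states(host).items():
            if state not in ("Active", "Standby Ready"):
                findings.append("%s: %s state %s" % (label, "group %d" % g if g else "unit", state))
        for i in host["interfaces"]:
            if i["monitor"] == "Not-Monitored":
                continue  # excluded with 'no monitor-interface': cannot trigger failover
            if i["status"] != "Normal" or i["monitor"] != "Monitored":
                ctx = i["context"] + "/" if i["context"] else ""
                findings.append("%s: %s%s (%s) %s (%s)" % (label, ctx, i["name"], i["ip"], i["status"], i["monitor"]))
    this, other = parsed["hosts"].get("this"), parsed["hosts"].get("other")
    if this and other:  # exactly one unit must be active per group (per unit in single mode)
        for g in sorted(set(_states(this)) | set(_states(other))):
            active = [h["role"] for h in (this, other) if _states(h).get(g) == "Active"]
            if len(active) != 1:
                findings.append("%s: %d active units" % ("group %d" % g if g else "unit", len(active)))
    return findings

if __name__ == "__main__":
    for name, sample in (("single mode", SINGLE_MODE_SAMPLE), ("multi mode", MULTI_MODE_SAMPLE)):
        print(name)
        for f in health_findings(parse_show_failover(sample)):
            print("  -", f)
```

Interfaces reported as Not-Monitored are deliberately skipped: the lab excluded outside with no monitor-interface, so a problem there will never cause a switchover and should be alerted on separately, not confused with a failover condition.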

A bit of theory:

In failover, one firewall unit is designated as primary and the other as secondary. Initially, the primary unit is active and the secondary is standby. Only one unit is active and forwards traffic at any given time, while the other remains in standby mode. When the active unit fails, the standby assumes the role of the active unit by taking its IP/MAC addresses. The unit still remains known as the “secondary” unit, but it operates in an “active” mode. Failover is available in both transparent firewall and routed firewall modes.

The firewall supports two types of failover: stateful and regular. During the regular failover process, the states of the currently active sessions, which include NAT translations, etc., are not copied between the active and standby units. After a failover, users must re-initiate their connections. Stateful failover preserves all connection states during a failover, making the switchover process nearly seamless from the end user perspective. The configurations of both units are kept synchronized at all times, because the commands from the active unit are always replicated to the standby.

! Configure IP addresses for the interfaces. This is done only on the active (primary) unit; it is replicated to the standby.
int g0/0
     ip address 150.10.0.13 255.255.255.0 standby 150.10.0.14
! Configure failover settings
!
!– designate this unit as primary (secondary on the other unit)
failover lan unit primary
!– configure the failover link
failover lan interface FAILOVER GigabitEthernet0/3
!– configure the stateful failover link; here it shares the failover link (without this command failover is stateless)
failover link FAILOVER GigabitEthernet0/3
!– assign IP addresses to the failover interface. The same command, with the same active and standby addresses, is entered on both units; the primary uses the first address and the secondary the standby address. Enter it on the secondary before enabling failover there, because it is one of the few commands that is not replicated.
failover interface ip FAILOVER 1.1.1.13 255.255.255.0 standby 1.1.1.14
!– required to activate the failover configuration
failover
! Configure interface monitoring and failover policy
monitor-interface outside
monitor-interface inside
! Set up unit and interface polling using the minimum values available
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5

failover interface-policy 1

Failover occurs under three general conditions:

1. The active unit detects a system health issue (software, hardware or power failure).
   In this case the active unit gives up its role immediately and the standby unit becomes active (it is still known as the "secondary" unit, now operating in active mode).

2. The standby unit detects loss of contact with the active unit across the failover interface.
   Both units constantly send keepalive messages to each other across the failover link. If the standby unit loses 3 consecutive keepalives, it tries to restore contact with the active unit: it sends ARP requests out of all interfaces, asking for the IP addresses of the active unit. If it receives the ARP response on the failover link, nothing changes. If the response is only received on a non-failover interface, the standby unit marks the failover link as non-functional but does not fail over; manual intervention is required to fix the problem. If no response is received on any interface, the standby unit fails over.

3. The active unit detects loss of monitored interfaces above the configured threshold (failover interface-policy).
   By default, when interface monitoring is enabled, every single physical interface failure forces the active unit to give its role to the standby. In the simplest case, if the unit detects loss of carrier on the interface, it immediately declares the interface down. To account for more complex cases, interface monitoring is performed by exchanging hello packets with the peer unit on each monitored interface. If the active unit does not receive any hello packets for half of the hold interval, it counts packets on the monitored interface to see whether any traffic enters the interface. If that does not succeed, the unit sends ARP requests for known destinations to provoke some responses and see whether this generates traffic. If all attempts to generate received traffic fail, the unit initiates failover.

By default, the firewall monitors all physical interfaces with IP addresses assigned; subinterfaces are not monitored by default. With default settings (interface-policy 1), any monitored interface failure triggers failover.
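The third condition is the one the lab exercised: which interfaces count, how an interface is declared failed, and how interface-policy turns failed interfaces into a switchover decision. The Python model below is an added example written for this page; it is not ASA code and simplifies the real state machine (it has no Waiting/Testing timers), but it encodes exactly the rules described above: subinterfaces are not monitored unless monitor-interface says so, loss of carrier fails an interface immediately, otherwise the hello/packet-counter/ARP sequence decides, and interface-policy is evaluated as a count or as a percentage of monitored interfaces. The scenarios at the end are constructed to mirror the lab, where CTX1's inside subinterface was monitored and outside was explicitly excluded.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Iface:
    name: str                      # nameif
    physical: bool                 # False for a subinterface such as eth0/1.11
    has_ip: bool = True
    monitor: Optional[bool] = None  # True/False if monitor-interface / no monitor-interface was entered
    link_up: bool = True
    hello_seen: bool = True        # hello from the peer received within half the hold interval
    rx_packets: int = 0            # packets received while the interface is being tested
    arp_reply: bool = False        # a known destination answered the ARP probes during the test

def is_monitored(i):
    """ASA default: physical interfaces with an IP are monitored, subinterfaces are not,
    unless monitor-interface / no monitor-interface was configured explicitly."""
    if i.monitor is not None:
        return i.monitor
    return i.physical and i.has_ip

def interface_status(i):
    """The interface test described above, in order: carrier, hellos, packet counters, ARP probe."""
    if not i.link_up:
        return "Failed"      # loss of carrier is declared immediately
    if i.hello_seen:
        return "Normal"
    if i.rx_packets > 0:
        return "Normal"      # no hellos, but other traffic still enters the interface
    if i.arp_reply:
        return "Normal"      # ARP requests for known destinations provoked a response
    return "Failed"          # nothing could be received on the interface

def policy_threshold(policy, monitored_count):
    """'failover interface-policy N' is a count; 'N%' is a share of the monitored interfaces."""
    if policy.endswith("%"):
        return max(1, math.ceil(monitored_count * int(policy[:-1]) / 100))
    return int(policy)

def should_fail_over(ifaces, policy="1"):
    """Return (decision, names of failed monitored interfaces) for the active unit."""
    monitored = [i for i in ifaces if is_monitored(i)]
    failed = [i.name for i in monitored if interface_status(i) == "Failed"]
    return len(failed) >= policy_threshold(policy, len(monitored)), failed

def lab_scenarios():
    """Constructed scenarios mirroring the lab: inside is a monitored subinterface,
    outside is a physical interface excluded with 'no monitor-interface'."""
    outside_down = [
        Iface("outside", physical=True, monitor=False, link_up=False),
        Iface("inside", physical=False, monitor=True),
    ]
    # vlan 11 removed from the trunk: no hellos, no traffic and no ARP replies on inside
    vlan11_removed = [
        Iface("outside", physical=True, monitor=False),
        Iface("inside", physical=False, monitor=True, hello_seen=False),
    ]
    # same failure with two more monitored physical interfaces and a percentage policy
    extra = [Iface("dmz", physical=True), Iface("mgmt", physical=True)]
    return {
        "outside link down": should_fail_over(outside_down),
        "vlan 11 removed": should_fail_over(vlan11_removed),
        "vlan 11 removed, policy 50%": should_fail_over(vlan11_removed + extra, "50%"),
    }

if __name__ == "__main__":
    for name, (decision, failed) in lab_scenarios().items():
        print("%-30s failover=%s failed=%s" % (name, decision, failed))
```

The first scenario is the caveat worth remembering from the lab: with no monitor-interface outside, a dead outside link on the active unit does not cause a switchover at all, which is why the switchover was forced on vlan 11 (inside) instead.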