ASA config for failover PRIMARY UNIT:
!– enables failover interface
ASA1(config)#inte et0/3
ASA1(config-if)# no shut
ASA1(config)# int e0/0
ASA1(config)# nameif outside
ASA1(config)# ip address 150.10.0.13 255.255.255.0 standby 150.10.0.14
ASA1(config)# no shut
ASA1(config)# nameif outside
ASA1(config)# ip address 150.10.0.13 255.255.255.0 standby 150.10.0.14
ASA1(config)# no shut
ASA1(config)# int e0/1
ASA1(config)# nameif inside
ASA1(config)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1(config)# no shut
ASA1(config)# exit
ASA1(config)# nameif inside
ASA1(config)# ip address 10.0.0.13 255.255.255.0 standby 10.0.0.14
ASA1(config)# no shut
ASA1(config)# exit
!– enables rip routing protocol
ASA1(config)# router rip
ASA1(config-router)# ver 2
ASA1(config-router)# network 10.0.0.0
ASA1(config-router)# ver 2
ASA1(config-router)# network 10.0.0.0
ASA1(config-router)# network 150.10.0.0
ASA1(config-router)# no auto-summary
ASA1(config-router)# exit
ASA1(config-router)# no auto-summary
ASA1(config-router)# exit
!– default nat to permit inside to outside traffic
ASA1(config)# object net ANY-INSIDE
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# exit!– permit icmp for testing
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config-network-object)# exit!– permit icmp for testing
ASA1(config)# access-list OUT-IN permit icmp any any echo-reply
ASA1(config)# access-group OUT-IN in interface outside
ASA1(config)# access-group OUT-IN in interface outside
!– Failover commands
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER-INT et0/3
ASA1(config)# failover link FAILOVER-INT e0/3
ASA1(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA1(config)# failoverASA1(config)# monitor-interface outside
ASA1(config)# monitor-interface inside
ASA1(config)# failover lan interface FAILOVER-INT et0/3
ASA1(config)# failover link FAILOVER-INT e0/3
ASA1(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA1(config)# failoverASA1(config)# monitor-interface outside
ASA1(config)# monitor-interface inside
ASA1(config)# failover polltime unit msec 200 holdtime msec 800
ASA1(config)# failover polltime interface msec 500 holdtime 5
ASA1(config)# failover interface-policy 1
Failover commands SECONDARY UNIT
ASA2(config)# int e0/3
ASA2(config-if)# no shut
ASA2(config-if)# exitASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER-INT e0/3
ASA2(config)# failover link FAILOVER-INT e0/3
ASA2(config-if)# no shut
ASA2(config-if)# exitASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER-INT e0/3
ASA2(config)# failover link FAILOVER-INT e0/3
ASA2(config)# failover interface ip FAILOVER-INT 1.1.1.13 255.255.255.0 standby 1.1.1.14
ASA2(config)# failover************WARNING****WARNING****WARNING********************************
Mate version 8.4(5) is not identical with ours 8.4(6)
************WARNING****WARNING****WARNING********************************
Mate version 8.4(5) is not identical with ours 8.4(6)
************WARNING****WARNING****WARNING********************************
ASA1# sh failover state State Last Failure Reason Date/Time
This host – Primary
Active None
Other host – Secondary
Standby Ready Comm Failure 14:33:36 UTC Sep 6 2013
This host – Primary
Active None
Other host – Secondary
Standby Ready Comm Failure 14:33:36 UTC Sep 6 2013
This shows that failover link commands was not entered. Once command is entered like this:
ASA1(config)# failover link FAILOVER-INT et0/3
everything looks good:
ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-INT Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(5), Mate 8.4(6)
Last Failover at: 14:33:20 UTC Sep 6 2013
This host: Primary – Active
Active time: 1005 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Monitored)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(6)) status (Up Sys)
Interface outside (150.10.0.14): Normal (Monitored)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: emptyStateful Failover Logical Update Statistics
Link : FAILOVER-INT Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 11 0 10 0
sys cmd 10 0 10 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-INT Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(5), Mate 8.4(6)
Last Failover at: 14:33:20 UTC Sep 6 2013
This host: Primary – Active
Active time: 1005 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Monitored)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(6)) status (Up Sys)
Interface outside (150.10.0.14): Normal (Monitored)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: emptyStateful Failover Logical Update Statistics
Link : FAILOVER-INT Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 11 0 10 0
sys cmd 10 0 10 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 10
Xmit Q: 0 25 108
ASA1#
************WARNING****WARNING****WARNING********************************
Mate version 8.4(6) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING*****************************
!– You can run commands on standby unit by issuing:
ASA1# failover exec standby show run router rip
router rip
network 136.1.0.0
version 2
no auto-summary
ASA1#
router rip
network 136.1.0.0
version 2
no auto-summary
ASA1#
!– once you establish connection thru ASA, check connections on primary and standby. This show that statefull tracking is happening.
ASA1# sh conn
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:00:01, bytes 67, flags UIO
ASA1#
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:00:01, bytes 67, flags UIO
ASA1#
ASA1# failover exec standby show conn
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:01:07, bytes 67, flags UIO
ASA1#
11 in use, 13 most used
TCP outside 150.10.0.2:23 inside 10.0.0.1:38081, idle 0:01:07, bytes 67, flags UIO
ASA1#
!– When you shut down switch interface where primary outside interface is connected to, the switchover happens:
ASA1(config)#
Switching to Standby
Switching to Standby
!– Check failover status on secondary unit:
ASA1# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Last Failover at: 16:10:44 UTC Sep 9 2013
This host: Secondary – Active
Active time: 117 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Waiting)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Primary – Failed
Active time: 844 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (150.10.0.14): No Link (Waiting)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: emptyStateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 76 0 82 0
sys cmd 75 0 75 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1 0 4 0
UDP conn 0 0 0 0
ARP tbl 0 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.4(3), Mate 8.4(5)
Last Failover at: 16:10:44 UTC Sep 9 2013
This host: Secondary – Active
Active time: 117 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(3)) status (Up Sys)
Interface outside (150.10.0.13): Normal (Waiting)
Interface inside (10.0.0.13): Normal (Monitored)
slot 1: empty
Other host: Primary – Failed
Active time: 844 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (150.10.0.14): No Link (Waiting)
Interface inside (10.0.0.14): Normal (Monitored)
slot 1: emptyStateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 76 0 82 0
sys cmd 75 0 75 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1 0 4 0
UDP conn 0 0 0 0
ARP tbl 0 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 5 648
Xmit Q: 0 1 188
ASA1#
A bit of theory:
In failover, one firewall unit is designated as primary and the other as secondary. Initially, the primary unit is active and the secondary is standby. Only one unit is active and forwards traffic at any given time, while the other remains in standby mode. When the active unit fails, the standby assumes the role of the active unit by taking its IP/MAC addresses. The unit still remains known as the “secondary” unit, but it operates in an “active” mode. Failover is available in both transparent firewall and routed firewall modes.
The firewall supports two types of failover: stateful and regular. During the regular failover process, the states of the currently active sessions, which include NAT translations, etc., are not copied between the active and standby units. After a failover, users must re-initiate their connections. Stateful failover preserves all connection states during a failover, making the switchover process nearly seamless from the end user perspective. The configurations of both units are kept synchronized at all times, because the commands from the active unit are always replicated to the standby
! Configure ip address for interfaces, this is done only on primary unit.
int g0/0
ip address 150.10.0.13 255.255.255.0 standby 150.10.0.14
! Configure failover settings
!
!- to designates the primary/secondary unit
failover lan unit primary
!– to configure a failover link
failover lan interface FAILOVER GigabitEthernet0/23
!– to enable stateful failover mode (default failover mode is stateless)
failover link FAILOVER GigabitEthernet0/3
!– to assign an IP addresses to the failover interface, same command entered on the secondary unit as well. Primary and secondary unit should have different ip addresses. This command is entered for primary and secondary units at the same time when configuring active unit.
failover interface ip FAILOVER 1.1.1.13 255.255.255.0 standby 1.1.1.14
!– required to activate the failover configuration
failover ! Configure interface monitoring and failover policy
failover ! Configure interface monitoring and failover policy
monitor-interface outside
monitor-interface inside! Setup unit & interface polling using minimum values available
monitor-interface inside! Setup unit & interface polling using minimum values available
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover interface-policy 1
Failover occurs under three general conditions:1. The active unit detects system health issues (software, hardware or power failure).
In this case the active unit become a standby and secondary become
primary unit immediatelly.
2. The standby unit detects loss of contact with the active unit across the failover interface.
Both units constantly send keepalive message to each other across the failover link. If the standby unit loses 3 consecutive keepalives, it will try to restore contact with the active unit. The standby unit will broadcast ARP requests out of all interfaces, asking for the IP address of the active unit. If it receives the ARP response on the failover link, nothing changes. If the response is only received on the non-failover link, the standby unit marks the failover link as non-functional but does not fail over. Manual intervention is required to fix the problem. If no response is received on any interface, the standby unit fails over.
3. The active unit detects loss of the monitored interfaces above the configured threshold.
By default, when interface monitoring is enabled, every single physical interface failure would force the active unit to give its role to the standby. In the most simple case, if the unit detects loss of carrier on the interface, it immediately declares the interface to be down. To account for more complex cases, interface monitoring is performed by sending and receiving keepalive packets to the standby unit. If the active unity does not receive any hello packets for the duration of half of the hold-interval, it will attempt to count packets on the monitored interface to see if any traffic enters the interface. If this does not succeed, the unit will attempt to send ARP requests for known destinations to provoke some responses and see if this generates traffic. If all attempts to generate a receive traffic fails, the unit will initiate failover.
By default, the firewall monitors all physical interfaces with IP addresses assigned. At the same time, sub-interfaces are not monitored by default. With default settings, any interface failure will trigger failover.
ccienumberwanted 