Tuesday 16 February 2016

Setting up an active/standby failover with the ASA

For this guide I will be using two of the ASAv 9.21 appliances in an ESXi environment, although the procedure should be very similar on other models such as the ASA5510, 5540 etc.

There are some requirements we must also meet for setting up a failover pair of ASAs.

- Firstly: the two devices should be IDENTICAL, that is, the same model, same number of interfaces, same licenses and so on.

- If you are using ASAvs to create a failover pair you are limited to Active/Standby; you are not able to do an Active/Active setup.

- Ensure you are running exactly the same IOS version on each device, and that the same ASDM image is in flash and configured on each device.

- Obviously all of the physical port setup on ASA1 should be mirrored on ASA2, i.e. if int g0/0 on ASA1 is connected to the GZ LAN switch, so should int g0/0 on ASA2.

For this tutorial I will have a simple topology of two ASAs that are both connected to the inside and outside networks; the topology looks something like the below:

We should now make a backup of the ASA1 config:

copy run flash:/orig_config.cfg

And then set up the interface we will use for failover (management 0/0 in my case):

clear configure interface m0/0
int m0/0
no shut

And configure the inside and outside interfaces:

conf t
int g0/0
nameif inside
duplex full
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
no shut

int g0/1
nameif outside
duplex full
security-level 0
ip address 192.168.240.1 255.255.255.0 standby 192.168.240.2
no shut
exit

We should proceed to set up dynamic NAT for the inside network (10.0.0.0/24):

Pre IOS 8.3:
nat (inside) 1 10.0.0.0 255.255.255.0

and enable the outside interface for NAT:
global (outside) 1 80.90.110.121

On IOS 8.3+:
object network obj-10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface

Now set up ASA1 as the primary unit in the failover pair:

conf t
failover lan unit primary

We should now define the interface that will be used for the failover:

failover lan interface FAILOVER m0/0

Set the failover link IP addresses:

failover interface ip FAILOVER 192.168.5.1 255.255.255.0 standby 192.168.5.2

For security we should also ensure a shared key is set (the key authenticates and encrypts the failover communication between the two units, which is otherwise sent in clear text):

failover key 212121

And then turn on failover:

failover

Now we can activate stateful failover (using the same link as the failover link) and save the changes:

failover link FAILOVER m0/0
write memory

Now that ASA1 is set up, we should proceed to set up ASA2 as follows:

conf t
clear config int m0/0
int m0/0
no shut
exit

and turn on the interface for the failover:

failover lan int FAILOVER m0/0

and set the failover IP addresses (note: although this is the same command we entered on ASA1, this is expected):

failover interface ip FAILOVER 192.168.5.1 255.255.255.0 standby 192.168.5.2

Set the pre-shared key and instruct ASA2 to be the secondary / standby unit:

failover key 212121
failover lan unit secondary

Finally turn on the failover feature:

failover

We can then verify with (on each ASA):

show failover
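As an added example (not part of the original post), the checks you would run by eye on 'show failover' can be scripted: the parser below pulls the unit states, the software versions of both units and the per-interface health, and reports anything that deviates from a healthy Active / Standby Ready pair. The sample output is constructed, modelled on this guide's pair (interface names and addresses from the page; the version string is an assumption).

```python
import re

# Constructed sample of 'show failover' output modelled on the pair in this guide
# (interface names and addresses from the page; version string is assumed).
SAMPLE = """\
Failover On
Failover LAN Interface: FAILOVER Management0/0 (up)
Version: Ours 9.2(1), Mate 9.2(1)
        This host: Primary - Active
                  Interface inside (10.0.0.1): Normal (Monitored)
                  Interface outside (192.168.240.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface inside (10.0.0.2): Normal (Monitored)
                  Interface outside (192.168.240.2): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")

def parse_failover(text: str) -> dict:
    # Collect the enabled flag, both software versions, and per-host state/interfaces.
    state = {"enabled": False, "ours": None, "mate": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        state["enabled"] |= line.startswith("Failover On")
        if m := VER_RE.match(line):
            state["ours"], state["mate"] = m.groups()
        if m := HOST_RE.match(line):
            current = m.group(1)
            state["hosts"][current] = {"role": m.group(2), "state": m.group(3), "ifaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            # ifaces[name] = (ip, status, monitored?)
            state["hosts"][current]["ifaces"][m[1]] = (m[2], m[3], m[4] == "Monitored")
    return state

def health_problems(state: dict) -> list:
    """Return findings for the pair; an empty list means it is healthy."""
    problems = []
    if not state["enabled"]:
        problems.append("failover is not enabled")
    if state["ours"] != state["mate"]:
        problems.append(f"software mismatch: ours {state['ours']}, mate {state['mate']}")
    states = sorted(h["state"] for h in state["hosts"].values())
    if states != ["Active", "Standby Ready"]:
        problems.append(f"unexpected unit states: {states}")
    for host, h in state["hosts"].items():
        for name, (ip, status, monitored) in h["ifaces"].items():
            if monitored and status != "Normal":
                problems.append(f"{host} host: interface {name} ({ip}) is {status}")
    return problems
```

Run it against the real output of 'show failover' from each unit after the cut-over test below; a non-empty list is a reason not to trust the pair yet.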

A good / quick test to check everything is working is to power off ASA1, wait 30 seconds and issue the 'show failover' command on ASA2 again; you should see that it has now taken over ASA1's / the primary unit's interface IPs.

We can then turn ASA1 on again and manually make it the active unit of the pair again by issuing:

failover active

Note: If you have a backup link (e.g. for the internet) and have set up SLA monitoring, you will probably want to stop failover from monitoring the primary outside / internet interface, or else the pair will fail over to the standby ASA when the primary internet link goes down!

This can be done with:

no monitor-interface outside
