Deploy Failover/High Availability in ASA Firewall

HAING SEANG, Network Engineer at DEAM
KHNOG Micro-Event, 27 July 2016
Agenda

1/ Introduction to High Availability network design
2/ Failover/High Availability overview (terms and concepts)
3/ Failover deployment
4/ How failover works
5/ Failover requirements
6/ Failover Active/Standby configuration
7/ Failover behaviors
8/ Question/Answer

1/ Introduction to High Availability network design

[Figure: two topologies side by side. Flat network topology: a single firewall sits between the Internet and the LAN, so that firewall is a single point of failure. HA network topology: a pair of firewalls sits between the Internet and the LAN, so one unit can fail without cutting connectivity.]

2/ Failover/High Availability overview (terms and concepts)

- Failover/High Availability: two ASAs are paired to operate together and provide redundancy in case of a device failure.
- Primary unit: the unit on which the configuration is entered; the configuration is replicated to the peer. If both units start up at the same time, the primary always becomes the active unit, but at any given moment it can be either active or standby.
- Secondary unit: can be either active or standby.
- Active: handles all traffic and maintains the session (connection) table.
- Standby: only monitors the active unit for failure and takes over the active role when a failure occurs.
- Stateless failover: the TCP/UDP connection table, NAT translation table, ARP table, VPN information and so on are NOT replicated to the standby unit, so established connections are dropped at switchover and clients must reconnect. The two ASAs still use the failover link to synchronize configuration and commands.
- Stateful failover: the TCP/UDP connection table, NAT translation table, ARP table, VPN information and so on are replicated to the standby unit over the state link, so established connections survive a switchover.

3/ Failover deployment

An ASA pair can be configured in Active/Standby or Active/Active mode.

- Active/Standby: one unit (the active ASA) passes all traffic; the other (the standby ASA) only waits to take over.
- Active/Active (requires multiple-context mode): the contexts are split between the two units. In the figure, context CTX-A is active on ASA-1 and standby on ASA-2, while CTX-B is active on ASA-2 and standby on ASA-1, so both units pass traffic and each backs up the other.

[Figure: both designs, each with an Outside and an Inside network; in both, the two ASAs are joined by a failover link and a state link.]

4/ How failover works in Active/Standby

[Figure: Primary ASA (Active) and Secondary ASA (Standby), each with an Inside and an Outside interface, joined by the Failover link and the State link; Hello messages travel over the failover link.]

- The two units exchange Hello messages over the failover link at the unit poll interval (1 second by default). A unit is declared failed when its hellos stop for the unit hold time (15 seconds by default, the default listed in the failover timers table in section 7).
- If the standby unit misses three consecutive hellos on the failover link, it sends hellos over all of its interfaces to check whether the peer is still alive. If the peer answers on a data interface but not on the failover link, only the failover link is marked failed and no switchover happens. If the peer does not respond at all, the standby takes over the active unit's IP addresses and MAC addresses and becomes active.
- Because the IP and MAC addresses move with the active role, hosts and routers on either side keep working without any ARP change; the newly active unit also sends gratuitous ARP so the switches relearn which port now holds those addresses.

5/ Failover requirements

Hardware requirements: failover requires two identical ASAs connected to each other through a dedicated failover link and an optional state link. The two units must match in:
- model, and number and type of interfaces
- amount of RAM installed
- modules installed

Software requirements, both units must:
- be in the same firewall mode (routed or transparent)
- be in the same context mode (single or multiple)
- run the same software version
- have the same AnyConnect image (if configured)

Licensing requirement: on the models sold with a Base/Security Plus license split (5505, 5506, 5510, 5512-X), the Security Plus license is required for failover.

[Figure: ASA-1 and ASA-2 side by side, each with an Outside and an Inside interface.]

6/ Failover Active/Standby configuration

Lab topology (the slide's diagram as a table; the outside network connects to the Internet):

Port   Role            Subnet            Primary ASA (Active)   Secondary ASA (Standby)
G0/0   outside         192.168.1.0/24    192.168.1.1            192.168.1.2
G0/1   inside          172.16.1.0/24     172.16.1.1             172.16.1.2
G0/2   FAILOVER link   10.10.10.0/30     10.10.10.1             10.10.10.2
G0/3   STATE link      11.11.11.0/30     11.11.11.1             11.11.11.2

On the data interfaces the Primary column holds the active addresses and the Secondary column the standby addresses; they move with the active role at switchover. The failover and state link addresses belong to the unit (primary or secondary) and do not move.

ASA-Primary configuration

ASA(config)# failover lan unit primary # This unit is the primary
ASA(config)# failover lan interface FAILOVER GigabitEthernet0/2 # Gi0/2 becomes the dedicated failover link
INFO: Non-failover interface config is cleared on GigabitEthernet0/2 and its subinterfaces
ASA(config)# failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2 # Active and standby addresses of the failover link (the standby keyword is required)
ASA(config)# failover link STATE GigabitEthernet0/3 # Gi0/3 becomes the state link (optional, but required for stateful failover)
ASA(config)# failover interface ip STATE 11.11.11.1 255.255.255.252 standby 11.11.11.2 # Active and standby addresses of the state link
ASA(config)# failover key KHNOG # Shared secret for the failover and state links. Without it, configuration replication (passwords and keys included) and state replication cross these links in clear text, so use a strong key rather than a demo value like this one, or, on 9.1(2) and later, failover ipsec pre-shared-key. Keep the links on dedicated ports or an isolated VLAN in any case.
ASA(config)# failover # Enable failover

ASA(config)# interface GigabitEthernet0/0
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# security-level 0 # Set explicitly rather than relying on the default
ASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2 # Active address used by whichever unit is active, standby address used by the other
ASA(config-if)# no shutdown
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# nameif INSIDE
ASA(config-if)# security-level 100 # Set explicitly rather than relying on the default
ASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2 # The standby address is also what the standby unit uses to test each interface, so interface health monitoring needs it
ASA(config-if)# no shutdown
ASA(config)# prompt hostname context priority state # Show unit priority and failover state in the prompt, e.g. ASA/pri/act

ASA-Secondary configuration

Only the failover settings are entered on the secondary unit; interfaces, routing and policy are replicated from the primary once failover comes up. Link names, ports, addresses and key must match the primary exactly.

ASA(config)# failover lan unit secondary # This unit is the secondary
ASA(config)# failover lan interface FAILOVER GigabitEthernet0/2 # Gi0/2 becomes the dedicated failover link
INFO: Non-failover interface config is cleared on GigabitEthernet0/2 and its subinterfaces
ASA(config)# failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2 # Same active and standby addresses as on the primary
ASA(config)# failover link STATE GigabitEthernet0/3 # Gi0/3 becomes the state link
ASA(config)# failover interface ip STATE 11.11.11.1 255.255.255.252 standby 11.11.11.2 # Same active and standby addresses as on the primary
ASA(config)# failover key KHNOG # Must be identical to the primary's key
ASA(config)# failover # Enable failover; the unit then pulls its configuration from the active mate
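Once both units are configured, the running-config exported from each one should contain exactly the settings above. As an added example (not from the slides), the Python script below audits such an export for the points this section hinges on: failover enabled with a unit role, a dedicated failover link, a failover key (otherwise replication crosses the link in clear text), and failover/state link addressing that is a proper active/standby pair and does not overlap a data interface. The sample configuration text is constructed from the lab topology; the function names, the `*****` masking of the key and the decision to treat a missing key as a finding are the example's own choices, not anything the slides prescribe.

```python
"""Audit the failover stanza of an ASA running configuration
(added example, not from the original slides)."""
import ipaddress
import re
from typing import List

# Constructed sample: what the primary unit's running-config contains
# once the commands in this section are entered (lab topology above).
SAMPLE_PRIMARY_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet0/1
 nameif INSIDE
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
interface GigabitEthernet0/2
 description LAN Failover Interface
interface GigabitEthernet0/3
 description STATE Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover key *****
failover link STATE GigabitEthernet0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip STATE 11.11.11.1 255.255.255.252 standby 11.11.11.2
"""

# Same configuration with the failover key left out (the weak variant).
WEAK_CONFIG = SAMPLE_PRIMARY_CONFIG.replace("failover key *****\n", "")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_failover_config(config: str) -> dict:
    """Collect the failover facts and the named data interfaces from a config."""
    info = {"enabled": False, "unit": None, "key": False,
            "links": {},     # logical name -> {"role": "lan"|"state", "phys": port}
            "link_ips": {},  # logical name -> (active, mask, standby)
            "ifaces": {}}    # port -> {"nameif": name|None, "net": IPv4Network|None}
    cur = None  # port whose 'interface' block we are inside
    for line in config.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            cur = None  # any top-level command ends the interface block
        if cur and (m := re.match(r"\s+nameif (\S+)$", line)):
            info["ifaces"][cur]["nameif"] = m.group(1)
        elif cur and (m := re.match(rf"\s+ip address {IPV4} {IPV4}", line)):
            info["ifaces"][cur]["net"] = ipaddress.IPv4Network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)
            info["ifaces"][cur] = {"nameif": None, "net": None}
        elif line == "failover":
            info["enabled"] = True
        elif m := re.match(r"failover lan unit (primary|secondary)$", line):
            info["unit"] = m.group(1)
        elif m := re.match(r"failover (lan interface|link) (\S+) (\S+)$", line):
            role = "lan" if m.group(1) == "lan interface" else "state"
            info["links"][m.group(2)] = {"role": role, "phys": m.group(3)}
        elif m := re.match(rf"failover interface ip (\S+) {IPV4} {IPV4} standby {IPV4}$", line):
            info["link_ips"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif re.match(r"failover (key|ipsec pre-shared-key)\b", line):
            info["key"] = True
    return info


def audit_failover_config(config: str) -> List[str]:
    """Return findings; an empty list means the failover stanza looks sound."""
    info = parse_failover_config(config)
    findings: List[str] = []
    if not info["enabled"]:
        findings.append("failover is not enabled (no 'failover' line)")
    if info["unit"] is None:
        findings.append("unit role missing ('failover lan unit primary|secondary')")
    if not any(l["role"] == "lan" for l in info["links"].values()):
        findings.append("no failover link ('failover lan interface NAME PORT')")
    if not info["key"]:
        findings.append("no 'failover key' / 'failover ipsec pre-shared-key': "
                        "configuration replication crosses the failover link in clear text")
    named = {p: d for p, d in info["ifaces"].items() if d["nameif"]}
    for name, link in info["links"].items():
        if link["phys"] in named:
            findings.append(f"{name}: {link['phys']} is also data interface "
                            f"{named[link['phys']]['nameif']}; use a dedicated port")
        if name not in info["link_ips"]:
            findings.append(f"{name}: no 'failover interface ip' assigned")
            continue
        active, mask, standby = info["link_ips"][name]
        net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.IPv4Address(standby) not in net:
            findings.append(f"{name}: standby {standby} is not a distinct address in {net}")
        for d in named.values():  # a link subnet must not collide with a data subnet
            if d["net"] is not None and net.overlaps(d["net"]):
                findings.append(f"{name}: {net} overlaps data interface "
                                f"{d['nameif']} ({d['net']})")
    return findings
```

Run it against the output of `show running-config` saved from each unit (for example `audit_failover_config(open("asa-pri.cfg").read())`); anything it lists is worth fixing before the first switchover test, and the missing-key finding in particular means credentials have been crossing the failover link unprotected since failover was enabled.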

Console messages once failover is enabled on both units.

On the primary:
ASA/pri/act(config)# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

On the secondary:
ASA/sec/stby# Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.
State check detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
Switching to Standby

Verify with show failover on each unit.

ASA/pri/act(config)# show failover
Failover On
Failover unit Primary
Last Failover at: 12:23:34 UTC Jul 27 2017
        This host: Primary - Active
                Active time: 1664 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.1): Normal (Monitored)
                  Interface INSIDE (172.16.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 31 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.2): Normal (Monitored)
                  Interface INSIDE (172.16.1.2): Normal (Monitored)

ASA/sec/stby(config)# show failover
Failover On
Failover unit Secondary
Last Failover at: 12:23:34 UTC Jul 27 2017
        This host: Secondary - Standby Ready
                Active time: 31 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.2): Normal (Monitored)
                  Interface INSIDE (172.16.1.2): Normal (Monitored)
        Other host: Primary - Active
                Active time: 1664 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.1): Normal (Monitored)
                  Interface INSIDE (172.16.1.1): Normal (Monitored)

What to look for: Failover On, exactly one unit Active and the other Standby Ready, and every interface Normal (Monitored). Normal (Waiting) means monitoring of that interface on the peer has not started yet; Not-Monitored means the interface was excluded from health monitoring, so its failure will not trigger a switchover.
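Reading show failover by eye is fine for a two-unit lab; for a fleet, or a monitoring check that runs every few minutes, the same rules can be applied by a script. The Python health check below is an added example, not part of the slides: it parses output like the one above and returns the conditions that would stop a clean switchover (failover off, neither or both units Active, a monitored interface that is not Normal, an interface that is Waiting or Not-Monitored, or the two units monitoring different interface sets). The healthy sample is constructed from the slide's output; the degraded variant, the function names and the rule set are the example's own assumptions.

```python
"""Health check over 'show failover' output (added example, not from the slides)."""
import re
from typing import List

# Constructed sample: the primary unit's 'show failover' from the slides.
SHOW_FAILOVER_OK = """\
Failover On
Failover unit Primary
Last Failover at: 12:23:34 UTC Jul 27 2017
        This host: Primary - Active
                Active time: 1664 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.1): Normal (Monitored)
                  Interface INSIDE (172.16.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 31 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
                  Interface OUTSIDE (192.168.1.2): Normal (Monitored)
                  Interface INSIDE (172.16.1.2): Normal (Monitored)
"""

# Constructed degraded variant: the peer's INSIDE interface failed its tests
# and the peer itself is now reported as Failed, so there is nothing to fail over to.
SHOW_FAILOVER_DEGRADED = (
    SHOW_FAILOVER_OK
    .replace("Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")
    .replace("INSIDE (172.16.1.2): Normal (Monitored)", "INSIDE (172.16.1.2): Failed (Monitored)")
)

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]+)\): (.+?) \(([^)]+)\)\s*$")


def parse_show_failover(text: str) -> dict:
    """Return {'on': bool, 'hosts': {'This'|'Other': {unit, state, ifaces}}}."""
    result = {"on": False, "hosts": {}}
    host = None  # which host block the interface lines currently belong to
    for line in text.splitlines():
        if re.match(r"^Failover (On|Off)\s*$", line):
            result["on"] = line.split()[1] == "On"
        elif m := HOST_RE.match(line):
            host = m.group(1)
            result["hosts"][host] = {"unit": m.group(2), "state": m.group(3), "ifaces": {}}
        elif (m := IFACE_RE.match(line)) and host:
            result["hosts"][host]["ifaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
    return result


def check_ha_health(text: str) -> List[str]:
    """List the problems found; an empty list means the pair can fail over cleanly."""
    info = parse_show_failover(text)
    problems: List[str] = []
    if not info["on"]:
        problems.append("failover is off")
    hosts = info["hosts"]
    if set(hosts) != {"This", "Other"}:
        problems.append("could not find both units in the output")
        return problems
    states = sorted(h["state"] for h in hosts.values())
    if states != ["Active", "Standby Ready"]:
        problems.append(f"unit states are {states}; expected one Active and one Standby Ready")
    for which, h in hosts.items():
        for name, i in h["ifaces"].items():
            if i["status"] != "Normal":
                problems.append(f"{which} host ({h['unit']}) interface {name} is {i['status']}")
            if i["monitor"] != "Monitored":
                problems.append(f"{which} host ({h['unit']}) interface {name} is "
                                f"{i['monitor']}: its failure cannot trigger failover")
    this_set, other_set = (set(h["ifaces"]) for h in hosts.values())
    if this_set != other_set:  # both units must watch the same interfaces
        problems.append(f"interface sets differ between units: {sorted(this_set ^ other_set)}")
    return problems
```

Feed it the captured output of show failover from either unit (the view from the standby works just as well, since the check only distinguishes This and Other); treat a non-empty result as an alert, because a pair in that state will not give you the switchover the rest of this section promises.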

7/ Failover behaviors

Failover trigger conditions:
- The active unit has a hardware failure or a power failure.
- A monitored interface on the active unit fails its interface tests (all physical interfaces are monitored by default; no monitor-interface NAME excludes one).
- Failover is forced manually: no failover active is entered on the active unit, or failover active is entered on the standby unit.
- The active unit has a software failure.

Failover timers (time from the failure to the switchover):

Failover condition                                    Minimum   Default   Maximum
Active unit loses power or stops normal operation     800 ms    15 s      45 s
Active unit main board interface link down            500 ms    5 s       15 s
Active unit 4GE module interface link down            2 s       5 s       15 s
Active unit IPS or CSC module fails                   2 s       2 s       2 s

The unit and interface poll and hold times are tuned with failover polltime unit and failover polltime interface; shortening them speeds up detection but makes the pair more likely to switch over on a transient link flap or a busy failover link.

Recommended