Configuring and Cabling of Stateful Active/Standby Failover on a Cisco ASA 5510 Firewall

From NesevoWiki
Revision as of 11:06, 23 January 2012 by Philipp (talk | contribs) (→‎Pitfalls)

These steps were tested under IOS 8.2(2).

Prerequisites

  • You need two identical Cisco ASA 5510 appliances
  • Both appliances must be running the identical IOS version
  • You need at least IOS version 7.0. If you want to use IPv6, you need at least IOS version 8.2(2).
  • You need an ASA 5510 Security Plus license on both appliances.
  • Both appliances must be in the same mode (single|multiple|transparent|routed). This tutorial uses routed mode. (You can tell which mode your appliance is running in by issuing the show firewall command in enable mode.)

Assumptions

In this tutorial we assume the following target configuration:

  • One interface (Ethernet0/0) named outside which will be attached to the internet in your target environment
  • One interface (Ethernet0/1) named inside which will be attached to the internal LAN in your target environment
  • One interface (Ethernet0/2) named tmplan which will temporarily be attached to your LAN in the test environment (for setup and testing purposes)
  • One interface (Ethernet0/3) named failoverlink which will serve as the interface for failover and stateful failover
  • The hosts within the LAN in your target environment are configured to use a default gateway with the IP address of 10.0.0.1

Configuration steps

In an ASA 5510 failover configuration scenario one appliance is the primary one, the other one is the secondary one. You can read about the meaning of this in Cisco's official documentation.

Configuring the primary appliance

  • Power up your primary appliance (i.e. the one that is to become the primary appliance). Leave the other one switched off.
  • Connect to the primary appliance via console.
  • Enter enable, then the conf t command to get to the config prompt. Depending on your configuration you may have to enter a password.
fw> enable
fw#
fw# conf t
fw(config)#
  • In a failover scenario you have to apply a standby ip address to each data interface you want to have taken over by the secondary appliance in case of a failure on the primary one. We want all of our data interfaces to be covered.
    • Configure interface outside (use the network parameters valid for the external ip range in your target environment)
fw(config)# interface Ethernet0/0
fw(config-if)# nameif outside
fw(config-if)# ip address 111.222.111.222 255.255.255.192 standby 111.222.111.223
fw(config-if)# no shutdown
fw(config-if)# exit
fw(config)#
    • Configure interface inside (use the network parameters valid for the internal ip range in your target environment)
fw(config)# interface Ethernet0/1
fw(config-if)# nameif inside
fw(config-if)# ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
fw(config-if)# no shutdown
fw(config-if)# exit
fw(config)#
    • Configure interface tmplan (use the network parameters valid for the internal ip range in your test environment)
fw(config)# interface Ethernet0/2
fw(config-if)# nameif tmplan
fw(config-if)# ip address 192.168.0.250 255.255.255.0 standby 192.168.0.251
fw(config-if)# no shutdown
fw(config-if)# exit
fw(config)#
  • Make the appliance the primary failover unit
fw(config)# failover lan unit primary
  • Configure the failover interface.
    • We will assign the name failoverlink to it.
fw(config)# failover lan interface failoverlink Ethernet0/3
    • Assign IP addresses to the failoverlink interface. Note that the network segments assigned to the interfaces of the firewall must not overlap. We will use the 10.0.1.0/24 network for the failover ip addresses.
fw(config)# failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2
    • Enable the failoverlink interface
fw(config)# interface Ethernet0/3
fw(config-if)# no shutdown 
fw(config-if)# exit
fw(config)#
  • Configure the failoverlink interface to be used for stateful failover as well
fw(config)# failover link failoverlink
  • Enable failover
fw(config)# failover
  • Enable http replication (optional, causes a lot of traffic on the failoverlink interface)
fw(config)# failover replication http
  • Save system config
fw(config)# write mem
fw(config)# copy running-config startup-config
  • Exit config mode
fw(config)# exit
fw#
  • Check the failover status. It should now show up as the primary unit in active state and be complaining about its mate missing.
fw# show failover

Configuring the secondary appliance

  • Power up the secondary unit (leave the primary unit running)
  • Connect to the secondary unit via console
  • Connect the Ethernet0/3 ports of the two appliances using an ethernet crossover cable. Do not use a regular patch cable!
  • Enter config mode.
fw> enable
fw#
fw# conf t
fw(config)#
  • Configure the failover interface. It must be done in exactly the same way as on the primary unit. Do not switch the ip addresses used on the primary unit.
fw(config)# failover lan interface failoverlink Ethernet0/3
fw(config)# failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2
fw(config)# interface Ethernet0/3
fw(config-if)# no shutdown 
fw(config-if)# exit
fw(config)#
  • Make this unit the secondary unit
fw(config)# failover lan unit secondary
  • Enable failover
fw(config)# failover
  • Watch the secondary unit automagically recognise its primary mate and take over the configuration. When done, save the configuration:
fw(config)# copy running-config startup-config
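Two rules in the steps above are easy to get wrong when typing by hand: the subnets of the data interfaces and of the failoverlink must not overlap, and the failover interface lines on the secondary unit must be identical to those on the primary (addresses not swapped). The following Python script is an added example, not part of the original tutorial or of any Cisco tool; it checks a pasted configuration excerpt against both rules. The sample configurations are constructed from the commands in this tutorial, and the only lines it understands are nameif, ip address ... standby, failover lan interface and failover interface ip.

```python
import ipaddress
import re

# Constructed sample configs built from the tutorial's own commands
# (a real running-config has many more lines; only these matter here).
PRIMARY = """
interface Ethernet0/0
 nameif outside
 ip address 111.222.111.222 255.255.255.192 standby 111.222.111.223
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet0/2
 nameif tmplan
 ip address 192.168.0.250 255.255.255.0 standby 192.168.0.251
failover lan unit primary
failover lan interface failoverlink Ethernet0/3
failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2
failover link failoverlink
failover
"""

SECONDARY = """
failover lan interface failoverlink Ethernet0/3
failover interface ip failoverlink 10.0.1.1 255.255.255.0 standby 10.0.1.2
failover lan unit secondary
failover
"""

# Constructed mistake: the addresses on the secondary were swapped, which
# the tutorial explicitly warns against.
SECONDARY_SWAPPED = SECONDARY.replace(
    "10.0.1.1 255.255.255.0 standby 10.0.1.2",
    "10.0.1.2 255.255.255.0 standby 10.0.1.1")

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
FO_IP_RE = re.compile(r"^\s*failover interface ip (\S+) (\S+) (\S+) standby (\S+)\s*$")
FO_LINK_PREFIXES = ("failover lan interface ", "failover interface ip ")


def parse_addresses(config):
    """Map interface name -> (active ip, mask, standby ip or None)."""
    result = {}
    current = None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current:
            result[current] = (m.group(1), m.group(2), m.group(3))
            continue
        m = FO_IP_RE.match(line)
        if m:
            result[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return result


def check_addresses(config):
    """Return a list of findings; an empty list means the address plan is sound."""
    findings = []
    nets = {}
    for name, (ip, mask, standby) in parse_addresses(config).items():
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        nets[name] = iface.network
        if standby is None:
            findings.append(f"{name}: no standby address, cannot be taken over")
            continue
        standby_ip = ipaddress.ip_address(standby)
        if standby_ip == iface.ip:
            findings.append(f"{name}: standby address equals the active address")
        elif standby_ip not in iface.network:
            findings.append(f"{name}: standby {standby} is outside {iface.network}")
    # Every interface subnet, the failover link included, must be disjoint.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings


def check_failover_link_match(primary, secondary):
    """The 'failover lan interface' and 'failover interface ip' lines must be
    identical on both units; only 'failover lan unit ...' is meant to differ."""
    def link_lines(cfg):
        return {l.strip() for l in cfg.splitlines()
                if l.strip().startswith(FO_LINK_PREFIXES)}
    p, s = link_lines(primary), link_lines(secondary)
    findings = [f"only on primary: {l}" for l in sorted(p - s)]
    findings += [f"only on secondary: {l}" for l in sorted(s - p)]
    return findings


if __name__ == "__main__":
    for f in check_addresses(PRIMARY) or ["address plan OK"]:
        print(f)
    for f in check_failover_link_match(PRIMARY, SECONDARY) or ["failover link config matches"]:
        print(f)
    for f in check_failover_link_match(PRIMARY, SECONDARY_SWAPPED):
        print(f)
```

Run it against the text of both units' running-configs before cabling the failover link; any finding from the overlap check or the link-match check points at a line to correct before enabling failover on the secondary.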

Put it to the test

Now you can switch off the primary unit and watch the secondary unit become active. This is indicated by an LED on the appliance (amber = inactive, green = active) or on the console by the show failover command.
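Reading show failover by eye is fine during the test; in operation you will want a check that says whether the pair is still in the expected Active / Standby Ready state and whether both units run the same software version (one of the prerequisites above). The Python script below is an added example, not part of the original tutorial or of any Cisco tool. Its sample text is constructed to resemble the layout of show failover output on an ASA (the host and interface lines as the author of this example remembers them); the exact labels may differ between software versions, so treat the regular expressions as an assumption to adapt to your own output.

```python
import re

# Constructed sample modelled on the layout of 'show failover' output on an
# ASA 5510 (addresses are the tutorial's; labels are assumed, verify against
# your own unit's output).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Ethernet0/3 (up)
Version: Ours 8.2(2), Mate 8.2(2)
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface outside (111.222.111.222): Normal
                  Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (111.222.111.223): Normal
                  Interface inside (10.0.0.2): Normal
"""

# Constructed: the mate is reported as Failed, e.g. after it was switched off.
MATE_FAILED = HEALTHY.replace("Secondary - Standby Ready", "Secondary - Failed")

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+)")


def parse_show_failover(output):
    """Extract failover state, per-host role/state, versions and interface status."""
    state = {"failover_on": False, "hosts": {}, "versions": None, "interfaces": {}}
    current = None
    for line in output.splitlines():
        if line.strip() == "Failover On":
            state["failover_on"] = True
        m = VERSION_RE.match(line)
        if m:
            state["versions"] = (m.group(1), m.group(2))
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)                       # "This" or "Other"
            state["hosts"][current] = (m.group(2), m.group(3))
            state["interfaces"][current] = {}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            state["interfaces"][current][m.group(1)] = m.group(3)
    return state


def pair_problems(output):
    """Return the reasons the pair is not healthy; an empty list means
    failover is on, one unit is Active, the other Standby Ready, versions
    match and every monitored interface is Normal."""
    st = parse_show_failover(output)
    problems = []
    if not st["failover_on"]:
        problems.append("failover is not enabled")
    states = {role: s for role, (_, s) in st["hosts"].items()}
    if list(states.values()).count("Active") != 1:
        problems.append(f"expected exactly one Active unit, got {states}")
    for role, s in states.items():
        if s not in ("Active", "Standby Ready"):
            problems.append(f"{role} host is '{s}'")
    if st["versions"] and st["versions"][0] != st["versions"][1]:
        problems.append("software versions differ: %s vs %s" % st["versions"])
    for role, ifs in st["interfaces"].items():
        for name, status in ifs.items():
            if status != "Normal":
                problems.append(f"{role} host: interface {name} is {status}")
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("mate failed", MATE_FAILED)):
        print(label, pair_problems(text) or "OK")
```

Feed it the captured output of show failover from whichever unit you monitor; because the standby unit takes over the active unit's addresses on failover, the same check keeps working after a switchover, which is exactly the situation the monitoring pitfall below describes.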

Pitfalls

  • The standby unit occasionally writes the following error message to the console: WARNING: The UDP port 161 is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port. This shouldn't be an issue as you will normally only monitor the active one (in case of failover the standby unit becomes active and takes over the IP address of the failed unit, so it will automatically show up in the monitoring once it becomes active).
  • In case you've only got one internet line available, you need another switch in front of the two ASAs, as the internet connection must be available to both appliances. That said, if - by setting up failover for the ASA - it was your aim to avoid a single point of failure, there's now one more component to think of (as the additional switch, of course, can fail, too).
  • Generally speaking, the standby unit will always pick up the complete configuration of the active one. There are exceptions to this rule, however:
    • The failover part of the config is not synchronized. This is because only one appliance can be the primary one and the other one has to be the secondary one.
    • The SSH configuration: If you have configured the primary unit to allow SSH connections, this part of the config will not be synchronized. If you want to be able to access the secondary unit via SSH as well, you will have to repeat the configuration there.