The Cisco ASA firewall is often an important device in the network. We use it for (remote access) VPNs, NAT/PAT, filtering and more. Since it’s such an important device it’s a good idea to have a second ASA in case the first one fails.
The ASA supports active/standby failover which means one ASA becomes the active device, it handles everything while the backup ASA is the standby device. It doesn’t do anything unless the active ASA fails.
The failover mechanism is stateful which means that the active ASA sends all stateful connection information state to the standby ASA. This includes TCP/UDP states, NAT translation tables, ARP table, VPN information and more.
When the active ASA fails, the standby ASA will take over and since it has all connection information, your users won’t notice anything…
There are a number of requirements if you want to use failover:
- Platform has to be the same: for example 2x ASA 5510 or 2x ASA 5520.
- Hardware must be the same: same number and type of interfaces. Flash memory and RAM has to be the same.
- Same operating mode: routed or transparent mode and single or multiple context mode.
- License has to be the same..number of VPN peers, encryption supported, etc.
- Correct license. Some of the “lower” models require the Security Plus license for failover (the ASA 5510 is an example).
In this lesson we’ll take a look how to configure active/standby failover. Here’s the topology I will use:
We have two ASA firewalls…ASA1 and ASA2. ASA1 will be the active firewall and ASA2 will be in standby mode. Their Ethernet 0/0 interfaces are connected to the “INSIDE” security zone while the Ethernet 0/1 interfaces are connected to the “OUTSIDE” security zone. The Ethernet 0/3 interface in the middle will be used to synchronize connection information for failover. R1 and R2 are only used so we can generate some traffic.
We will start with the failover interface on ASA1. Make sure it’s not shut:
ASA1(config)# interface Ethernet 0/3 ASA1(config-if)# no shutdown
And then we configure this ASA to be the active (primary) device:
ASA1(config)# failover lan unit primary
Now we will configure Ethernet 0/3 to be the failover interface:
ASA1(config)# failover lan interface FAILOVER Ethernet 0/3 INFO: Non-failover interface config is cleared on Ethernet0/3 and its sub-interfaces
And we'll tell the ASA to use this interface for stateful failover:
ASA1(config)# failover link FAILOVER Ethernet 0/3
We can now configure the IP addresses on the failover interface. We need to use a dedicated subnet for this:
ASA1(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2
ASA1 (active) will use IP address 192.168.12.1 and ASA2 (standby) will use 192.168.12.2. Now we can enable failover:
Failover is now configured on ASA1. Let's configure some security zones and IP addresses on the "normal" Interfaces:
ASA1(config)# interface Ethernet 0/0 ASA1(config-if)# no shutdown ASA1(config-if)# nameif INSIDE ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ASA1(config)# interface Ethernet 0/1 ASA1(config-if)# nameif OUTSIDE ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
The ASA requires something that triggers the failover mechanism. An interface that fails is a good trigger. When the inside or outside interface fails, we should failover. By default all physical interfaces are monitored but let me show you the command anyway:
ASA1(config)# monitor-interface INSIDE ASA1(config)# monitor-interface OUTSIDE
This is all we have to configure. We can now configure ASA2:
ASA2(config)# failover lan unit secondary ASA2(config)# failover lan interface FAILOVER Ethernet 0/3 ASA2(config)# failover link FAILOVER Ethernet 0/3 ASA2(config)# failover interface ip FAILOVER 192.168.12.1 255.255.255.0 standby 192.168.12.2 ASA2(config)# failover
We configure ASA2 to be the standby device, its Ethernet 0/3 interface will be used for failover and we configure the active and standby IP addresses. Let's enable this interface so that the ASA's can talk with each other:
ASA2(config)# interface Ethernet 0/3 ASA2(config-if)# no shutdown
This is what you will see on ASA1 and ASA2:
ASA1# Beginning configuration replication: Sending to mate. End Configuration Replication to mate
ASA2# Failover LAN became OK Switchover enabled Configuration has changed, replicate to mate. State check detected an Active mate Beginning configuration replication from mate. End configuration replication from mate. Switching to Standby
Failover is up and running, the configuration has been replicated from ASA1 to ASA2. Whenever you make changes to the configuration, you only have to save on the active ASA and it will be replicated to the standby ASA:
ASA1# write memory Building configuration... Cryptochecksum: 690a4de8 e1179377 f8eabae6 8cf5242e 3372 bytes copied in 3.240 secs (1124 bytes/sec)
After saving the configuration you will see this on the standby ASA:
ASA1# Cryptochecksum: 5739e8f7 32355bc0 a97e7dfa dd54ad71 3373 bytes copied in 3.240 secs (1124 bytes/sec)
Let's see if failover is really working shall we?
A simple method to verify if its working is to check the show failover command:
ASA1# show failover Failover On Failover unit Primary Failover LAN Interface: FAILOVER Ethernet0/3 (up) Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 2 of 110 maximum Version: Ours 9.1(5), Mate 9.1(5) Last Failover at: 12:23:34 UTC Dec 19 2014 This host: Primary - Active Active time: 1664 (sec) slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys) Interface INSIDE (192.168.1.254): Normal (Monitored) Interface OUTSIDE (192.168.2.254): Normal (Monitored) slot 1: empty Other host: Secondary - Standby Ready Active time: 31 (sec) slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys) Interface INSIDE (192.168.1.253): Normal (Monitored) Interface OUTSIDE (192.168.2.253): Normal (Monitored) slot 1: empty Stateful Failover Logical Update Statistics Link : FAILOVER Ethernet0/3 (up) Stateful Obj xmit xerr rcv rerr General 90 0 89 0 sys cmd 89 0 89 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 0 0 0 0 Xlate_Timeout 0 0 0 0 IPv6 ND tbl 0 0 0 0 VPN IKEv1 SA 0 0 0 0 VPN IKEv1 P2 0 0 0 0 VPN IKEv2 SA 0 0 0 0 VPN IKEv2 P2 0 0 0 0 VPN CTCP upd 0 0 0 0 VPN SDI upd 0 0 0 0 VPN DHCP upd 0 0 0 0 SIP Session 0 0 0 0 Route Session 0 0 0 0 User-Identity 1 0 0 0 CTS SGTNAME 0 0 0 0 CTS PAC 0 0 0 0 TrustSec-SXP 0 0 0 0 IPv6 Route 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 2 91 Xmit Q: 0 25 482
This gives us a nice overview, you can see which device is active/standby but also what kind of stateful information is being exchanged. Let's create some telnet traffic between R1 and R2 so that you can see that the firewalls are exchanging TCP connection information:
R1#telnet 192.168.2.2 Trying 192.168.2.2 ... Open User Access Verification Password: R2>enable Password: R2#
When we check the show failover command again you will see this:
ASA1# show failover | include TCP TCP conn 5 0 0 0
The connection information for my TCP session has been exchanged between the two ASAs. To really test our failover, we have to simulate a link failure. I'll shut the interface on my switch that connects to the Ethernet 0/0 interface of ASA1:
SW1(config)#interface FastEthernet 0/14 SW1(config-if)#shutdown
Now you will see this on the active ASA:
Switching to Standby
And the standby ASA will tell us:
Switching to Active
Of course we can also check the show failover command again:
ASA1# show failover | include This host This host: Primary - Failed
ASA1# show failover | include This host This host: Secondary - Active
This proves that failover is working as it should, the standby ASA has become active after the link failure.
That's all there is for now! I hope you enjoyed this lesson, if you have any questions...feel free to leave a comment!