Configuring Cisco ASA active standby failover


Overview

In modern datacenters one of the most important things that needs to be addressed is uptime. Cisco ASA offers high availability mechanisms like failover in order to provide network uptime and redundancy. To configure failover we need two identical ASA devices connected to each other through a dedicated failover link and, optionally, a stateful failover link. Two failover modes are supported on the ASA platform: active/standby and active/active. In this article we will focus only on configuring active/standby failover. In an active/standby failover setup only one unit, called the active unit, passes traffic. The standby unit is a backup of the active unit and accepts only management connections (all transit traffic is dropped). When the active unit fails, it changes to the standby state while the standby unit changes to the active state.

ASA failover requirements

Before configuring active/standby failover there are some requirements that need to be met:

  • Both ASA failover units must be the same model and have the same number and types of interfaces
  • Both ASA failover units must have the same amount of RAM installed
  • Both ASA failover units must have the same modules installed (if any)
  • Both ASA failover units must use the same firewall mode (routed or transparent)
  • Both ASA failover units must be in the same context mode (single or multiple)

Failover and stateful failover links

Before configuring ASA failover we need to allocate one physical interface on each ASA device to be used for the failover link. This link is used to determine the operating status of each unit and to replicate state information between the appliances, like the conn and xlate tables. The connection can be made directly between the two ASA devices or through an external switch; in either case failover needs a dedicated subnet with layer 2 connectivity between the peers.

By default failover communication is stateless. This means that in the case of a failover event all existing connections must be re-established. When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit, so if a failover occurs the same connection information is available on the new active unit. One important thing to take into consideration regarding the stateful failover link is latency: it should not exceed 10 ms, otherwise performance degradation might occur due to retransmission of failover messages.

In my scenario I’ll use two dedicated interfaces on each ASA appliance: one for the LAN failover link and a second for the stateful failover link.

ASA interfaces configuration

For the purpose of my demonstration I’ll use two ASAv devices running version 9.5(2). In the configuration scenario below I’ll set up device ASA1-FW as the active firewall and ASA2-FW as the standby firewall. On both firewalls the interfaces will be set up like this:

  • interface Gi0/0 used for the inside networks (172.16.100.0/24 -> VLAN 100) and (172.16.200.0/24 -> VLAN 200)
  • interface Gi0/1 used for the outside network (77.77.77.0/24)
  • interface Gi0/2 used for the failover link between both firewalls (10.1.1.0/24)
  • interface Gi0/3 used for the stateful failover link between both firewalls (10.2.2.0/24)

Failover

Before starting to set up the primary unit we need to configure the standby IP addresses for all interfaces except the failover and state links. According to the topology the inside networks are split into two VLANs, so in this case we need to enable the Gi0/0 interface without any configuration and then set up two subinterfaces, one for each VLAN.

ASA1-FW(config)# interface GigabitEthernet0/0
ASA1-FW(config-if)# no shutdown
ASA1-FW(config)# interface GigabitEthernet0/0.100
ASA1-FW(config-if)# vlan 100
ASA1-FW(config-if)# nameif inside_1
ASA1-FW(config-if)# security-level 100
ASA1-FW(config-if)# ip address 172.16.100.1 255.255.255.0 standby 172.16.100.2
ASA1-FW(config)# interface GigabitEthernet0/0.200
ASA1-FW(config-if)# vlan 200
ASA1-FW(config-if)# nameif inside_2
ASA1-FW(config-if)# security-level 100
ASA1-FW(config-if)# ip address 172.16.200.1 255.255.255.0 standby 172.16.200.2

The configuration for the outside interface Gi0/1 is listed below.

ASA1-FW(config)# interface GigabitEthernet0/1
ASA1-FW(config-if)# nameif outside
ASA1-FW(config-if)# security-level 0
ASA1-FW(config-if)# ip address 99.99.99.2 255.255.255.248 standby 99.99.99.3
ASA1-FW(config-if)# no shutdown

We also need to configure the default route to allow connections to the outside world.

ASA1-FW(config)# route outside 0.0.0.0 0.0.0.0 99.99.99.1

We can verify that all interfaces have been configured properly by running the following command:

ASA1-FW# show interface ip brief | grep -v down
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up  
GigabitEthernet0/0.100     172.16.100.1    YES CONFIG up                    up  
GigabitEthernet0/0.200     172.16.200.1    YES CONFIG up                    up  
GigabitEthernet0/1         99.99.99.2      YES manual up                    up

Configuring the primary unit

Now that the interfaces are configured let’s proceed and setup the failover configuration and designate ASA1-FW as the primary unit.

ASA1-FW(config)# failover lan unit primary

Next we need to specify the interface that will be used for failover communication, in our case Gi0/2.

ASA1-FW(config)# failover lan interface Fail-link GigabitEthernet0/2

Here I have used Fail-link as the name of the failover interface. You can use any name you want for this interface, but it’s recommended to choose a descriptive one. Then we need to assign the active and standby IP addresses to the failover link. Both the active and the standby IP address must be in the same subnet because failover needs layer 2 adjacency in order to work.

ASA1-FW(config)# failover interface ip Fail-link 10.1.1.1 255.255.255.0 standby 10.1.1.2

I used 10.1.1.1 for the active IP address and 10.1.1.2 for the standby IP address. Since our topology uses a second link for stateful failover we also need to set up the state link on interface Gi0/3. The stateful failover active and standby IP addresses are configured in the subnet 10.2.2.0/24.

ASA1-FW(config)# failover link State-link GigabitEthernet0/3
ASA1-FW(config)# failover interface ip State-link 10.2.2.1 255.255.255.0 standby 10.2.2.2

By default HTTP connections are not replicated over stateful failover. You can enable HTTP replication with the following command:

ASA1-FW(config)# failover replication http

Right now both failover interfaces are configured but not enabled. We need to issue a no shutdown command on each of them to bring them up.

ASA1-FW(config)# interface Gi0/2
ASA1-FW(config-if)# no shutdown
ASA1-FW(config)# interface Gi0/3
ASA1-FW(config-if)# no shutdown

The failover communication between the primary and secondary unit is sent in clear text. We can secure this communication with a shared secret key. The shared secret can be between 1 and 63 characters long and must be the same on both units; any combination of numbers, letters and punctuation can be used. The configuration command is listed below.

ASA1-FW(config)# failover key C!sc0F@il0v3r

The failover key command is the legacy method of securing failover communication. Beginning with version 9.1.2, Cisco introduced the failover ipsec pre-shared-key command, which establishes an IPsec encrypted tunnel between the two units.

ASA1-FW(config)# failover ipsec pre-shared-key C!sc0F@il0v3r

If both methods are configured at the same time, IPsec is preferred. The shared secret is not visible in the running configuration; it is hidden behind asterisks (*****). The last step is to enable failover on the primary unit with the failover command.

ASA1-FW(config)# failover

With the configuration of the primary unit complete, let’s save the running configuration to flash and continue with the configuration of the secondary unit.

ASA1-FW(config)# write memory
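As an added example (not part of the article), a Python pre-flight check run against a primary-unit running configuration assembled from the commands above. It flags the mistakes that would break or weaken the setup described here: a named data interface without a standby address, a missing failover lan unit role or failover LAN interface, failover traffic left unsecured (neither failover key nor failover ipsec pre-shared-key), and failover not enabled. The sample configuration is constructed and deliberately omits the outside standby address and the key.

```python
# Primary-unit running config assembled from this article's commands; the outside standby
# address and the failover key are deliberately left out so the checker has something to find.
PRIMARY_CONFIG = """\
interface GigabitEthernet0/0.100
 nameif inside_1
 ip address 172.16.100.1 255.255.255.0 standby 172.16.100.2
interface GigabitEthernet0/1
 nameif outside
 ip address 99.99.99.2 255.255.255.248
failover lan unit primary
failover lan interface Fail-link GigabitEthernet0/2
failover interface ip Fail-link 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover link State-link GigabitEthernet0/3
failover interface ip State-link 10.2.2.1 255.255.255.0 standby 10.2.2.2
failover
"""

def check_failover_config(cfg):
    """Return findings that would stop active/standby failover or leave it unprotected."""
    findings, ifaces, cur, fo = [], {}, None, []
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"nameif": None, "ip": None}
        elif cur and line.startswith(" nameif "):
            ifaces[cur]["nameif"] = line.split()[1]
        elif cur and line.startswith(" ip address "):
            ifaces[cur]["ip"] = line
        elif line.startswith("failover"):
            cur = None                      # we have left the interface blocks
            fo.append(line)
    # Every named data interface needs a standby address (failover links are configured separately).
    for name, d in ifaces.items():
        if d["nameif"] and d["ip"] and " standby " not in d["ip"]:
            findings.append(f"{name} ({d['nameif']}) has no standby IP address")
    if not any(l in ("failover lan unit primary", "failover lan unit secondary") for l in fo):
        findings.append("failover lan unit primary/secondary not set")
    if not any(l.startswith("failover lan interface ") for l in fo):
        findings.append("no failover LAN interface defined")
    if not any(l.startswith(("failover key ", "failover ipsec pre-shared-key ")) for l in fo):
        findings.append("failover traffic not secured: no failover key or IPsec pre-shared key")
    if "failover" not in fo:
        findings.append("failover not enabled")
    return findings
```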

Configuring the secondary unit

On the secondary unit we only need to configure the failover links. The failover configuration on the secondary firewall is almost the same as on the primary one; the only permanent difference between the two configurations is the failover lan unit command, which identifies this unit as secondary. The secondary unit requires these commands to communicate initially with the primary unit. The failover configuration on the secondary unit is listed below.

ASA2-FW(config)# failover lan unit secondary
ASA2-FW(config)# failover lan interface Fail-link GigabitEthernet0/2
ASA2-FW(config)# failover interface ip Fail-link 10.1.1.1 255.255.255.0 standby 10.1.1.2
ASA2-FW(config)# interface Gi0/2
ASA2-FW(config-if)# no shutdown
ASA2-FW(config)# failover link State-link GigabitEthernet0/3
ASA2-FW(config)# failover interface ip State-link 10.2.2.1 255.255.255.0 standby 10.2.2.2
ASA2-FW(config)# interface Gi0/3
ASA2-FW(config-if)# no shutdown
ASA2-FW(config)# failover key C!sc0F@il0v3r
ASA2-FW(config)# failover

As soon as you enter the last failover command on the secondary unit it will start communicating with the primary unit and you’ll see the synchronization messages on the console.

Failover LAN became OK
Switchover enabled
Configuration has changed, replicate from mate.

        Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

After the failover configuration syncs, save the configuration to flash memory.

ASA2-FW(config)# write memory

We notice that on the secondary unit the hostname changes to ASA1-FW because of the configuration replication from the primary unit. In order to tell which unit is primary/secondary and active/standby we can use the prompt hostname priority state command on the primary unit.

ASA1-FW(config)# prompt hostname priority state

After entering this command the prompt changes on the primary unit like below.

ASA1-FW/pri/act(config)#

On the secondary unit the prompt should look like this:

ASA1-FW/sec/stby(config)#

From now on configuration changes should be applied only on the active unit. If you enter configuration mode on the standby unit, a warning message is issued that the configurations will no longer be synchronized.

**** WARNING **** 
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

You can prevent accidental changes on the standby unit by locking its configuration, using the following command on the active unit.

ASA1-FW/pri/act(config)# failover standby config-lock

Now the following message will be displayed on the standby unit console.

The configuration on the Standby has been locked for changes. Configuration commands can not be executed on standby.

Monitoring failover status

We can verify the failover status and configuration by using the show failover command.

ASA1-FW/pri/act# show failover
Failover On 
Failover unit Primary
Failover LAN Interface: Fail-link GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 36 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.5(2)204, Mate 9.5(2)204
Last Failover at: 06:49:53 UTC Jul 14 2016
  This host: Primary - Active
                Active time: 7733 (sec)
                slot 0: empty
                  Interface inside_linux (172.16.100.1): Normal (Monitored)
                  Interface inside_win (172.16.200.1): Normal (Monitored)
                  Interface outside (99.99.99.2): Normal (Monitored)
  Other host: Secondary - Standby Ready
                Active time: 22 (sec)
                  Interface inside_linux (172.16.100.2): Normal (Monitored)
                  Interface inside_win (172.16.200.2): Normal (Monitored)
                  Interface outside (99.99.99.3): Normal (Monitored)

The output of this command contains some useful information: the role and state of each unit, the OS version of both units, the status of the failover interface, and the state of each monitored interface. For a detailed explanation of the output of the show failover command you can check the Cisco documentation website. Another useful command, which displays information about the interfaces monitored for failover, is show monitor-interface.
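As an added example (not from the article), a Python script that parses show failover output, shortened from the one shown above, and reports the conditions an operator would want an alert on: failover off, the failover LAN link not up, a software version mismatch between the units, a unit that is not Active or Standby Ready, or a monitored interface that is not in the Normal state.

```python
import re

SHOW_FAILOVER = """\
Failover On
Failover LAN Interface: Fail-link GigabitEthernet0/2 (up)
Version: Ours 9.5(2)204, Mate 9.5(2)204
  This host: Primary - Active
                  Interface inside_linux (172.16.100.1): Normal (Monitored)
                  Interface outside (99.99.99.2): Normal (Monitored)
  Other host: Secondary - Standby Ready
                  Interface inside_linux (172.16.100.2): Normal (Monitored)
                  Interface outside (99.99.99.3): Normal (Monitored)
"""

def parse_failover(text):
    """Extract the fields checked first: failover state, LAN link, versions, per-host interfaces."""
    info = {"hosts": {}}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            info["enabled"] = line == "Failover On"
        elif m := re.match(r"Failover LAN Interface: (\S+) (\S+) \((\w+)\)", line):
            info["lan_link"] = {"name": m[1], "interface": m[2], "status": m[3]}
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            info["versions"] = (m[1], m[2])
        elif m := re.match(r"(This|Other) host: (\w+) - (.+)", line):
            host = m[1].lower()
            info["hosts"][host] = {"unit": m[2], "state": m[3].strip(), "ifaces": {}}
        elif host and (m := re.match(r"Interface (\S+) \((\S+)\): (\w+) \((\w+)\)", line)):
            info["hosts"][host]["ifaces"][m[1]] = {"ip": m[2], "status": m[3], "monitor": m[4]}
    return info

def failover_problems(info):
    """Return reasons the pair is not healthy; an empty list means it is ready to fail over."""
    problems = []
    if not info.get("enabled"):
        problems.append("failover is off")
    if info.get("lan_link", {}).get("status") != "up":
        problems.append("failover LAN link is not up")
    if len(set(info.get("versions", ()))) != 1:
        problems.append("software version mismatch between units")
    if {h["state"] for h in info["hosts"].values()} != {"Active", "Standby Ready"}:
        problems.append("expected one Active and one Standby Ready unit")
    for name, h in info["hosts"].items():
        for ifname, d in h["ifaces"].items():
            if d["status"] != "Normal" or d["monitor"] != "Monitored":
                problems.append(f"{name} host: {ifname} is {d['status']} ({d['monitor']})")
    return problems
```

The same functions can be fed the output of show failover collected over SSH on a schedule, so a pair that silently drops to a single active unit is noticed before the next outage.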

Testing the failover functionality

Now that the configuration is complete let’s test whether failover is working properly. First let’s force a manual failover to check that the secondary unit becomes active. This can be done by running the following command on the active unit.

ASA1-FW/pri/act(config)# no failover active

This will cause both units to switch failover roles, so the primary unit becomes standby and the secondary unit becomes active. The prompt on the primary unit will look like below:

ASA1-FW/pri/stby(config)#

You can also do this the reverse way by running the failover active command on the standby unit. Now let’s test a real-world failover scenario by simulating a hardware failure on the primary ASA unit. Looking at the topology above, I’ll connect to the console of the Win-PC host, run a continuous ping to the IP address of the remote webserver 123.123.123.123 and then turn off the primary unit.

Win-PC> ping 123.123.123.123 -t

From the ping statistics output we can see that we lost only 4 pings while the standby unit became active.

  Ping statistics for 123.123.123.123:
    Packets: Sent = 29, Received = 25, Lost = 4 (13% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 4ms, Average = 2ms

One important thing to mention is that ASA failover does not use preemption. This means that when the primary unit comes back online it will take the standby role and the secondary unit will keep its active role. Switching the primary unit back to the active role requires a manual failover. If you have planned maintenance you can temporarily disable the failover mechanism so the standby firewall remains in standby mode and you don’t end up with two active firewalls. This can be done using the no failover command.

ASA2-FW/sec/stby(config)# no failover

Summary

In this article we have discussed the basic concepts of active/standby failover using a simple topology. We have focused only on CLI failover configuration, but Cisco ASA also supports failover configuration through ASDM (Cisco Adaptive Security Device Manager), the GUI of the Cisco ASA. Depending on your environment you might need to tweak this configuration to suit your needs.

4 comments

  • Awal

    Hi,

    Thanks for this great write-up and explanation. The lab is really self-explanatory and in-detail. I am wondering if you could just explain a little bit about the purpose of using two links for LAN and STATE failover. Is it possible to do the same thing by using only one link? What is the difference?

    Thanks in advance.

  • Sorry for the late response.
    LAN failover interface is used for stateless connections. This means that when a failover occurs all connections need to be re-established.
    STATEFUL failover interface maintains a state table with all active connections and replicates the table to the standby ASA. So in case of a failover the standby ASA which has a copy of the state table will take over without any service disruption.
    For the second question, sure, you can use the same interface for the LAN and STATE failover interfaces. You can use separate interfaces if you have a high volume of stateful data to synchronize between your ASAs and you do not want to affect failover.

  • Tawhid

    Nice explanation. Can you please write more about the ASA firewall access-list.

  • Ian

    This is a really good article.
    Thanks a ton…
