topic How to trigger failover in a multi context ASA firewall environm in Network Security

How to trigger failover in a multi context ASA firewall environment?

aimarchitect — Mon, 11 Mar 2019 21:54:09 GMT

Hi,

What is the most common way to configure failover triggers on two ASA running in multiple context mode?

It seems that there is any easy approach in which the standby takes over only if it loses connection with the primary on the configured "failover lan interface".

What kind of other options are there? What about configuring failover if either the trunking uplink (to WAN) or trunking downlink (to LAN) interfaces on the primary go down?

Thanks

How to trigger failover in a multi context ASA firewall environm

mirober2 — Tue, 22 Nov 2011 21:11:11 GMT

Hi Greg,

The various failover triggers are listed here:

Active/Standby:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html#wp1079547

Active/Active:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html#wp1080167

-Mike

How to trigger failover in a multi context ASA firewall environm

aimarchitect — Tue, 22 Nov 2011 21:55:01 GMT

Mike,

Thanks for the info.

Say I want to configure the standby to take over if the either the e0/0 trunk uplink to the WAN or the e0/1 trunk downlink to the LAN get disconnected (accidentally unplugged) on the primary...

I would confugrure that in the system context, right? If so, what would I add to the current primary system configuration to make that happen?

ASA Version 8.2(2)

hostname firewall001

interface Ethernet0/0

description Uplink to WAN

interface Ethernet0/0.14

description DMZ

vlan 14

interface Ethernet0/0.104

description Outside-104

vlan 104

interface Ethernet0/0.200

description Outside-200

vlan 200

interface Ethernet0/1

description Downlink to LAN

interface Ethernet0/1.23

description MGMT-23

vlan 23

interface Ethernet0/1.24

description MGMT-24

vlan 24

interface Ethernet0/1.500

description Client1-Inside

vlan 500

interface Ethernet0/2

shutdown

interface Ethernet0/3

description LAN/STATE Failover Interface

interface Management0/0

shutdown

failover

failover lan unit primary

failover lan interface ASA-Failover Ethernet0/3

failover link ASA-Failover Ethernet0/3

failover interface ip ASA-Failover 10.0.1.1 255.255.255.252 standby 10.0.1.2

no asdm history enable

arp timeout 14400

console timeout 0

admin-context MAIN

context MAIN

allocate-interface Ethernet0/0.14

allocate-interface Ethernet0/0.200

allocate-interface Ethernet0/1.23-Ethernet0/1.24

allocate-interface Management0/0

config-url disk0:/MAIN.cfg

context CLIENT1

allocate-interface Ethernet0/0.104

allocate-interface Ethernet0/1.500

config-url disk0:/CLIENT1.cfg

prompt hostname context

Re: How to trigger failover in a multi context ASA firewall envi

mirober2 — Wed, 23 Nov 2011 13:01:38 GMT

Hi Greg,

You just need to enable interface monitoring for your sub-interfaces in the context where they are allocated. The ASA will then failover if the e0/0 link goes down or if the devices can't send/receive interface monitoring packets on any of the enabled subinterfaces. For example:

firewall001# changeto context MAIN

firewall001/MAIN# conf t

firewall001/MAIN(config)# monitor-interface inside

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2123112

-Mike

Re: How to trigger failover in a multi context ASA firewall envi

aimarchitect — Wed, 23 Nov 2011 22:15:15 GMT

Thanks Mike,

I see now that monitoring is configured within the context. Failover from primary to standby in one context doesn't affect another context, right?

Re: How to trigger failover in a multi context ASA firewall envi

mirober2 — Thu, 24 Nov 2011 12:58:08 GMT

Hi Greg,

It depends if you are using Active/Standby failover or Active/Active failover. With Active/Standby, all contexts are Active on the same unit at the same time and a failover event affects the entire unit. With Active/Active, you can assign your contexts to failover groups and a failover event may only affect one group and not the other. With Active/Active, one group is Active on one unit and the other group is Active on the second unit.

-Mike