topic Re: Replication of interfaces on active standby multi context in Network Security

Replication of interfaces on active standby multi context

sidcracker — Mon, 11 Mar 2019 18:35:50 GMT

Hello All,

When I am configuring a Active/Standby multiple context firewall, is it enough only to configure the interface only on the primary device (specific context) so that it will get replicated on to the secondary firewall (specific context) or do we also configure it on the secondary box (specific context)?

Thanks

Re: Replication of interfaces on active standby multi context

praprama — Tue, 07 Sep 2010 02:59:09 GMT

Hey,

Yes its enough to configure interfaces only on the primary device and it should get copied to the secondary automatically. The pre-requisites for that are:

1) "failover lan unit primary" on primary device and "failover lan unit secondary" on secondary device.

2) configure failover LAN interface on both the devices. (the commands will be the same on both the devices for this)

3) enable failover on the primary firewall first and then the secondary firewall.

Let me know if this helps!

Regards,

Prapanch

Re: Replication of interfaces on active standby multi context

sidcracker — Tue, 07 Sep 2010 03:02:10 GMT

Hi Prapanch,

Thanks for the reply. The interfaces are already configured but there is no standby IP for the admin context in the primary context and hence I cannot ssh to the secondary context. So i can just add the "standby IP Address" command on the primary device and it should get replicated to the secondary box.

Thanks again

Re: Replication of interfaces on active standby multi context

praprama — Tue, 07 Sep 2010 03:11:14 GMT

Hey,

Yeah!! So if i am understanding it right, right now under the interface you have something like "ip address 10.1.1.1 255.255.255.0". So if you want to give it a standby IP address say 10.1.1.2, you just need to change it to "ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2".

Regards,

Prapanch

Re: Replication of interfaces on active standby multi context

paultribe — Tue, 07 Sep 2010 13:24:55 GMT

You mentioned you were using multiple context firewalls in which case you can only configure Active/Active failover, the main failover configuration is done in the system execution space, preempt is used so that once a failover condition is cleared that unit takes over again as the active firewall for the failover group (Therefore on your secondary unit there would be no preempt):

failover

failover lan unit primary

failover lan interface LAN_Failover GigabitEthernet3/3

failover link STATE_Failover GigabitEthernet4/3

failover interface ip LAN_Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2

failover interface ip STATE_Failover 10.1.1.3 255.255.255.252 standby 10.1.1.4

failover group 1

preempt 15

failover group 2

secondary

preempt 15

Also within the system execution space, within each context you add which failover group the context should join, If you wish your firewalls to act like Active/Standby then make all contexts join the same failover group:

admin-context admin

context admin

allocate-interface Management0/0

config-url disk0:/admin.cfg

join-failover-group 1

Then configure failover within the context including the monitoring of interfaces, for example:

interface Management0/0

description Entire ASA 5580 Appliance Management

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.240 standby 192.168.1.2

management-only

monitor-interface management

I just thought you may be interested.