<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Active/Passive failover help in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419909#M734389</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"&gt;&lt;P&gt;j.blakley wrote:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, on my secondary, I don't have to set a public address on the outside interface or a private address on the inside interface. I only have to have addressing that is used between the primary and secondary units to talk to, more than likely a /30 for both the failover and state interfaces? What about telnetting into the secondary? As long as I can route to it, that should be fine too, right?&lt;/P&gt;&lt;/PRE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You don't need addresses, but personally on the private addressed interface I would use one. Then you can telnet into the device on that address. And as private addresses are not in short supply, I can't see a huge advantage to not using one.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 13 Apr 2010 17:18:32 GMT</pubDate>
    <dc:creator>Jon Marshall</dc:creator>
    <dc:date>2010-04-13T17:18:32Z</dc:date>
    <item>
      <title>Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419904#M734381</link>
      <description>&lt;P&gt;All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a 5550 that I'm going to be setting up failover on when we get our second one soon. I have a couple of questions:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.) The current 5550 that we have has a public presence. Do I need to configure the standby with a physical public address also?&lt;/P&gt;&lt;P&gt;2.) I would also think that if I had to do the above, I would also need to configure for internal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The configs that I've found haven't been clear on how to configure active/standby on these units. I've got the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Current 5550 (primary):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;eth0: ip 5.5.5.5 255.255.255.252&lt;/P&gt;&lt;P&gt;eth1: ip 192.168.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To configure the above existing firewall in failover, I've been finding configs that are applying the failover and state interfaces to interfaces that don't look like they're being addressed. In reality, does the standby need an ip address that faces the lan, or are the only addresses that need to be configured the ones that are configured to look for failover?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Example standby:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;eth0: connected to public switch (no ip)&lt;/P&gt;&lt;P&gt;eth1: connected to failover (10.0.0.2/30)&lt;/P&gt;&lt;P&gt;eth2: connected to state (10.0.0.6/30)&lt;/P&gt;&lt;P&gt;eth3: connected to lan (no ip)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The above would be communicated from the primary with:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;eth0: public address&lt;/P&gt;&lt;P&gt;eth1: connected to failover (10.0.0.1/30)&lt;/P&gt;&lt;P&gt;eth2: connected to state (10.0.0.5/30)&lt;/P&gt;&lt;P&gt;eth3: internal lan (192.168.1.1)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Am I on the right track?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 17:32:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419904#M734381</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2019-03-11T17:32:06Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419905#M734382</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;John&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are 2 reasons to configure an interface with a standby ip address -&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) so you can connect to the standby firewall on that interface&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) so the firewalls can monitor each other's state on those interfaces&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You don't need to configure every interface with a standby address if you don't want to, and sometimes you don't if you are using public IP addressing on the interfaces.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Apr 2010 21:55:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419905#M734382</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2010-04-12T21:55:01Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419906#M734383</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do I need to put an address on the outside and inside interfaces on the secondary at all?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Apr 2010 23:12:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419906#M734383</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-12T23:12:58Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419907#M734386</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No, the configuration is automatically synchronised once you have the failover configured on both firewalls.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Apr 2010 23:22:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419907#M734386</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2010-04-12T23:22:22Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419908#M734388</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So, on my secondary, I don't have to set a public address on the outside interface or a private address on the inside interface. I only have to have addressing that is used between the primary and secondary units to talk to, more than likely a /30 for both the failover and state interfaces? What about telnetting into the secondary? As long as I can route to it, that should be fine too, right?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 15:43:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419908#M734388</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-13T15:43:32Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419909#M734389</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"&gt;&lt;P&gt;j.blakley wrote:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, on my secondary, I don't have to set a public address on the outside interface or a private address on the inside interface. I only have to have addressing that is used between the primary and secondary units to talk to, more than likely a /30 for both the failover and state interfaces? What about telnetting into the secondary? As long as I can route to it, that should be fine too, right?&lt;/P&gt;&lt;/PRE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You don't need addresses, but personally on the private addressed interface I would use one. Then you can telnet into the device on that address. And as private addresses are not in short supply, I can't see a huge advantage to not using one.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 17:18:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419909#M734389</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2010-04-13T17:18:32Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419910#M734391</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jon,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What happens if I put a private address on the inside interface of the secondary unit when it fails over? Here's the part that I'm not understanding:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My gateway is 10.10.10.54 (primary ASA)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I put a private address on the secondary, say 10.10.10.55, and configure failover, what happens if the primary dies and all of my workstations are set up to .54 for the gateway?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do I need to change the internal address of the primary to be something else and then set up a virtual address to be .54 (like hsrp)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 17:26:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419910#M734391</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-13T17:26:25Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419911#M734394</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"&gt;&lt;P&gt;j.blakley wrote:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What happens if I put a private address on the inside interface of the secondary unit when it fails over? Here's the part that I'm not understanding:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My gateway is 10.10.10.54 (primary ASA)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I put a private address on the secondary, say 10.10.10.55, and configure failover, what happens if the primary dies and all of my workstations are set up to .54 for the gateway?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do I need to change the internal address of the primary to be something else and then set up a virtual address to be .54 (like hsrp)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;&lt;/PRE&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ahh, i see.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The firewall failover works slightly differently than HSRP for example. With HSRP you have a 3rd address ie. the VIP that can move between the routers. With the firewall the address assigned to the active firewall is simply moved across to the secondary firewall so your clients would still send traffic to the same gateway, it's just that the traffic would now go to the new active firewall ie. the one that was standby before the failover.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The standby address is never used as a gateway for end clients. It is simply for monitoring and being able to remotely manage the standby firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 17:30:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419911#M734394</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2010-04-13T17:30:29Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419912#M734396</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Okay, so let's see if I have this right then &lt;SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm going to set up a /30 between the two ASAs for failover connection.&lt;/P&gt;&lt;P&gt;I'm going to set up a /30 between the two ASAs for the state connection.&lt;/P&gt;&lt;P&gt;I'm also going to put the secondary internal interface on any address that doesn't conflict with the current internal address of the primary.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When the secondary comes up, the primary will copy its config over to the secondary, and if that primary dies, everyone will still be able to get to the internal address? I'm still not clear about what happens to the internal address on the secondary after it becomes the primary. Is there a separate config that gets copied over that will overwrite the secondary's internal address to be the primary's internal address so users can still see it? The documentation that Cisco has about Pix/ASA configurations isn't clear about what's happening behind the scenes....that's the part that I need to know. &lt;SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 17:38:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419912#M734396</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-13T17:38:46Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419913#M734398</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm running active/standby on 2 ASAs now, and after you do the basic config for the primary, you input 1 or 2 commands into a factory default of the secondary and it tells you that it has found a mate and the config is copying. Once it's done there is nothing more that should be done.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the primary dies (depending on what specifically dies, ie power, line, etc.) it takes a few moments to flip the IPs around and then the secondary effectively becomes your primary. Once you get the new firewall, or just fix what the problem is, as long as it has those few lines specified for the secondary you did in the previous steps, it checks if there is a working primary and will then turn itself to secondary.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The switch should be completely seamless to users, other than the few moments of downtime while the secondary becomes active. No traffic should ever be going to the standby IPs or the device, other than the heartbeat &amp;amp; config. I've tested it by pulling the power out of the primary, unplugging interfaces, and it works very well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this answered some of your questions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Rus&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 18:26:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419913#M734398</guid>
      <dc:creator>rwoerner1</dc:creator>
      <dc:date>2010-04-13T18:26:01Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419914#M734400</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For your externally facing public addresses, did you assign a public address at all on the standby, or are you just using your failover link? I'm getting the impression that the config on the standby is invalid if it becomes the primary, i.e., the assigned internal address is the standby's own address until it goes primary and then that address is overwritten for the moment with the primary's address.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've seen configs that show two separate public addresses and two separate internal addresses, but I don't think I need the second public address on an interface at all. I just don't need to assign anything to eth0, but have eth1 as my lan and state failover, and eth2 as my lan interface. That should be it, hopefully. &lt;SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks!&lt;/P&gt;&lt;P&gt;John&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 18:52:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419914#M734400</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-13T18:52:39Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419915#M734403</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I did actually use a second public address for the standby ASA, but as it was mentioned before I don't think you need to. You can monitor whichever interfaces you want.&lt;/P&gt;&lt;PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"&gt;i.e., the assigned internal address is the standby's own address until it goes primary and then that address is overwritten for the moment with the primary's address.&lt;/PRE&gt;&lt;P&gt;This is true; after it goes primary, I'm pretty sure any reference to it being the original secondary is gone. It is your new primary.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I just wanted to mention I'm not doing stateful failover. I don't think it makes too much of a difference for the purpose of this thread, but I figured I should say so. I didn't catch that part in the beginning.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 20:00:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419915#M734403</guid>
      <dc:creator>rwoerner1</dc:creator>
      <dc:date>2010-04-13T20:00:59Z</dc:date>
    </item>
    <item>
      <title>Re: Active/Passive failover help</title>
      <link>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419916#M734405</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Works for me! &lt;SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"&gt;&lt;/SPAN&gt; I'll configure a public address on the secondary to be on the safe side.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks everyone!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 13 Apr 2010 21:11:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/active-passive-failover-help/m-p/1419916#M734405</guid>
      <dc:creator>John Blakley</dc:creator>
      <dc:date>2010-04-13T21:11:38Z</dc:date>
    </item>
  </channel>
</rss>

