Active Active ASA design questions

mahesh18 (Level 6)

Hi Everyone,

Need to confirm few things when ASA is in Multicontext mode and Active Active failover.

1> If we do not put any time value in preempt, does this mean that the other ASA will take over if it is active for that group immediately?

Normally, if we put a time of say 120 secs, then the ASA has to wait for 120 secs before it becomes active for that group?

2> Commands like dir or sh flash only work when we are in system config, right?

I tried these commands in context mode and they do not work.

3> When I do sh failover in context mode and in the system context, it shows the interfaces in the context and all the interfaces are shown as not monitored. Is this ok?

So does it mean that it only monitors the LAN failover interface by default?

4> Is it possible to use a single physical interface for LAN and stateful failover?

Thanks

Mahesh

Jouni Forss (VIP Alumni)

Hi Mahesh,

1.) To my understanding, without the time value the "preempt" configuration means that the Active role will automatically be switched to the unit that is configured to be primary for that failover group once that unit has recovered from whatever caused the failover. I use a time value with the "preempt" command.

2.) This makes sense, as you set the whole device's software and ASDM software images in the System Context for the whole ASA device. It would be pretty nice to be able to have virtual firewalls at several software levels, though.

3.) To my understanding, if you are using a physical interface in a failover setup without any subinterfaces, then it should be automatically monitored for the failover. Otherwise you will have to use the "monitor-interface" command to enable monitoring of the interfaces you want to monitor. This is done inside each Security Context.

To my understanding, the number of monitored interfaces depends on the type of interface configuration you have. If all interfaces are trunks, then I would imagine that only the failover interface is monitored, unless of course you use the "monitor-interface" command.

4.) Should be no problem. Here is one example configuration:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover key *****
failover replication http
failover link failover GigabitEthernet0/7
failover interface ip failover x.x.x.x 255.255.255.252 standby y.y.y.y

Hope this helps

- Jouni

Hi Jouni,

For question 3:

We are using a physical interface for failover; it seems that's why we are not monitoring any other interfaces.

For question 4:

I checked; it is possible to use the same interface for LAN and stateful failover.

Also, is it ok if both LAN and stateful failover have the same physical link and the same name?

Thanks

Mahesh

Hi,

3.) It might be an oversight when the failover was originally configured. I mean, I remember configuring my first few failovers without knowing anything about the fact that by default logical interfaces are not monitored without the "monitor-interface" configuration. So it might just be that when it was originally configured, the fact that logical interfaces are not monitored by default was missed by the configuring engineer.

Though, in some cases it might be ok to leave some interface unmonitored. You might have some interface that isn't actively participating in the network all the time, and therefore it going down shouldn't cause a failover to trigger.

4.) I think the interfaces have to be named the same if you are using the same physical interface.

There was actually a post about this today. Check the correct reply in this thread:

https://supportforums.cisco.com/thread/2219186?tstart=0

Hope this helps

- Jouni
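As an added example (not code from this thread, from Mahesh, Jouni or Cisco), the following Python script turns both of Jouni's points into checks an engineer can run against captured text: it reads `show failover` output and lists, per security context, the interfaces reported as Not-Monitored, generating the per-context `monitor-interface` commands that would enable monitoring (point 3), and it reads the failover configuration lines to confirm that when one physical interface carries both the LAN failover link and the stateful link, both use the same logical name (point 4). The `show failover` text and the configuration are constructed samples that only approximate the ASA output layout, and the regular expressions are assumptions that should be checked against a capture from the actual software version before relying on them.

```python
"""Audit helpers for a multi-context ASA active/active failover pair.

Added example; the sample texts are constructed and only approximate the
real `show failover` layout, so the regexes are assumptions to verify
against a capture from the ASA version in use.
"""
import re

# Constructed sample of `show failover` on a multi-context unit (not a
# capture from the poster's device); addresses are RFC 5737 ranges.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
  This host:    Primary
    Group 1   State:  Active
    admin Interface outside (198.51.100.1): Normal (Monitored)
    admin Interface inside (192.0.2.1): Normal (Not-Monitored)
    ctx1 Interface dmz (203.0.113.1): Normal (Not-Monitored)
    ctx1 Interface users (192.0.2.129): Normal (Not-Monitored)
  Other host:   Secondary
    Group 1   State:  Standby Ready
    admin Interface outside (198.51.100.2): Normal (Monitored)
"""

# "<context> Interface <name> (<ip>): <state> (Monitored|Not-Monitored|Waiting)"
IFACE_RE = re.compile(
    r"^\s*(\S+) Interface (\S+) \([^)]*\): .*?\((Monitored|Not-Monitored|Waiting)\)\s*$")


def parse_monitoring(show_failover_text):
    """Return {context: {interface: status}} for the local unit's section."""
    result = {}
    in_this_host = False
    for line in show_failover_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("This host:"):
            in_this_host = True
            continue
        if stripped.startswith("Other host:"):
            in_this_host = False
            continue
        m = IFACE_RE.match(line) if in_this_host else None
        if m:
            ctx, iface, status = m.groups()
            result.setdefault(ctx, {})[iface] = status
    return result


def unmonitored(show_failover_text):
    """Map context -> sorted interfaces reported Not-Monitored (contexts with none are omitted)."""
    mon = parse_monitoring(show_failover_text)
    return {ctx: sorted(i for i, s in ifs.items() if s == "Not-Monitored")
            for ctx, ifs in mon.items() if "Not-Monitored" in ifs.values()}


def monitor_commands(show_failover_text):
    """Build `monitor-interface` commands, entered inside each context after `changeto context`."""
    cmds = []
    for ctx, ifaces in sorted(unmonitored(show_failover_text).items()):
        cmds += [f"changeto context {ctx}", "configure terminal"]
        cmds += [f"monitor-interface {i}" for i in ifaces]
        cmds.append("end")
    return cmds


# Constructed configuration in the same shape as Jouni's snippet above.
SAMPLE_FAILOVER_CONFIG = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover key *****
failover replication http
failover link failover GigabitEthernet0/7
failover interface ip failover 192.0.2.249 255.255.255.252 standby 192.0.2.250
"""

LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)\s*$")
LINK_RE = re.compile(r"^failover link (\S+)(?: (\S+))?\s*$")  # physical part is optional


def shared_failover_link_ok(config_text):
    """Return (ok, reason): a stateful link sharing the LAN link's physical
    interface (or omitting the physical interface) must reuse its logical name."""
    lan = link = None
    for line in config_text.splitlines():
        m = LAN_RE.match(line)
        if m:
            lan = m.groups()
        m = LINK_RE.match(line)
        if m:
            link = m.groups()
    if lan is None:
        return False, "no 'failover lan interface' line found"
    if link is None:
        return True, "no stateful link configured"
    lan_name, lan_phys = lan
    link_name, link_phys = link
    if link_phys is None or link_phys == lan_phys:
        if link_name != lan_name:
            return False, f"shared {lan_phys} but names differ: {lan_name!r} vs {link_name!r}"
        return True, f"LAN and stateful failover share {lan_phys} as {lan_name!r}"
    return True, f"stateful link on separate interface {link_phys}"


if __name__ == "__main__":
    print("\n".join(monitor_commands(SAMPLE_SHOW_FAILOVER)))
    print(shared_failover_link_ok(SAMPLE_FAILOVER_CONFIG))
```

Only the "This host" section is parsed, since the peer's view of the same interfaces would otherwise be merged in; review the generated `monitor-interface` list before applying it, because, as Jouni notes, some interfaces are deliberately left unmonitored so that their going down does not trigger a failover.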

Hi Jouni,

You answered all my questions.

Best Regards

Mahesh
