Preliminary Remarks: This text is a summary of an ASA admin beginner, who was confronted with the following Problem
HowTo change Failoverlink on ASA from indirectly(using external switch) to directly connected using ports located on SSP and IPS SSP
This summary is based on many helpful hints posted in this community !
We are having a pair of Cisco ASA 5585-X running on 9.10(1)40 . Both Appliances are equipped with
1 Security Service Processor-60 (ASA-SSP-60) located in Slot 0
1 IPS Security Service Processor-60 (ASA-SSP-IPS60) located in Slot 1
Note: IPS module is not in use !
Security context mode is multiple
Firewall mode is Router
Failover mode is Active/Active
Initial Topology: Failoverlink with two 1GigE copper Ports(Port-channel located on SSP-60 using intermediate switches
On both Appliances we are using two 1GigE copper Ports Gig0/4 and Gig0/5 located on SSP-60 as our failover+stateful link
bundled as Port-channel(Po 8). We are using two intermediate switches (Switch 1 and Switch 2) connected between the ASA Units
for the Fail-over interfaces.
Primary Unit -------- Po 8 --------- Switch 1 --------- Switch 2 -------- Po 8 -------- Secondary Unit
ASA 5585-X ASA 5585-X
Target topology: Failoverlink directly connected via two fibre optic 10GigE Ports (Port-channel 10) located on SSP-60 and IPS SSP
We need 6 10GigE fibre optic ports; two for inside, two for outside and two for failover+stateful link; SSP 60 has only 4 TenGigE fibre optic ports
IPS SSP the same; we dont use the IPS SSP and the question was
Can Traffic ports located on the IPS SSP be used as additional firewall interfaces which are allowed to use them as failover interfaces ?
Exception from Cisco Documentation:
The IPS module runs a separate application from the ASA. The IPS module might include an external management interface so you can connect to the IPS module directly; if it does not have a management interface, you can connect to the IPS module through the ASA interface. Any other interfaces on the IPS module, if available for your model, are used for ASA traffic only.
The ASA SSP resides in slot 0 (bottom). A second SSP (or network module) can be installed in slot 1 (top). When you install a non-ASA SSP in slot 1, all non-management interfaces belong to the ASA in slot 0, while the management interfaces belong to the module. If you install dual ASA SSPs, then they are completely independent systems.
Answer is YES
Before doing anything:
1) Check if Console connection to Primary and Secondary Unit works
2) Check if Fallback Login with local Account works on Primary and Secondary
in our case the first test was unsuccessful; we had to change our configuration see below
On Primary (admin context) check:
ASA/pri/act# changeto context admin
ASA/pri/act/admin# sh run aaa-serv
aaa-server uklantacacs protocol tacacs+
aaa-server TACACS+ protocol tacacs+
reactivation-mode timed
aaa-server TACACS+ (inside) host xx.xx.xx.xx
key *****
aaa-server TACACS+ (inside) host xx.xx.xx.xx
key *****
ASA/pri/act/admin# conf t
ASA/pri/act/admin(config)# aaa-server TACACS+ protocol tacacs+
ASA/pri/act/admin(config-aaa-server-group)# no reactivation-mode timed
ASA/pri/act/admin(config-aaa-server-group)# reactivation-mode depletion deadtime 10
ASA/pri/act/admin(config-aaa-server-group)# end
ASA/pri/act/admin# changeto context admin
ASA/pri/act/admin# sh run all aaa-serv
aaa-server uklantacacs protocol tacacs+
accounting-mode single
reactivation-mode depletion deadtime 10
max-failed-attempts 3
aaa-server TACACS+ protocol tacacs+
accounting-mode single
reactivation-mode depletion deadtime 10
max-failed-attempts 3
aaa-server TACACS+ (inside) host xx.xx.xx.xx
timeout 10
key *****
Note: In our case we are using Port-channel 5 for inside on Secondary connected to Switch 2 and Port-Channel 5 for inside on Primary connected to Switch 1.
We have tested the functionality of Local Fallback Account on Secondary in order to avoid user impact; Secondary is Standby for both failover groups 1 and 2. We disabled Po 5 (inside) on Switch 2 in order to disconnect Secondary from our TACACS Servers and tried to login successfully with local Account.
3) Save initial configuration to disk0: (same like copy run start on Cisco Routers or Switches)
On Primary(system context) write mem all
Note: Using write mem all Configuration of all existing contexts are saved on both appliances Primary AND Secondary on disk0:
4) save initial configuration on usb-stick (disk1:) (optional)
first attempt was without success; USB-stick was inserted and not detected
Note: Cisco ASA5585-X support external USB as disk1; when inserted usb-stick is not detected during normal operation; usb-stick is detected only if inserted after Reboot of appliance
5)take a backup of the firewall. Save initial configuration on i.e. tftp-server
ASA/pri/act# copy disk0:contextname.cfg tftp://xx.xx.xx.xx/config/contextname.cfg
5) In order to avoid confusion, make sure on which ASA(Primary or Secondary), in which context, active or passive Unit you are working !
For Beginners, the situation is a little bit confusing; you have admin, system and usercontexts; each context may be active or passive on Primary exclusiveor Secondary; changes must be done in active context; system context is changed on Primary and synchronized to Secondary. If you connect via Console you are automatically in system context; if you connect via i.e. ssh you are automatically connected to admin context.
ASA# conf t
ASA(config)# prompt hostname ?
Configure mode commands / options: context Display the context in the session prompt (multimode only) domain Display the domain in the session prompt priority Display the priority in the session prompt state Display the traffic passing state in the session prompt ASA(config)# prompt hostname priority state context
ASA/pri/act (config)# end
ASA/pri/act# changeto context A
ASA/pri/act/A#
6) Move all Usercontexts to Primary ; Secondary becomes standby for both failover groups 1 and 2
In our case Usercontexts associated to failover group 2 were initially active on Secondary, usercontexts associated to failovergroup 1 were active on Primary
ASA/pri/act# sh failover | in Group|host
Group 1 last failover at: 06:04:11 CEST Nov 11 2020
Group 2 last failover at: 06:35:37 CEST Nov 11 2020
This host: Primary
Group 1 State: Active
Group 2 State: Standby Ready
Other host: Secondary
Group 1 State: Standby Ready
Group 2 State: Active
Force failover group 2 to be active on Primary by using following command
On Primary (system context) failover active group 2
alternative is
On Secondary (system context) failover active group 2
Note: moving contexts between Primary and Secondary may result in little packet loss (user impact) !
7) Patch new Failoverlink fibre optics on Secondary and Primary; test new link and shutdown new Port-channel (in our case Po10) on Primary and Secondary
Note: When you use a redundant or EtherChannel interface as a failover link, it must be pre-configured on both units in the failover pair; you cannot
configure it on the primary unit and expect it to replicate to the secondary unit because the failover link itself is required for replication.
Be aware that all configuration changes must be done in system context !
Use Console for doing changes !
Step by Step:
! Get a maintenance window.
Duration time step 1. to 8. about 20 minutes; no user impact
1. disconnect Secondary from Network either unplug the cables from the firewall or in our case disable all Ports on Switch 2 connecting to Secondary
Note: Disconnecting from Network results in Secondary changes from standby to active mode
2. On Secondary(system context) - disable failover with command no failover
3. On Secondary(system context) - disable old Port-Channel and its associated physical interfaces with shutdown
4. On Secondary(system context) - Change Failoverlink in configuration from old Port-Channel Po 8 to new Port-channel Po10
5. On Secondary(system context) - enable failover on Secondary with command failover
6. On Secondary(system context) - enable new Port-Channel and its associated physical interfaces with no shutdown
7. On Secondary(system context) - Save new configuration write mem
8. power off the secondary firewall
Do not disconnect Primary from Network ! Continue with change on Primary !
9. On Primary(system context) - disable failover with command no failover
10. On Primary(system context) - disable old Port-Channel and its associated physical interfaces with shutdown
11. On Primary(system context) - Change Failoverlink in configuration from old Port-Channel Po 8 to new Port-channel Po10
12. On Primary(system context) - enable failover on Secondary with command failover
13. On Primary(system context) - enable new Port-Channel and its associated physical interfaces with no shutdown
14. power on the secondary firewall (it will take 7 to 10 minutes to power up the unit)
Note: as soon as the standby firewall bootup and new failoverlink is seen by both Secondary and Primary you get a message on Secondary
Console Screen "Detected an Active mate" The statement implies that Secondary detects Primary as Active Mate(new failoverlink works) and goes into Standby mode.
Now replication will start from Primary to Secondary. you will see a messge on the Active firewall "Beginning configuration replication: Sending to mate" . On the standby firewall you will see the message "Beginning configuration replication from mate".
When replication is finished you get a message on Active "End Configuration Replication to mate" and standby firewall "End configuration replication from mate"
15. On Primary(system context) - check failover status command "ASA/pri/act# show failover | in Group|host" it will show you both unit see each other and both failovergroups are active on Primary and Standby on Secondary
16. continue with your normal netowk tests
17. Save configuration change on Primary
Duration time step from 9. up to 17. about 20 minutes; no user impact
