05-10-2012 09:36 AM - edited 03-11-2019 04:05 PM
Trying to set up stateful failover with two ASA 5510s.
Here is what I have so far; tell me if this looks right. The IP addresses are set to 0.0.0.0 only for this discussion.
Config Primary Firewall:
config t
interface management 0/0
! no "ip address" on an interface used as a failover or state link; its address comes from "failover interface ip statelink" below
no ip address
exit
interface eth 0/0
ip address 0.0.0.0 255.255.255.224 standby 0.0.0.0
exit
interface eth 0/1
ip address 0.0.0.0 255.255.255.0 standby 0.0.0.0
exit
interface eth 0/2
ip address 0.0.0.0 255.255.255.248 standby 0.0.0.0
exit
interface eth 0/3
no ip address
exit
failover lan unit primary
failover lan interface failover eth 0/3
failover link statelink management 0/0
! do not enter "failover link" a second time with another interface: the later entry replaces the earlier one
failover lan enable
failover replication http
! failover mac address <physical interface> <active MAC> <standby MAC>
failover mac address eth 0/0 <fo mac eth 0 active> <fo mac eth 0 standby>
failover mac address eth 0/1 <fo mac eth 1 active> <fo mac eth 1 standby>
failover mac address eth 0/2 <fo mac eth 2 active> <fo mac eth 2 standby>
failover interface ip failover 0.0.0.0 255.255.255.252 standby 0.0.0.0
failover interface ip statelink 0.0.0.0 255.255.255.252 standby 0.0.0.0
failover
CONFIG OF SECONDARY (FAILOVER DEVICE)
config t
interface eth 0/3
no shut
exit
interface management 0/0
no shut
exit
failover lan unit secondary
failover lan interface failover eth 0/3
failover lan enable
failover interface ip failover 0.0.0.0 255.255.255.252 standby 0.0.0.0
failover
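The stanza above is easy to get subtly wrong: entering `failover link` twice replaces the first link rather than adding a second, and a separate state link needs its own `failover interface ip` or it never comes up. The following linter is an added example, not code from the thread or from Cisco; it parses the failover commands of a saved configuration (including sub-interface links such as `Ethernet0/3.2`) and reports those two problems plus active/standby addresses that do not share a subnet. The sample stanzas are constructed, with 10.255.0.0/30 and 10.255.0.4/30 standing in for the 0.0.0.0 placeholders of the post.

```python
"""Lint the failover stanza of an ASA configuration (added example, not from the thread)."""
import ipaddress
import re

RE_LAN_IF = re.compile(r"^failover lan interface (\S+) (\S+)$")
RE_LINK = re.compile(r"^failover link (\S+)(?: (\S+))?$")
RE_IP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
RE_UNIT = re.compile(r"^failover lan unit (primary|secondary)$")


def lint_failover(config: str) -> list[str]:
    """Return a list of findings; an empty list means the stanza is internally consistent."""
    findings = []
    lan_if = None   # (name, physical interface) of the LAN failover link
    links = []      # every `failover link` seen: (line number, name, physical interface)
    ips = {}        # failover interface name -> (line number, active, mask, standby)
    unit = None

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := RE_LAN_IF.match(line):
            lan_if = (m.group(1), m.group(2))
        elif m := RE_LINK.match(line):
            links.append((lineno, m.group(1), m.group(2)))
        elif m := RE_IP.match(line):
            ips[m.group(1)] = (lineno, m.group(2), m.group(3), m.group(4))
        elif m := RE_UNIT.match(line):
            unit = m.group(1)

    if unit is None:
        findings.append("missing 'failover lan unit primary|secondary'")
    if lan_if is None:
        findings.append("missing 'failover lan interface'")
        return findings
    lan_name = lan_if[0]
    if lan_name not in ips:
        findings.append(f"LAN failover interface '{lan_name}' has no 'failover interface ip'")

    if len(links) > 1:
        where = ", ".join(str(entry[0]) for entry in links)
        findings.append(
            f"'failover link' given {len(links)} times (lines {where}); only line {links[-1][0]} "
            f"takes effect, so the state link is '{links[-1][1]}', not '{links[0][1]}'"
        )
    if links:
        state_name = links[-1][1]
        # A state link that shares the LAN failover interface reuses its address;
        # a separate one needs its own `failover interface ip`.
        if state_name != lan_name and state_name not in ips:
            findings.append(f"state link '{state_name}' has no 'failover interface ip'")

    for name, (lineno, active, mask, standby) in ips.items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            findings.append(f"line {lineno}: standby {standby} for '{name}' is not in {net}")
    return findings


# Constructed sample modelled on the primary config posted above.
POSTED = """\
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link statelink Management0/0
failover replication http
failover link failover Ethernet0/3
failover interface ip failover 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover
"""

# Same stanza with the duplicate removed and the state link given its own /30.
FIXED = """\
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link statelink Management0/0
failover replication http
failover interface ip failover 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_failover(cfg) or "ok")
```

Run it against `show running-config failover` output copied from the box; because the check works on the saved text it does not care whether the commands were typed in that order or emitted by the ASA.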
05-10-2012 09:47 AM
Hi,
Looks OK; make sure you understand the pros and cons of enabling HTTP replication.
Mike
05-10-2012 09:54 AM
I am trying to make eth 0/3 the failover link and use management 0/0 for the stateful information. I wanted to replicate HTTP so that, in theory, remote users won't notice the change other than by refreshing their page. I was confused by the commands
failover lan interface failover eth 0/3
failover link statelink management 0/0
because it sounds like one is overriding the other. I read it as: eth 0/3 carries the command and device replication, and management 0/0 carries the stateful information, including HTTP.
Is this correct?
05-10-2012 10:01 AM
Yup that is correct.
Mike
05-16-2012 01:32 PM
The above commands work great aside from the commands for the management interface. I could not configure the stateful link; it kept giving me an error, so I gave up on it to finish the config. See the readout below (again, IPs changed to 0 for this discussion). Any suggestions?
asa5510# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:02:56 EDT May 10 2012
This host: Primary - Active
Active time: 516535 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside1 (0.0.0.0): Normal (Not-Monitored)
Interface inside1 (0.0.0.0): Normal
Interface outside2 (0.0.0.0): Normal (Not-Monitored)
Interface management (0.0.0.0): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 1574 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface outside1 (0.0.0.0): Normal (Not-Monitored)
Interface inside1 (0.0.0.0): Normal
Interface outside2 (0.0.0.0): Normal (Not-Monitored)
Interface management (0.0.0.0): Normal
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Unconfigured.
asa5510# wr mem
Building configuration...
Cryptochecksum: cbd18ba4 e9f555d7 401182a2 cc4a5f11
20547 bytes copied in 3.700 secs (6849 bytes/sec)
[OK]
asa5510#
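The readout above is the thing to check after any failover change, and the line that matters most is buried at the bottom: `Link : Unconfigured.` means no state link, so every TCP session (HTTP replication or not) is lost on failover. The parser below is an added example, not code from the thread or from Cisco; it reads `show failover` output into a structure and reports the conditions worth alerting on: failover off, no state link, a software mismatch between the units, a mate that is not `Standby Ready`, interfaces that are `Not-Monitored` (their failure cannot trigger a failover) and monitored interfaces that are not `Normal`. The sample output is constructed to match the post, with documentation addresses in place of 0.0.0.0.

```python
"""Parse and sanity-check ASA `show failover` output (added example, not from the thread)."""
import re

RE_FAILOVER = re.compile(r"^Failover (On|Off)$")
RE_VERSION = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
RE_HOST = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
RE_IFACE = re.compile(r"^Interface (\S+) \((\S+)\): (.+)$")
RE_LINK = re.compile(r"^Link : (.+?)\.?$")   # "Unconfigured." or "<name> <phy_if> (up)"


def parse_show_failover(text: str) -> dict:
    """Return failover state, software versions, per-host interface tables and the state link."""
    result = {"failover": None, "version": None, "state_link": None, "hosts": {}}
    current = None   # which host the following Interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_FAILOVER.match(line):
            result["failover"] = m.group(1)
        elif m := RE_VERSION.match(line):
            result["version"] = (m.group(1), m.group(2))
        elif m := RE_HOST.match(line):
            current = m.group(1).lower()
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
        elif (m := RE_IFACE.match(line)) and current:
            name, addr, rest = m.groups()
            result["hosts"][current]["interfaces"][name] = {
                "ip": addr,
                "state": rest.replace("(Not-Monitored)", "").strip(),
                "monitored": "(Not-Monitored)" not in rest,
            }
        elif m := RE_LINK.match(line):
            result["state_link"] = m.group(1)
    return result


def check_failover(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the pair looks healthy."""
    p = parse_show_failover(text)
    findings = []
    if p["failover"] != "On":
        findings.append("failover is not enabled")
    if p["state_link"] in (None, "Unconfigured"):
        findings.append("no stateful failover link: connection state is not replicated, sessions drop on failover")
    if p["version"] and p["version"][0] != p["version"][1]:
        findings.append(f"software mismatch: ours {p['version'][0]}, mate {p['version'][1]}")
    other = p["hosts"].get("other")
    if other is None:
        findings.append("mate not visible")
    elif other["state"] != "Standby Ready":
        findings.append(f"mate is '{other['state']}', not 'Standby Ready'")
    for which, host in p["hosts"].items():
        unmonitored = [n for n, i in host["interfaces"].items() if not i["monitored"]]
        if unmonitored:
            findings.append(f"{which} host: {', '.join(unmonitored)} not monitored; their failure cannot trigger failover")
        bad = [f"{n}={i['state']}" for n, i in host["interfaces"].items() if i["monitored"] and i["state"] != "Normal"]
        if bad:
            findings.append(f"{which} host: monitored interface(s) not Normal: {', '.join(bad)}")
    return findings


# Constructed sample modelled on the readout in the post above.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 16:02:56 EDT May 10 2012
        This host: Primary - Active
                Active time: 516535 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside1 (192.0.2.1): Normal (Not-Monitored)
                  Interface inside1 (10.1.1.1): Normal
                  Interface outside2 (198.51.100.1): Normal (Not-Monitored)
                  Interface management (10.255.1.1): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 1574 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface outside1 (192.0.2.2): Normal (Not-Monitored)
                  Interface inside1 (10.1.1.2): Normal
                  Interface outside2 (198.51.100.2): Normal (Not-Monitored)
                  Interface management (10.255.1.2): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

if __name__ == "__main__":
    for finding in check_failover(SHOW_FAILOVER):
        print("-", finding)
```

On the posted readout this reports three things: the missing state link and, on each unit, the two outside interfaces that are not monitored. The outside interfaces are unmonitored because they have no standby address in the post; the ASA only monitors interfaces it can exchange hellos on, so fixing that is what makes an upstream failure actually fail over.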
05-18-2012 01:16 AM
Why waste two interfaces when you can have the same stateful failover with only ONE interface, using sub-interfaces?
For example:
!
interface Ethernet0/3
description FAILOVER
!
interface Ethernet0/3.1
description LAN Failover Interface
vlan 490
!
interface Ethernet0/3.2
description STATE Failover Interface
vlan 491
!
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3.1
failover link STATE Ethernet0/3.2
failover interface ip FAILOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip STATE 192.168.254.5 255.255.255.252 standby 192.168.254.6
!
Obviously the VLAN IDs and IP addresses can be modified as needed.
Claudio
06-13-2012 12:14 PM
Is this config for a direct Ethernet cable between the firewalls or through a switch? I've got a similar config. I cannot figure out if it's a direct connection or through the switch. If it is through the switch, I would expect the two ports that connect to one device each to have a switchport access vlan 490, 491 config, but I am not seeing those VLANs on my switch. So I'm leaning more towards the ASA devices being directly connected, and somehow the VLANs are local to that connection only?
06-18-2012 12:15 AM
The connection can be either direct or through a switch; I have successfully tested both scenarios.
Obviously, if you go through a switch (one or MORE switches, if you need), you have to configure the ports connected to the ASA as
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 490,491
switchport mode trunk
Generally speaking, you don't need a switch between the ASAs if you can have a direct connection (and this is the BEST solution).
You have to use a switch ONLY if the ASAs are far away from each other and the only way to connect the failover ports is to share an existing connection (uplink, fiber, etc.).
Hoping to have been of some help
Claudio