07-03-2014 06:13 PM - edited 03-11-2019 09:25 PM
Hi Guys,
We have two Cisco 5525X ASA firewalls and they are in an Active/Standby failover cluster. At the moment each ASA is using Gig 0/3 plugged into a 6509 switch as part of the failover link. Each ASA is at a different data centre. I need to add another physical interface, Gig 0/4, in the ASAs and have it part of the failover alongside the existing Gig 0/3 interface. I have been reading about configuring redundant links and adding the two physical interfaces as part of a redundant group. Can someone let me know how to configure two physical interfaces as a redundant group and have them part of the failover between the two ASAs?
See below existing config for our failover:
Primary ASA
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover mac address GigabitEthernet0/0 001b.54f7.1a2b 001b.54f7.2a2b
failover mac address GigabitEthernet1/0 001b.54f7.3a2d 001b.54f7.4a2d
failover mac address GigabitEthernet1/1 001b.54f7.4a2e 001b.54f7.5a2e
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
Secondary ASA
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover mac address GigabitEthernet0/0 001b.54f7.1a2b 001b.54f7.2a2b
failover mac address GigabitEthernet1/0 001b.54f7.3a2d 001b.54f7.4a2d
failover mac address GigabitEthernet1/1 001b.54f7.4a2e 001b.54f7.5a2e
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
Cheers,
Ross.
07-03-2014 11:37 PM
Hi Ross,
If you want LAN and stateful failover then you can use something like the below. One interface will be for the failover of the LAN part and the other one will be for the stateful failover, for uninterrupted return traffic.
interface GigabitEthernet0/2
description STATE Failover Interface
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
failover
failover lan unit primary or secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link stateful GigabitEthernet0/2
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
Regards
Karthik
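A worked configuration for the redundant-group part of Ross's question (an added example, not code from either post): Gi0/3 and Gi0/4 are bundled into one redundant interface that becomes the LAN and state failover link, reusing the 10.10.10.0/30 addresses from the original config. It assumes ASA 8.4 or later, that neither member interface has a nameif, that the same redundant interface is built on the secondary unit (with failover lan unit secondary) before failover is re-enabled, and <shared-secret> is a placeholder for a key you choose.

```text
! Primary unit. Disable failover first: a member interface cannot
! already be in use as the failover link.
no failover
no failover lan interface failover GigabitEthernet0/3
!
! Member interfaces must carry no nameif / IP of their own.
interface GigabitEthernet0/3
 no nameif
 no shutdown
!
interface GigabitEthernet0/4
 no nameif
 no shutdown
!
! Redundant group: first member added becomes the active link,
! the second takes over only if the first goes down.
interface redundant 1
 description Redundant LAN/state failover link (Gi0/3 + Gi0/4)
 member-interface GigabitEthernet0/3
 member-interface GigabitEthernet0/4
 no shutdown
!
! Point both the LAN failover link and the state link at the group
! and keep the existing /30 addressing. The failover key encrypts
! and authenticates the hello and state traffic on this link.
failover lan unit primary
failover lan interface failover Redundant1
failover key <shared-secret>
failover link failover Redundant1
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
! (keep the existing "failover mac address ..." lines unchanged)
failover
!
! Checks after both units are configured:
! show interface redundant 1   -> shows which member is active
! show failover                -> link "up", peer state Standby Ready
```

Only one member of a redundant interface carries traffic at a time, so this protects against a single link or port failure but does not add bandwidth between the two data centres.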
07-03-2014 11:50 PM
So with the config you provided, will the failover link stateful Gig 0/2 be a backup link for the ASA cluster failover?
Thanks,
Ross.
07-04-2014 12:14 AM
Hi Ross,
If you have regular/LAN failover alone configured in your firewall, it waits for the idle time and then becomes the active firewall, but it doesn't have any information on the active connections going through the firewall. If you have stateful failover configured, the active unit replicates the state connection table of every connection to the standby unit, so when failover happens there will be no interruption for the active connections in most cases.
LAN failover will take care of the new connections that flow through the other firewall in case of failover, and stateful failover will take care of the active connections that were going through the primary; if failover happens, it still continues to allow the active connections through the secondary unit, which is active during failover.
The security appliance supports two types of failover, regular and stateful.
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database
The information that is not passed to the standby unit when stateful failover is enabled includes these:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for security service modules
Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.
Regards
Karthik