Accepted Solutions
Hello Poiu,
The one link you have there is specific for Multiple context mode and Active/Active Failover, that is not what you are looking for as you want to cover Multiple context with Active/Standby mode....
So I took some time to build a Active/Standby lab for you
So here is the Scenario
So as You can see we have 2 contexts:
The Administration and Ventas Contexts ( Those will be the user created ones)
Ofcourse by default we will have the Admin and System contexts
Now, I will share the outside interface ( Just one link going to the ISP R1) to both the Administration and Ventas Contexts .
The Administration context will use the 123.1.1.1-2/27 While the Ventas context will use the 123.1.1.7-8/27
So, How Do I configure Active/Standby On this scenario:
Let's go first to ASA 1:
SYSTEM CONTEXT CONFIGURATION
interface GigabitEthernet0
no shut
!
interface GigabitEthernet1
no shut
!
interface GigabitEthernet2
no shut
description LAN/STATE Failover Interface
!
interface GigabitEthernet3
no shut
!
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
context Administration
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet1 Inside
config-url disk0:/Administration.cfg
!
context Ventas
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet3 Inside
config-url disk0:/ventas.cfg
So that is all the configuration for the System context on ASA 1, As you can see the Failover setup is done on the System context...
Let's go to the Administration context to see what we have done to make this work:
ADMINISTRATION CONTEXT ON ASA1
interface Inside
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
!
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.1 255.255.255.224 standby 123.1.1.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
Any relevant configuration on this specific context for failover??? ONLY THE STANDBY IP ADDRESS
Finally let's move to the Ventas Context
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.7 255.255.255.224 standby 123.1.1.8
!
interface Inside
nameif INSIDE
security-level 100
ip address 192.168.13.1 255.255.255.0 standby 192.168.13.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
So, same thing right easy stuff so far...
So now that we have ASA1 configured we are going to move forward to ASA2 and configured it for failover,
What needs to be done on ASA2 to make failover work??:
Only the system failover configuration:
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
interface gig 2
no shut
And that's it....... Failover on multiple context active/standby is done, the replication will start from the active (primary) to the secondary unit)
ASA1# sh fai
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 22:54:48 UTC Mar 10 2013
This host: Primary - Active
Active time: 1166 (sec)
Administration Interface inside (192.168.12.1): Normal (Monitored)
Administration Interface outside (123.1.1.1): Normal (Monitored)
Ventas Interface outside (123.1.1.7): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 25 (sec)
Administration Interface inside (192.168.12.2): Normal (Monitored)
Administration Interface outside (123.1.1.2): Normal (Monitored)
Ventas Interface outside (123.1.1.8): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.2): Normal (Monitored)
So what are the key points here:
1) All the failover setup is done on the system context, the only setup on each of the contexts is the IP address with the standby keyword
2) There is no need to use the Join command, that is use for active/active as each unit will be able to be active for one context and standby for the other context.
3) On active/stanby in multiple context each unit has to be the active of all of the context it's support or the secondary... We cannot set it to be active for one and stanby for the other ( That is the whole purpose of ACTIVE/ACTIVE)
And that's it.
Julio Carvajal
Advanced Security Trainer.
Hello Poiu,
The one link you have there is specific for Multiple context mode and Active/Active Failover, that is not what you are looking for as you want to cover Multiple context with Active/Standby mode....
So I took some time to build a Active/Standby lab for you
So here is the Scenario
So as You can see we have 2 contexts:
The Administration and Ventas Contexts ( Those will be the user created ones)
Ofcourse by default we will have the Admin and System contexts
Now, I will share the outside interface ( Just one link going to the ISP R1) to both the Administration and Ventas Contexts .
The Administration context will use the 123.1.1.1-2/27 While the Ventas context will use the 123.1.1.7-8/27
So, How Do I configure Active/Standby On this scenario:
Let's go first to ASA 1:
SYSTEM CONTEXT CONFIGURATION
interface GigabitEthernet0
no shut
!
interface GigabitEthernet1
no shut
!
interface GigabitEthernet2
no shut
description LAN/STATE Failover Interface
!
interface GigabitEthernet3
no shut
!
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
context Administration
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet1 Inside
config-url disk0:/Administration.cfg
!
context Ventas
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet3 Inside
config-url disk0:/ventas.cfg
So that is all the configuration for the System context on ASA 1, As you can see the Failover setup is done on the System context...
Let's go to the Administration context to see what we have done to make this work:
ADMINISTRATION CONTEXT ON ASA1
interface Inside
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
!
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.1 255.255.255.224 standby 123.1.1.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
Any relevant configuration on this specific context for failover??? ONLY THE STANDBY IP ADDRESS
Finally let's move to the Ventas Context
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.7 255.255.255.224 standby 123.1.1.8
!
interface Inside
nameif INSIDE
security-level 100
ip address 192.168.13.1 255.255.255.0 standby 192.168.13.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
So, same thing right easy stuff so far...
So now that we have ASA1 configured we are going to move forward to ASA2 and configured it for failover,
What needs to be done on ASA2 to make failover work??:
Only the system failover configuration:
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
interface gig 2
no shut
And that's it....... Failover on multiple context active/standby is done, the replication will start from the active (primary) to the secondary unit)
ASA1# sh fai
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 22:54:48 UTC Mar 10 2013
This host: Primary - Active
Active time: 1166 (sec)
Administration Interface inside (192.168.12.1): Normal (Monitored)
Administration Interface outside (123.1.1.1): Normal (Monitored)
Ventas Interface outside (123.1.1.7): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 25 (sec)
Administration Interface inside (192.168.12.2): Normal (Monitored)
Administration Interface outside (123.1.1.2): Normal (Monitored)
Ventas Interface outside (123.1.1.8): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.2): Normal (Monitored)
So what are the key points here:
1) All the failover setup is done on the system context, the only setup on each of the contexts is the IP address with the standby keyword
2) There is no need to use the Join command, that is use for active/active as each unit will be able to be active for one context and standby for the other context.
3) On active/stanby in multiple context each unit has to be the active of all of the context it's support or the secondary... We cannot set it to be active for one and stanby for the other ( That is the whole purpose of ACTIVE/ACTIVE)
And that's it.
Julio Carvajal
Advanced Security Trainer.
