03-09-2013 01:53 PM - edited 03-11-2019 06:12 PM
Hello,
I need to configure multiple context mode with an active/standby failover solution.
Even after reading some Cisco documents I still can't understand whether the active/standby failover configuration has to be done within the admin context only, or also within every single context (context-1, context-2 for example). In that case I would have to allocate a subinterface as the failover interface for each context (admin, context-1, context-2), right?
Therefore I have another question: within the admin context, in a failover solution, do I have to allocate all the interfaces I want to be monitored, even though some will be used by context-1 only and some others will be used by context-2 only?
Another question is: if the active/standby failover configuration has to be done within each context, can I set regular failover within context-1 while using stateful failover within context-2?
The last question is: can I use the management interface within all 3 contexts?
Is there any configuration example, because I couldn't find one.
Thanks for your support!
Jay
03-10-2013 02:06 PM
Hello Poiu,
The link you have there is specific to multiple context mode with Active/Active failover; that is not what you are looking for, as you want to cover multiple context mode with Active/Standby failover.
So I took some time to build an Active/Standby lab for you.
So here is the scenario.
As you can see, we have 2 contexts:
The Administration and Ventas contexts (those will be the user-created ones).
Of course, by default we will have the Admin and System contexts.
Now, I will share the outside interface (just one link going to the ISP R1) between both the Administration and Ventas contexts.
The Administration context will use 123.1.1.1-2/27, while the Ventas context will use 123.1.1.7-8/27.
So, how do I configure Active/Standby in this scenario?
Let's go first to ASA 1:
SYSTEM CONTEXT CONFIGURATION
interface GigabitEthernet0
no shut
!
interface GigabitEthernet1
no shut
!
interface GigabitEthernet2
no shut
description LAN/STATE Failover Interface
!
interface GigabitEthernet3
no shut
!
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
context Administration
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet1 Inside
config-url disk0:/Administration.cfg
!
context Ventas
allocate-interface GigabitEthernet0 OUTSIDE
allocate-interface GigabitEthernet3 Inside
config-url disk0:/ventas.cfg
So that is all the configuration for the System context on ASA 1. As you can see, the failover setup is done in the System context...
Let's go to the Administration context to see what we have done to make this work:
ADMINISTRATION CONTEXT ON ASA1
interface Inside
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
!
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.1 255.255.255.224 standby 123.1.1.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
Any relevant configuration on this specific context for failover??? ONLY THE STANDBY IP ADDRESS.
Finally, let's move to the Ventas context:
interface OUTSIDE
nameif outside
security-level 0
ip address 123.1.1.7 255.255.255.224 standby 123.1.1.8
!
interface Inside
nameif INSIDE
security-level 100
ip address 192.168.13.1 255.255.255.0 standby 192.168.13.2
route outside 0.0.0.0 0.0.0.0 123.1.1.3 1
So, same thing, right? Easy stuff so far...
So now that we have ASA1 configured, we are going to move on to ASA2 and configure it for failover.
What needs to be done on ASA2 to make failover work?
Only the system failover configuration:
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet2
failover key *****
failover link Failover GigabitEthernet2
failover interface ip Failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
interface gig 2
no shut
And that's it... Failover on multiple context active/standby is done; the replication will start from the active (primary) unit to the secondary unit.
ASA1# sh fai
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 22:54:48 UTC Mar 10 2013
This host: Primary - Active
Active time: 1166 (sec)
Administration Interface inside (192.168.12.1): Normal (Monitored)
Administration Interface outside (123.1.1.1): Normal (Monitored)
Ventas Interface outside (123.1.1.7): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 25 (sec)
Administration Interface inside (192.168.12.2): Normal (Monitored)
Administration Interface outside (123.1.1.2): Normal (Monitored)
Ventas Interface outside (123.1.1.8): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.2): Normal (Monitored)
So what are the key points here?
1) All the failover setup is done in the system context; the only setup in each of the contexts is the IP address with the standby keyword.
2) There is no need to use the join command; that is used for active/active, where each unit can be active for one context and standby for the other context.
3) In active/standby with multiple contexts, each unit has to be either the active unit for all of the contexts it supports or the standby unit for all of them... We cannot set it to be active for one and standby for the other (that is the whole purpose of ACTIVE/ACTIVE).
And that's it.
Julio Carvajal
Advanced Security Trainer.
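An added example, not part of the thread and not Cisco code: a small Python parser for the `show failover` output above that turns the per-interface lines into records and flags anything that is not `Normal (Monitored)` or any software mismatch between the two units. The sample text is the output posted above, copied as a constructed string; the interpretation of `Waiting` (interface is up but no hello has yet been received from the peer on that interface) comes from the ASA command reference, and the field layout assumed is the one shown in that output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show failover" output posted above, verbatim.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 22:54:48 UTC Mar 10 2013
This host: Primary - Active
Active time: 1166 (sec)
Administration Interface inside (192.168.12.1): Normal (Monitored)
Administration Interface outside (123.1.1.1): Normal (Monitored)
Ventas Interface outside (123.1.1.7): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.1): Normal (Waiting)
Other host: Secondary - Standby
Active time: 25 (sec)
Administration Interface inside (192.168.12.2): Normal (Monitored)
Administration Interface outside (123.1.1.2): Normal (Monitored)
Ventas Interface outside (123.1.1.8): Normal (Monitored)
Ventas Interface INSIDE (192.168.13.2): Normal (Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
# "<context> Interface <nameif> (<ip>): <state> (<monitor-status>)"
IFACE_RE = re.compile(r"^(\S+) Interface (\S+) \(([\d.]+)\): ([\w ]+?) \(([\w-]+)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


@dataclass
class IfaceStatus:
    host: str      # "This" or "Other"
    role: str      # Active / Standby
    context: str
    name: str
    ip: str
    state: str     # Normal, Failed, ...
    monitor: str   # Monitored, Waiting, Not-Monitored, ...


def parse_show_failover(text):
    """Return (failover_on, (ours, mate) version pair, list of IfaceStatus)."""
    failover_on, version, host, role, ifaces = False, None, None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line == "Failover On":
            failover_on = True
            continue
        m = VERSION_RE.match(line)
        if m:
            version = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            host, role = m.group(1), m.group(3)   # interface lines follow this header
            continue
        m = IFACE_RE.match(line)
        if m and host:
            ifaces.append(IfaceStatus(host, role, *m.groups()))
    return failover_on, version, ifaces


def audit(text):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    failover_on, version, ifaces = parse_show_failover(text)
    findings = []
    if not failover_on:
        findings.append("failover is not enabled")
    if version and version[0] != version[1]:
        findings.append(f"software mismatch: ours {version[0]}, mate {version[1]}")
    for i in ifaces:
        where = f"{i.host} host/{i.context}/{i.name} ({i.ip})"
        if i.state != "Normal":
            findings.append(f"{where} state {i.state}")
        elif i.monitor != "Monitored":
            # "Waiting": link is up but no failover hello seen from the peer yet
            findings.append(f"{where} is {i.monitor}, not Monitored")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SHOW_FAILOVER):
        print(f)
```

Run against the posted output it reports only the Ventas INSIDE interface on the primary, which was still in `Waiting`; on a live pair the same check, fed from `show failover` on a schedule, gives an early warning that an interface would not trigger a switchover.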
03-09-2013 03:09 PM
Hi,
In multiple context mode the failover configuration is done in the System context, where you configure interfaces and contexts. So not under any particular context.
You should be able to share the Management interface between the contexts.
By default, physical interfaces are monitored by failover, whereas subinterfaces are not monitored by default.
- Jouni
03-10-2013 06:39 AM
OK, I see that the failover configuration has to be done in the System context. However, it is not easy for me to understand how I can assign a certain context to failover.
03-10-2013 07:03 AM
I've found the following document regarding context join failover group (assuming group1 is for active unit and group 2 is for standby unit)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
03-11-2013 01:36 PM
WOW! Thanks, the configuration is really self-explanatory. Let me add two more questions please:
1. If I only want the Ventas context to be in active/standby mode but not the Administration context (meaning the Administration context will be configured only on ASA1), do I just have to configure the IP address on the Administration context without a standby IP?
2. I need both the Ventas context and the Administration context to have a management interface, so I suppose I need to create management0/0.2 and management0/0.3. Do I have to configure management0/0.1 in the System context or in the Admin context (the Admin context which is created by default, if I understand correctly)?
03-12-2013 06:13 PM
Hello,
1) Exactly, and from the system context you will need to say no monitor interface gig whatever is assigned to the context where there is no failover.
2) Yes, you can. As I did with the outside, same thing here.
Regards,
Remember to share all of the helpful posts
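An added example, not from the thread and not Cisco code, for the two points made in this thread about interface monitoring: a context that runs on one unit only must have its interfaces excluded from monitoring (there is no standby address to check), and, as noted earlier in the thread, subinterfaces are not monitored by default while physical interfaces are. The script below reads the `context`/`allocate-interface` blocks from a system configuration and each context's `interface`/`nameif`/`ip address ... standby` lines, and reports interfaces whose monitoring state and standby address disagree. Assumptions: the `monitor-interface` / `no monitor-interface` line is looked for in the context's own configuration text; `allocate-interface` ranges are not handled; the contexts Administration and Ventas are copied from the accepted answer, and the third context "Lab" is hypothetical, constructed here to exercise the failing cases.

```python
import re

# Constructed sample system config: Administration and Ventas as posted above,
# plus a hypothetical "Lab" context (not from the thread) with a subinterface,
# a deliberately unmonitored single-unit interface, and one that was forgotten.
SYSTEM_CFG = """\
context Administration
 allocate-interface GigabitEthernet0 OUTSIDE
 allocate-interface GigabitEthernet1 Inside
context Ventas
 allocate-interface GigabitEthernet0 OUTSIDE
 allocate-interface GigabitEthernet3 Inside
context Lab
 allocate-interface GigabitEthernet0.10 OUTSIDE
 allocate-interface GigabitEthernet4 Inside
 allocate-interface GigabitEthernet5 DMZ
"""

# Per-context configs (security-level lines omitted; they do not affect the check).
CONTEXT_CFGS = {
    "Administration": """\
interface Inside
 nameif inside
 ip address 192.168.12.1 255.255.255.0 standby 192.168.12.2
interface OUTSIDE
 nameif outside
 ip address 123.1.1.1 255.255.255.224 standby 123.1.1.2
""",
    "Ventas": """\
interface OUTSIDE
 nameif outside
 ip address 123.1.1.7 255.255.255.224 standby 123.1.1.8
interface Inside
 nameif INSIDE
 ip address 192.168.13.1 255.255.255.0 standby 192.168.13.2
""",
    "Lab": """\
interface OUTSIDE
 nameif outside
 ip address 10.9.9.1 255.255.255.0 standby 10.9.9.2
interface Inside
 nameif inside
 ip address 10.9.10.1 255.255.255.0
interface DMZ
 nameif dmz
 ip address 10.9.11.1 255.255.255.0
no monitor-interface inside
""",
}


def parse_system(cfg):
    """Map context name -> {mapped interface name: physical interface}."""
    contexts, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"^context (\S+)$", line)
        if m:
            current = m.group(1)
            contexts[current] = {}
            continue
        m = re.match(r"^allocate-interface (\S+) (\S+)$", line)
        if m and current:
            contexts[current][m.group(2)] = m.group(1)
    return contexts


def parse_context(cfg):
    """Return ({mapped name: {nameif, standby}}, {nameif: explicitly monitored?})."""
    ifaces, monitor, current = {}, {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"nameif": None, "standby": False}
            continue
        m = re.match(r"^nameif (\S+)$", line)
        if m and current:
            ifaces[current]["nameif"] = m.group(1)
        elif line.startswith("ip address ") and current:
            ifaces[current]["standby"] = " standby " in line
        m = re.match(r"^(no )?monitor-interface (\S+)$", line)
        if m:
            monitor[m.group(2)] = m.group(1) is None
    return ifaces, monitor


def audit_contexts(system_cfg, context_cfgs):
    """Flag interfaces whose monitoring state and standby address disagree."""
    findings = []
    for ctx, alloc in parse_system(system_cfg).items():
        ifaces, monitor = parse_context(context_cfgs.get(ctx, ""))
        for mapped, phys in alloc.items():
            info = ifaces.get(mapped)
            if not info or not info["nameif"]:
                continue  # allocated but not configured in the context
            name = info["nameif"]
            # default: physical interfaces monitored, subinterfaces not; explicit line wins
            monitored = monitor.get(name, "." not in phys)
            where = f"{ctx}/{name} ({phys})"
            if monitored and not info["standby"]:
                findings.append(f"{where} is monitored but has no standby address; "
                                f"add a standby IP or 'no monitor-interface {name}'")
            elif not monitored and info["standby"]:
                findings.append(f"{where} has a standby address but is not monitored; "
                                f"add 'monitor-interface {name}' if it should trigger failover")
    return findings
```

With the sample above the two posted contexts pass, while Lab produces two findings: the subinterface outside, which has a standby address but is silently unmonitored, and dmz, a physical interface with no standby address that is monitored by default and would therefore be reported as failed on the standby unit. Lab's inside interface is the correctly handled single-unit case.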
03-22-2013 07:50 AM
Thanks a lot for your help!
03-22-2013 11:51 AM
Hi,
My pleasure
06-29-2017 06:39 AM
Hi Julio, fantastic explanation!
I have queries regarding multiple context mode. I want to create a port-channel on the firewall with sub-interfaces and assign it to contexts, for example Po1.10 to .20 for context1 and Po1.30 to .40 for context2.
1. Is such a configuration supported?
2. Should I allocate Po1 to each context and create the subinterfaces at the context level, or create them in the system context and allocate each subinterface to a context? Does it matter either way?
Thanks in advance
Krishna
04-24-2017 07:45 AM
Nice work, I'll try this out ASAP.