Collin Clark
VIP Alumni

 

Problem:

Scenario:1

The user has a pair of 5525-Xs that need to be configured for Active/Passive failover running 9.1(2). It is the same as the 8.x code, so this is more of a reference. One thing I did do differently, though, is that I configured the failover and stateful links to be a LAN-to-LAN IPsec tunnel. It encrypts all traffic (failover and state replication) between the two firewalls. You can never have enough security, right? I also included a screenshot for you ASDM users.

Scenario 2:

The user would like a few clarifications on ASA Active/Standby failover involving the CSC SSM module. Current status: there is a production firewall running ASA 8.3.1, along with CSC module 6.3. They purchased another identical firewall unit, so the two will run in Active/Standby failover mode.

Question 1
The newly purchased ASA unit's CSC module license has not been activated and installed yet (the customer misplaced the PAK paper license). My question: is it possible to set up failover with one CSC SSM in operational mode while the other CSC is down because no license is installed on it?

Question 2
The new firewall will be the standby unit. Besides configuring failover, do we need to load the AnyConnect image onto the new firewall as well?

Question 3
Can the user just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax errors?

 

 

Solution:

Scenario:1

On the primary firewall-

failover lan unit primary
failover lan interface FAILOVER-INTF GigabitEthernet0/6
failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7
failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2
failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253
failover ipsec pre-shared-key 0 #cheating?@ryanbraun-brewerfan

The 0 in failover ipsec pre-shared-key tells the ASA the key that follows is entered in cleartext (8 would mean an already-encrypted key); the key and the rest of the failover commands have to be identical on both units.

 

On the secondary firewall-

failover lan unit secondary
failover lan interface FAILOVER-INTF GigabitEthernet0/6
failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7
failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2
failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253
failover ipsec pre-shared-key 0 #cheating?@ryanbraun-brewerfan

 

Then go back to the primary firewall and enable failover-

failover

 

Then go to the secondary firewall and do the same

failover

 

You should start seeing failover/replication messages. You can then check the status with show failover (or show failover state for a per-unit summary).

 

You can view the tunnel status and statistics like any other IPsec tunnel. Note that the tunnels use IKEv2 as well!

 

FIREWALL# sh cry isa sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
64689923     169.254.254.1/500     169.254.254.2/500      READY    INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/26298 sec
Child sa: local selector  169.254.254.0/0 - 169.254.254.3/65535
          remote selector 169.254.254.0/0 - 169.254.254.3/65535
          ESP spi in/out: 0x8f49e46a/0x791fb42f

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
65509395   169.254.254.254/500   169.254.254.253/500      READY    RESPONDER
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/26051 sec
Child sa: local selector  169.254.254.252/0 - 169.254.254.255/65535
          remote selector 169.254.254.252/0 - 169.254.254.255/65535
          ESP spi in/out: 0x78ff2739/0xabc77154

 

Scenario 2:

  1. As long as the hardware is exactly the same you should be able to HA pair them; however, I'd strongly suggest licensing both CSC modules.
  2. Yes, you need to have the same version of the AnyConnect image on both units, since the version is listed in the running config under the webvpn section.
  3. Going from 8.3.1 to 8.4.2 will be fine; the syntax is similar.
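
As an added example that is not part of the original post, the Python below parses output in the format of the sh cry isa sa listing in Scenario 1 and audits it against the two failover /30s from the configuration: each link should have an IKEv2 SA that is UP-ACTIVE/READY, uses AES with a 256-bit key and a DH group of 14 or higher, and authenticates with a PSK on both sides. The first sample is copied from the post (child-SA selector lines left out); the second, weak sample is constructed to show what a finding looks like. The subnet labels, the DH-group policy and the function names are the example's own, not Cisco's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input copied from the post's "show crypto isakmp sa" listing (IKEv2 section,
# child-SA selector lines omitted since the checks below do not use them).
SAMPLE_OK = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
64689923     169.254.254.1/500     169.254.254.2/500      READY    INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/26298 sec

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
65509395   169.254.254.254/500   169.254.254.253/500      READY    RESPONDER
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/26051 sec
"""

# Constructed sample (not from the post): the failover link came up with 3DES and
# DH group 2, and the stateful link has no SA at all.
SAMPLE_WEAK = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
1111     169.254.254.1/500     169.254.254.2/500      READY    INITIATOR
      Encr: 3DES, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
"""

# The two /30s from the "failover interface ip" lines in the post (labels are the example's).
FAILOVER_LINKS: Dict[str, ipaddress.IPv4Network] = {
    "FAILOVER-INTF": ipaddress.ip_network("169.254.254.0/30"),
    "STATEFUL-FAILOVER-INTF": ipaddress.ip_network("169.254.254.252/30"),
}
STRONG_DH_GROUPS = {14, 15, 16, 19, 20, 21}  # 2048-bit MODP and larger, or ECP groups

@dataclass
class IkeSa:
    session_status: str
    tunnel_id: int
    local: ipaddress.IPv4Address
    remote: ipaddress.IPv4Address
    status: str
    encr: str
    keysize: int
    dh_group: int
    auth_sign: str
    auth_verify: str

_SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+),")
_TUNNEL_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)/\d+\s+(\d+\.\d+\.\d+\.\d+)/\d+\s+(\S+)\s+(\S+)\s*$", re.M)
_ENCR_RE = re.compile(
    r"Encr: (\S+), keysize: (\d+), Hash: \S+, DH Grp:(\d+), Auth sign: (\S+), Auth verify: (\S+)")

def parse_ikev2_sas(text: str) -> List[IkeSa]:
    """Return one IkeSa per 'Session-id:' block; blocks missing a field are skipped, not guessed."""
    sas: List[IkeSa] = []
    for block in re.split(r"(?=Session-id:)", text)[1:]:
        s, t, e = _SESSION_RE.search(block), _TUNNEL_RE.search(block), _ENCR_RE.search(block)
        if not (s and t and e):
            continue
        sas.append(IkeSa(
            session_status=s.group(2), tunnel_id=int(t.group(1)),
            local=ipaddress.ip_address(t.group(2)), remote=ipaddress.ip_address(t.group(3)),
            status=t.group(4), encr=e.group(1), keysize=int(e.group(2)),
            dh_group=int(e.group(3)), auth_sign=e.group(4), auth_verify=e.group(5)))
    return sas

def audit_failover_tunnels(text: str, links: Dict[str, ipaddress.IPv4Network] = FAILOVER_LINKS) -> List[str]:
    """Check that every failover /30 has a healthy, strongly negotiated IKEv2 SA; empty result = pass."""
    findings: List[str] = []
    sas = parse_ikev2_sas(text)
    for name, net in links.items():
        on_link = [sa for sa in sas if sa.local in net and sa.remote in net]
        if not on_link:
            findings.append(f"{name}: no IKEv2 SA between peers in {net} (tunnel down or not configured)")
            continue
        for sa in on_link:
            tag = f"{name} (tunnel {sa.tunnel_id})"
            if sa.session_status != "UP-ACTIVE" or sa.status != "READY":
                findings.append(f"{tag}: session {sa.session_status}, IKE SA {sa.status}")
            if not sa.encr.startswith("AES") or sa.keysize < 256:
                findings.append(f"{tag}: weak encryption {sa.encr} with {sa.keysize}-bit key")
            if sa.dh_group not in STRONG_DH_GROUPS:
                findings.append(f"{tag}: weak DH group {sa.dh_group}")
            if (sa.auth_sign, sa.auth_verify) != ("PSK", "PSK"):
                findings.append(f"{tag}: unexpected authentication {sa.auth_sign}/{sa.auth_verify}")
    return findings
```

Run audit_failover_tunnels() on show crypto isakmp sa output captured from the active unit after both units have failover enabled; the post's output passes with no findings, while the constructed weak sample reports 3DES, DH group 2 and a missing SA on the stateful link. The thresholds encode the proposal the post shows being negotiated (AES-GCM-256, group 20) and are a policy for this example, so adjust them to what your own units are configured to offer.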