Failover using Cisco ASA 5500- need help please...

Unanswered Question
May 15th, 2008

Hi,

We have purchased two Cisco ASA 5500 series ASAs for a customer who has requested active/standby failover. I have gone through the Cisco documentation explaining the failover configuration and the fact that there are two methods, stateful and regular.

I am confused about the "serial cable" and also the LAN-based failover, since there is a switch between the two ASAs for LAN-based failover.

These ASAs have 4 Ethernet ports, 0 through 3, a total of 4. I assume, just like the PIXs, Ethernet 0 is the inside interface and Ethernet 1 is the outside, but I am not sure how to use the other two ports (interfaces) for failover.

What is the serial cable for this type of failover? And what is the port on the appliance for this to happen? I have not seen serial ports on the back of these appliances.

Can someone please help me understand this and what I need to make this happen using the two ASA appliances that they have purchased?

I don't even know if they are the right ones for this job, but I know they got the unrestricted license to support failover.

How do I use these 4 Ethernet interfaces?

There are also console and management interfaces as well, plus some USB ports, 2 of them.

Please advise.

Regards,

Masood

bhatok Thu, 05/15/2008 - 11:53

Masood,

The serial cable for failover is only used with the PIX firewalls. The ASA uses LAN-based failover.

The 4 interfaces can be used any way you would like. You specify which is outside and which is inside during configuration.

For failover, you can use any of the interfaces except what you are using for inside and outside and any DMZs. You just have to specify which interface during the failover configuration.

You should do a show version on the ASA to confirm the failover licensing.

Brandon

m-abooali Thu, 05/15/2008 - 13:29

Thanks Brandon,

So, it is going to be LAN-based failover/stateful?

As far as licensing, we made sure that they come with unrestricted, but I will check, and this is a good idea.

In the picture in the Cisco document, I saw a switch in the connection between the two ASAs for failover!? Is that only logical? So I just need to choose an interface, say Ethernet3, and connect both with a crossover CAT 5 RJ45 cable, i.e. Ethernet3 to Ethernet3, and specify that in the configuration?

Please advise.

Regards,

Masood

bhatok Fri, 05/16/2008 - 05:20

Masood,

You can connect them with an x-over cable or you can connect them with a switch. I typically use a switch with designated VLANs for the failover and state.

Below is a typical configuration using the management interface for failover. I created subinterfaces so that we don't have to use 2 physical interfaces (1 for failover and 1 for state).

interface Management0/0
!
interface Management0/0.10
description LAN Failover Interface
vlan 110
!
interface Management0/0.11
description STATE Failover Interface
vlan 111
failover
failover lan unit primary
failover lan interface failover Management0/0.10
failover replication http
failover link state Management0/0.11
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

Brandon

m-abooali Fri, 05/16/2008 - 10:43

Hi Brandon,

Thanks very much for this - this helps me a lot.

I have one problem though: they have not purchased a switch for this, and this is for a customer who has been colo'd with us to this point and has now changed to some kind of managed security.

Since I don't have a switch, how can I use the two interfaces that I have (two physical ones, Ethernet 3 and Ethernet 4) for the LAN and state interfaces for this failover setup?

I have the inside and outside interfaces, and the other two can be used with x-over cables for the failover.

If I go with the actual physical interfaces Ethernet 3 and 4, how does this configuration change?

I am also kind of confused about the LAN and state interfaces, i.e. which one resides on which unit?

This has arrived in the middle of that backbone design that I had some postings on, and I need to get it over with today and go back to the backbone design/implementation again.

I guess, I have to read on this.

Regards,

Masood

m-abooali Fri, 05/16/2008 - 11:35

Brandon,

The documentation says that for LAN-based failover one needs to bootstrap the secondary before the secondary can obtain the running configuration from the primary device. What does bootstrapping mean here?

So, they don't want to give away a switch to this customer for free, so I need to use the physical interfaces on both ASAs and use x-over cables to get them to work. How can I achieve that please?

I have not done this before, although I have educated myself on it reading a very useful Cisco document.

Please advise,

Regards,

Masood

m-abooali Fri, 05/16/2008 - 11:54

Brandon,

I am confused between the STATE link and the LAN link failover.

Both the inside and outside interfaces of these ASAs will have public IP addresses.

I am using IPs from the same segment as the servers (the customer's servers) for the inside interface and IPs from our backbone segment for the outside interfaces.

Now, given that I need two interfaces on each ASA device for this failover, say Ethernet3 and Ethernet 4 on each one, I am confused about what IPs must go on these failover interfaces, link and state?

Please advise, as this has made me so confused: the fact that both inside and outside have public IP addresses, but in different segments.

Regards,

Masood

m-abooali Fri, 05/16/2008 - 18:23

Hi Brandon,

I am sorry for all these replies.

OK, I will be using the interfaces on the two ASA devices.

ethernet0====> inside

ethernet1====> outside

Ethernet 3 and 4 for failover, but I need to know the following please:

1- Do I need both ports, one for LAN on the primary unit? Or both Ethernet 3 and 4 on each unit, for the LAN link and for the state link?

2- I assume I need to put the IPs on the interfaces for failover, and then the rest of the configuration will get replicated (transferred over) to the secondary unit from the primary after both devices are up and running?

Please advise, if I have got it all wrong!?

Based on the readings:

Ethernet3 on both devices for LAN, i.e.

ASA-1-ethernet3 ======> to ====> ASA-2-ethernet3, for LAN

ASA-1-ethernet4 =====> to =======> ASA-2-ethernet4, for link state - using x-over cables.

Do I need to create VLANs on the ASA devices?

Must the IPs for failover be from the same block as the IPs on the "INSIDE" interfaces?

This is how I have understood it. Please advise if I have missed something or if I have gotten it all wrong?

Regards,

Masood

m-abooali Sat, 05/17/2008 - 00:02

Well, I did what I had to do earlier. I went through the Interactive Cisco Training for the active/active and active/passive lessons and found it to be very useful.

Although they had a demonstration using the ASDM, I now know that I can use the straight link between the two devices since I don't have a switch.

What I also need to understand is whether it would be better to create VLANs on these devices in the absence of the switch or not.

I am sorry for all of these replies, but it has been very educational, this being the first time dealing with ASA for failover.

I can still use any help that you may be able to extend to me, given that I want to do active/passive and also use one interface for the LAN-based link and another one for the state link. This way all 4 interfaces on both devices will be used, but this is how they want it and this is how I will do it.

Now this is the actual question:

Now, the IP addressing scheme is making me confused. In one of my last replies, I stated that both inside and outside interfaces will have public IP addressing. Now I wonder if I can have the failover IPs for Ethernet3 and Ethernet 4 on both devices using private IP addresses or not?

Regards,

Masood

bhatok Sat, 05/17/2008 - 09:36

Masood,

You can use private IP addresses for the failover links, both LAN and STATE. These addresses are only used between the two devices and you can use any addresses you like. If you are using Ethernet 3 and 4 for LAN and STATE, just substitute those into the configuration above. On your primary ASA the config will look like:

failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover replication http
failover link state Ethernet0/4
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

Brandon

m-abooali Sat, 05/17/2008 - 18:36

Hi Brandon,

Thanks very much for the information. It is very good to know that I can use private IP addresses for the LAN and state links on the two Ethernet3 and Ethernet4 interfaces.

I will go ahead and console to the devices, primary first, and assign the IP addresses, and I assume when I bring up the secondary the configuration must replicate over to the secondary!?

Unless I need to console to both primary and secondary, assign inside and outside IP addresses to the inside and outside interfaces on each device, and then apply the failover configuration on the primary!?

Please advise if this process is right.

Regards,

Masood

m-abooali Sat, 05/17/2008 - 18:40

Brandon,

You mention the configuration "above"!? What I have from you above is the configuration for when one uses a switch, and you gave it to me in your very first response, as listed below:

interface Management0/0
!
interface Management0/0.10
description LAN Failover Interface
vlan 110
!
interface Management0/0.11
description STATE Failover Interface
vlan 111
failover
failover lan unit primary
failover lan interface failover Management0/0.10
failover replication http
failover link state Management0/0.11
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

I don't think that I need to follow this configuration, but the latest one that you sent me?

Please advise.

Regards,

Masood

m-abooali Mon, 05/19/2008 - 09:53

Hi Brandon,

I am about to assign IP addresses to the inside and outside interfaces of these two ASA devices. You mentioned that this configuration will go on the primary ASA for failover, but what I don't know is whether the secondary will take its failover configuration from the primary, or whether I have to do the same as stated in your response on the secondary ASA?

Please advise.

Regards,

Masood

m-abooali Mon, 05/19/2008 - 15:47

Hi Brandon,

I did configure the primary ASA for LAN and state failover, but it wasn't able to replicate the configuration to the secondary as it was off! My bad.

I have a very silly question.

Do I need to configure the inside and outside interfaces on the secondary ASA manually, or will even this information replicate automatically over to ASA 2 from the primary ASA, i.e. ASA 1?

I am confused here, and maybe this is why the failover configuration didn't replicate over to ASA2, the secondary!

Please advise so that I can get this done and over with.

Regards,

Masood

m-abooali Mon, 05/19/2008 - 16:20

Hi Brandon,

Please see the configuration below and tell me whether, from what you see, you think it is alright.

ciscoasa# sh failover int
interface paclotus-Failover Ethernet0/3
System IP Address: 10.10.1.1 255.255.255.0
My IP Address : 10.10.1.1
Other IP Address : 10.10.1.2
interface StatFailover Ethernet0/2
System IP Address: 10.10.3.1 255.255.255.0
My IP Address : 10.10.3.1
Other IP Address : 10.10.3.2
ciscoasa#

Also, here is what I have in the primary configuration. I did assign IPs to the inside and outside of the secondary ASA manually. I used the same subnet for the inside interface as I did for the primary but just a different IP, and the same subnet for the outside interface on the secondary but different IPs. I think the rest of the configuration must take place via replication from primary to secondary after they are racked and the Ethernet interfaces (inside and outside) are connected.

Currently on the bench I only have management to my laptop, and Ethernet 3 as the LAN failover and Ethernet2 as the state failover connected via x-over cables.


mtu inside 1500
mtu Ouside 1500
failover
failover lan unit primary
failover lan interface paclotus-Failover Ethernet0/3
failover polltime unit 10 holdtime 30
failover polltime interface 10
failover replication http
failover link StatFailover Ethernet0/2
failover interface ip paclotus-Failover 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip StatFailover 10.10.3.1 255.255.255.0 standby 10.10.3.2
asdm image disk0:/asdm-507.bin
no asdm history enable


Have I missed anything here?

Please advise.

Regards,

Masood

alanajjar Mon, 05/19/2008 - 23:59

Hi,

I have some notes:

- You can use the same interface for LAN failover and stateful failover.

- To get the configuration replicated to the secondary ASA, you need to configure the failover configuration on the secondary ASA as well.

My suggestions for your configuration are:

For the primary ASA:

failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover link Failover Ethernet0/3
failover replication http
failover interface ip Failover 10.10.1.1 255.255.255.0 standby 10.10.1.2

For the secondary ASA:

failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover link Failover Ethernet0/3
failover interface ip Failover 10.10.1.1 255.255.255.0 standby 10.10.1.2

You don't need to configure interfaces on the secondary, just add the standby option to the ip address command in the primary, i.e.:

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

With regards
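To tie the two answers together (Brandon's primary-unit config with dedicated Ethernet0/3 and Ethernet0/4 links, and alanajjar's point that the secondary must be bootstrapped with its own failover commands), here is a complete active/standby bootstrap for both units over back-to-back crossover cables, using the interface layout Masood ended up with (Ethernet0/3 for the LAN failover link, Ethernet0/2 for the state link). This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation. The link names FOLINK and STATELINK, the inside/outside addresses (RFC 5737 documentation ranges standing in for the customer's public ranges) and the failover key value are assumptions; the 10.10.1.x and 10.10.3.x failover addresses are the ones from the thread.

```cisco
! ===== Primary unit (ASA-1), entered via console =====
! Data interfaces carry an active address plus a standby address for the
! peer; the standby addresses are what let the ASA monitor interface
! health and let you reach the standby unit directly.
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 no shutdown
!
! Failover links: no nameif and no ip address on the interface itself;
! they are addressed by the "failover interface ip" commands below.
interface Ethernet0/2
 description STATE link, crossover cable to ASA-2 Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 description LAN failover link, crossover cable to ASA-2 Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip FOLINK 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip STATELINK 10.10.3.1 255.255.255.0 standby 10.10.3.2
! Placeholder secret, replace it. Without a key, the failover hello,
! configuration replication and connection-state traffic between the
! units is sent in cleartext.
failover key CHANGE-ME-SHARED-SECRET
failover replication http
failover
!
! ===== Secondary unit (ASA-2), minimal bootstrap via console =====
! This is all "bootstrapping" means: enable the failover links and enter
! the failover commands so the unit can find its peer. Inside/outside and
! the rest of the configuration are then replicated from the primary.
! The "failover interface ip" lines are identical on both units; the
! unit role decides which address each one takes.
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip FOLINK 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip STATELINK 10.10.3.1 255.255.255.0 standby 10.10.3.2
failover key CHANGE-ME-SHARED-SECRET
failover
!
! ===== Verify on either unit =====
! show failover        -> expect "This host: Primary - Active" and
!                         "Other host: Secondary - Standby Ready"
! show failover state
! write memory         -> on the active unit, also saves the config on the standby
```

Bring the primary up fully first, then power on the secondary with only the bootstrap above; if the inside/outside interfaces on the secondary were configured by hand beforehand, they are simply overwritten by replication. Check `show failover` on the secondary before racking it: a unit stuck in "Negotiation" or "Failed" usually means the failover link is shut down, the key does not match, or the two units disagree on the `failover interface ip` values.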

m-abooali Thu, 05/22/2008 - 11:32

Hi,

I followed the Cisco training on this and configured the inside and outside interfaces on the primary and secondary, and then, on the primary, I configured the LAN failover and state failover using two interfaces, Ethernet0/3 and Ethernet0/2. Based on Cisco, the configuration must get replicated to the secondary from the primary ASA.

Here is my configuration on the primary, but I still need to connect the devices to the network and see how it behaves.

I am going to do this in the next hour or so; here is my configuration:

ciscoasa# sh failover int
interface paclotus-Failover Ethernet0/3
System IP Address: 10.10.1.1 255.255.255.0
My IP Address : 10.10.1.1
Other IP Address : 10.10.1.2
interface StatFailover Ethernet0/2
System IP Address: 10.10.3.1 255.255.255.0
My IP Address : 10.10.3.1
Other IP Address : 10.10.3.2
ciscoasa#

Please let me know if you think this is alright.

Regards,

Masood

CSCO10320953 Fri, 05/23/2008 - 01:41

Hi all,

1. What is the status now?

2. Can we use fiber cable (SFP) between the ASA5520 and the 6509 switch?

3. SSM-4GE, ASA 5500 4-Port Gigabit Ethernet SSM (RJ-45+SFP).

Is it used for CAT 5 cable or fiber cable?

m-abooali Fri, 05/23/2008 - 14:10

The status?

Well, I used cables between Ethernet 2 and Ethernet3 for failover, and the configuration seems to be working, listening and with no errors, but I have not tested the actual failing over just yet, maybe tonight.

About your second question, why switching between the ASA and the 6506 switch?

Thx,

Masood

CSCO10320953 Fri, 05/23/2008 - 23:30

In the active/standby method, my network has two 6509 switches and two ASAs.

m-abooali Sat, 05/24/2008 - 05:04

So, you are using one of the switches for the failover link between the two ASAs?

LAN-based failover/state failover: usually the failover links connect to two VLANs, one for LAN and one for state. I have done that ASA to ASA, consuming all the ports on the two ASAs, just because they didn't want to buy a switch!

Regards,

Masood
