Reg. converting virtual fw to Active - Active

Unanswered Question
May 30th, 2010

Hi halijenn / pkampana / all


Consider a firewall running as a virtual firewall in multiple context mode.


a) If I now want to introduce another firewall and configure active-active, is it possible without any downtime, considering that both firewalls have the same license, h/w and s/w features?


b) Also, I want to know: in the primary firewall system context there are descriptions given to the firewall interfaces, for example:


interface GigabitEthernet0/1
description connected to Gig3/3 SW


Hence please let me know: if I want to put cabling descriptions on the second firewall (which is about to be put in active-active failover) for the same corresponding interface [I will do so with it being offline before introducing it to the network], and once I bring it to the network, will the primary firewall synchronize its system context to the secondary one, and will the secondary firewall's corresponding interface descriptions be wiped off? I do not want that to happen. Is it possible for both to have their own descriptions?


c) Also, what failover commands do I need to configure in the secondary firewall before making it active-active? Are they the same ones which are configured for the normal active-standby? Also, I do not want to touch the current setup of the virtual firewall (primary firewall).

Jennifer Halim Mon, 05/31/2010 - 06:27

Let me start with the definition of Active-Active failover. Please kindly note that Active-Active does not mean that 1 context is active on both firewalls. Active-Active means that you can configure 1 context to be active on 1 firewall, and another (different) context to be active on the other firewall.


For example:

If you have 8 contexts all together, you can configure 4 contexts to be assigned to 1 firewall (failover group 1) and the other 4 contexts to be assigned to the other firewall (failover group 2).


Where the failover comes into play is if one of the firewalls fails: the 4 contexts on the failed firewall will fail over to the other firewall, so now the active firewall is passing traffic for 8 contexts.


Here is the sample configuration with more explanation on Active/Active failover for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml


To answer your questions:

a) To introduce Active/Active failover, I would strongly recommend that you organise a maintenance window for possible down time.

b) Configuration of both firewalls on active/active failover will be synchronized and both will have the same configuration. The only difference would be some contexts will be assigned to and active on 1 firewall, and some others would be assigned and active on another firewall.

c) The majority of the commands for failover will be the same as for Active/Standby failover, with the addition of assigning a failover group to each context in Active/Active failover. The above sample configuration will give you the specific commands.


Hope that helps.

ankurs2008 Mon, 05/31/2010 - 10:24

hi


Thanks for the reply. I understand that right now both contexts on the single firewall are active; once I put in the second firewall I would like to have the 1st context active on the primary (and standby on the secondary firewall) and the second context (which is currently active on the primary) active on the secondary firewall (and standby on the primary firewall); however I don't think any downtime will be required, though I can take the downtime.


Also, how can I achieve labeling the physical interfaces via description? If the failover replicates the system context of the primary to the secondary, then how will one recognize which corresponding downstream switch port is associated with which interface? There has to be some way; I need your guidance on this.

Federico Coto F... Mon, 05/31/2010 - 10:28

You use the ''prompt'' command.


If for example you do:


ASA(config)# prompt hostname context state

Then, the prompt will be changed to the hostname of the ASA, the context in which it resides and the failover state.

Even though the configuration is replicated, the active unit will show as active state and the standby unit will show as the standby state.


Federico.

ankurs2008 Mon, 05/31/2010 - 11:41

Hi


I didn't understand your explanation. Please let me know whether what I have mentioned above is exactly what you have understood.


My question :


Will the system context of ASA 1 be replicated to the ASA 2 system context or not, as soon as both devices are configured in Active-Active?

Federico Coto F... Mon, 05/31/2010 - 12:22


You asked more than one question and I answered the last one:


''Also how can I achieve labeling the physical interfaces via description, as if the failover will replicate the system context of primary to secondary, then how will one recognize as to with which interfaces which corresponding downstream switch port is associated''

Isn't that what you were asking?


About your other question:


''System context of ASA 1 will be replicated to ASA 2 System context or not as soon as both devices are configured in Active-Active''


I believe not.

You need to configure the contexts on each box since both ASAs will be primary/active for their corresponding contexts.


Federico.

ankurs2008 Mon, 05/31/2010 - 17:38

Hi halijenn


Can you please clear my doubt, as I believe we need not configure anything on the secondary ASA apart from setting its "mode" to multiple, followed by unshutting the interfaces and then assigning the failover commands. Hence the system context will be exactly the same on both firewalls. Please correct me if I am incorrect.

Federico Coto F... Mon, 05/31/2010 - 19:57

It seems you're right, and the configuration of active/active failover is pretty much the same as active/standby in that you have a primary unit that replicates the configuration to the secondary unit.


If you have one context active in each unit (two failover groups), then ''The commands from a security context are replicated from the unit on which the security context appears in the active state to the peer unit''.


This seems a good link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml


Federico.

Jennifer Halim Tue, 06/01/2010 - 04:55

Ankur, you are absolutely correct.

You would only need to configure the primary ASA (currently active) system context with all the configuration, and everything will be replicated to the secondary ASA (standby).


On the primary ASA, you would need to configure the 2 failover groups (group 1 - primary, and group 2 - secondary), then assign all contexts to failover group 1 first, making sure all contexts are active on the primary ASA.


Then on the secondary ASA, change it to multiple context mode, configure the failover commands, and turn on failover. The configuration will replicate from the active primary ASA to the standby secondary ASA.


Once failover is up on both ASAs, you can slowly migrate some contexts to failover group 2, and make group 2 active on the secondary ASA.


Hope that answers your question.

ankurs2008 Tue, 06/01/2010 - 17:39

hi halijenn


Thanks a ton! I would like to ask: currently there are 2 contexts (A and B) on a single firewall, hence once I enable active-active FO by introducing the new device, only then should I put context B in failover group 2 (active on the secondary)?? Please correct me if I am wrong.

I am going to perform the following:


1) Do a show failover on the Primary, and both contexts on the Primary will show as Active (sample below):


This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Active
                Active time:    2896 (sec)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    190 (sec)
  Group 2       State:           Standby Ready
                Active time:    190 (sec)


2) Configure the following in the system execution space of the Primary for group 2:

    no failover active group 2


3) Do a show failover again and verify that context B has switched over to active on the secondary:


  This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Standby Ready
                Active time:    2896 (sec)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    190 (sec)
  Group 2       State:          Active
                Active time:    190 (sec)
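As an added example (not part of this thread or of any Cisco tool), a small Python check that parses `show failover` text like the excerpts above and verifies that each failover group is Active on exactly the intended unit and Standby Ready on its peer; the two samples are constructed to mirror the before/after states described in the steps above, and the unit names and expected-state mapping are assumptions.

```python
import re

# Constructed sample modelled on the show failover excerpt in this thread,
# taken after "no failover active group 2" (group 2 now active on Secondary).
AFTER = """\
This host:    Primary
  Group 1       State:          Active
                Active time:    2896 (sec)
  Group 2       State:          Standby Ready
                Active time:    2896 (sec)
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    190 (sec)
  Group 2       State:           Active
                Active time:    190 (sec)
"""
# Same layout before the switch (both groups still active on Primary);
# the "Active time" lines are left out here for brevity.
BEFORE = """\
This host:    Primary
  Group 1       State:          Active
  Group 2       State:          Active
  Other host:   Secondary
  Group 1       State:          Standby Ready
  Group 2       State:          Standby Ready
"""
HOST_RE = re.compile(r"^\s*(?:This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")

def parse_failover(text):
    """Map unit name -> {failover group: state} from 'show failover' text."""
    state, unit = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            unit = m.group(1)  # "Primary" or "Secondary"
            state[unit] = {}
        elif (m := GROUP_RE.match(line)) and unit:
            state[unit][int(m.group(1))] = m.group(2)
    return state

def check_groups(state, expected):
    """expected maps group -> unit that should be Active; peer must be Standby Ready."""
    problems = []
    for group, active_unit in expected.items():
        for unit, groups in state.items():
            want = "Active" if unit == active_unit else "Standby Ready"
            if (got := groups.get(group)) != want:
                problems.append(f"group {group} on {unit}: {got!r}, expected {want!r}")
    return problems  # empty list means the split matches the plan
```

Run `check_groups(parse_failover(output), {1: "Primary", 2: "Secondary"})` against the output captured in step 3; a non-empty list means the migration of group 2 has not happened as planned.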
