Failover using Cisco ASA 5500- need help please...

m-abooali
Level 4

Hi,

We have purchased two Cisco ASA 5500 series ASAs for a customer who has requested active/standby failover. I have gone through the Cisco documentation explaining the failover configuration and the fact that there are two methods, stateful and regular.

I am confused about the "Serial Cable" and also the LAN-based failover, since there is a switch between the two ASAs for LAN-based failover.

These ASAs have 4 Ethernet ports, 0 through 3, a total of 4. I assume, just like PIXs, Ethernet 0 is the inside interface and Ethernet 1 is outside, but I am not sure how to use the other two ports (interfaces) for failover?

What is the serial cable for this type of failover? And what is the port on the appliance for this to happen? I have not seen serial ports on the back of these appliances.

Can someone please help me understand this and what I need to make this happen using the two ASA appliances that they have purchased?

I don't even know if they are the right ones for this job, but I know they got the unrestricted license to support failover.

How do I use these 4 Ethernet interfaces?

There are also console and management interfaces as well, plus some USB ports, 2 of them.

Please advise.

Regards,

Masood

20 Replies

bhatok
Level 1

Masood,

The Serial Cable for failover is only used with the PIX firewalls. The ASAs use LAN-based failover.

The 4 interfaces can be used any way you would like. You specify which is outside and which is inside during configuration.

For failover, you can use any of the interfaces except what you are using for inside and outside and any DMZs. You just have to specify which interface during the failover configuration.

You should do a show version on the ASA to confirm the failover licensing.

Brandon

Thanks Brandon,

So, it is going to be LAN-based failover/stateful?

As far as licensing, we made sure that they come with unrestricted, but I will check, and this is a good idea.

In the picture in the Cisco document, I saw a switch between the connection between the two ASAs for failover!? Is that only logical? So I just need to choose an interface, say Ethernet3, and connect both with a crossover CAT 5 RJ45 cable, i.e. Ethernet3 to Ethernet3, and specify that in the configuration?

Please advise.

Regards,

Masood

Masood,

You can connect them with a x-over cable or you can connect them with a switch. I typically use a switch with designated VLANs for the failover and state.

Below is a typical configuration using the management interface for failover. I created subinterfaces so that we don't have to use 2 physical interfaces (1 for failover and 1 for state).

interface Management0/0
!
interface Management0/0.10
 description LAN Failover Interface
 vlan 110
!
interface Management0/0.11
 description STATE Failover Interface
 vlan 111
!
failover
failover lan unit primary
failover lan interface failover Management0/0.10
failover replication http
failover link state Management0/0.11
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

Brandon

hi Brandon,

Thanks very much for this - this helps me a lot.

I have one problem though: they have not purchased a switch for this, and this is for a customer who has been colo with us to this point and has now changed to some kind of managed security.

Since I don't have a switch, how can I use the two interfaces that I have (two physical ones, Ethernet 3 and Ethernet 4) for the LAN and state interfaces for this failover setup?

I have the inside and outside interfaces, and the other two can be used with x-over cables for the failover.

If I go with the actual physical interfaces Ethernet 3 and 4, how does this configuration change?

I am also kind of confused on the LAN and state interfaces: which one resides on which unit?

This has arrived in the middle of that backbone design that I had some postings on, and I need to get it over with today and go back to the backbone design/implementation again.

I guess, I have to read on this.

Regards,

Masood

Brandon,

The documentation says that for LAN-based failover one needs to bootstrap the secondary before the secondary can obtain the running configuration from the primary device. What does bootstrapping mean here?

So, they don't want to give away a switch to this customer for free, so I need to use the physical interfaces on both ASAs and use x-over cables to get them to work. How can I achieve that, please?

I have not done this before, although I have educated myself on it by reading a very useful Cisco document.

Please advise,

Regards,

Masood

Brandon,

I am confused between the STATE link and the LAN link failover.

Both the inside and outside interfaces of these ASAs will have public IP addresses.

I am using IPs from the same segment as the servers (the customer's servers) for the inside interface, and IPs from our backbone segment as the IPs for the outside interfaces.

Now, given that I need two interfaces on each ASA device for this failover, say Ethernet3 and Ethernet4 on each one, I am confused on what IPs must go on these failover interfaces, link and state?

Please advise, as this has made me so confused, the fact that both inside and outside have public IP addresses, but from different segments.

Regards,

Masood

Hi Brandon,

I am sorry for all these replies.

OK, I will be using the interfaces on the two ASA devices.

ethernet0====> inside

ethernet1====> outside

Ethernet 3 and 4 for failover, but I need to know the following, please:

1- Do I need both ports, one for LAN on the primary unit? Or both Ethernet 3 and 4 on each unit, for the LAN link and for the state link?

2- I assume I need to put the IPs on the interfaces for failover, and then the rest of the configuration will get replicated (transferred over) to the secondary unit from the primary after both devices are up and running?

Please advise, if I have got it all wrong!?

Based on the readings:

Ethernet3 on both devices for LAN, i.e.

ASA-1-ethernet3 ======> to ====> ASA-2-ethernet3, for LAN

ASA-1-ethernet4 =====> to =======> ASA-2-ethernet4, for link state - using x-over cables.

Do I need to create VLANs on the ASA devices?

IPs for failover must be from the same block as the IPs on the "INSIDE" interfaces?

This is how I have understood it. Please advise if I have missed something or if I have gotten it all wrong?

Regards,

Masood

Well, I did what I had to do earlier. I went through the interactive Cisco training for the active/active and active/passive lessons and found it to be very useful.

Although they had a demonstration using the ASDM, I now know that I can use the straight link between the two devices since I don't have a switch.

What I also need to understand is whether it would be better to create VLANs on these devices in the absence of the switch or not.

I am sorry for all of these replies, but it has been very educational, being the first time dealing with ASA for failover.

I still can use any help that you may be able to extend to me, given that I want to do active/passive and also use one interface for the LAN-based and another one for the state. This way all 4 interfaces on both devices will be used, but this is how they want it and this is how I will do it.

Now, this is the actual question:

Now, the IP addressing scheme is making me confused. In one of my last replies, I stated that both inside and outside interfaces will have public IP addressing. Now I wonder if I can have the failover IPs for Ethernet3 and Ethernet4 on both devices using private IP addresses or not?

Regards,

Masood

Masood,

You can use private IP addresses for the failover links, both LAN and STATE. These addresses are only used between the two devices and you can use any addresses you like. If you are using Ethernet 3 and 4 for LAN and STATE, just substitute those in for the configuration above. On your primary ASA the config will look like:

failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover replication http
failover link state Ethernet0/4
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

Brandon

Hi Brandon,

Thanks very much for the information. It is very good to know that I can use private IP addresses for the LAN and state links on the two Ethernet3 and Ethernet4 interfaces.

I will go ahead and console to the devices, primary first, and assign the IP addresses, and I assume when I bring up the secondary the configuration must replicate over to the secondary!?

Unless I need to console to both primary and secondary, assign inside and outside IP addresses to the inside and outside interfaces on each device, and then apply the failover configuration on the primary!?

Please advise if this process is right.

Regards,

Masood

Brandon,

You mention the configuration "above"!? What I have from you above is the configuration for when one uses a switch, and you gave it to me in your very first response, as listed below:

interface Management0/0
!
interface Management0/0.10
 description LAN Failover Interface
 vlan 110
!
interface Management0/0.11
 description STATE Failover Interface
 vlan 111
!
failover
failover lan unit primary
failover lan interface failover Management0/0.10
failover replication http
failover link state Management0/0.11
failover interface ip failover 192.168.96.1 255.255.255.0 standby 192.168.96.2
failover interface ip state 192.168.97.1 255.255.255.0 standby 192.168.97.2

I don't think that I need to follow this configuration, but the latest one that you sent me?

Please advise.

Regards,

Masood

Hi Brandon,

I am about to assign IP addresses to the inside and outside interfaces of these two ASA devices. You mentioned that this configuration will go on the primary ASA for failover, but what I don't know is whether the secondary will take its failover configuration from the primary, or whether I have to do the same as stated in your response on the secondary ASA?

Please advise.

Regards,

Masood

Hi Brandon,

I did configure the primary ASA for LAN and state failover, but it wasn't able to replicate the configuration to the secondary as it was off! My bad.

I have a very silly question.

Do I need to configure the inside and outside interfaces on the secondary ASA manually, or will even this information replicate automatically over to ASA 2 from the primary ASA, i.e. ASA 1?

I am confused here, and maybe this is why the failover configuration didn't replicate over to ASA2, the secondary!

Please advise so that I can get this done and over with.

Regards,

Masood

Hi Brandon,

Please see the configuration below and tell me whether what you see is alright.

ciscoasa# sh failover int
interface paclotus-Failover Ethernet0/3
 System IP Address: 10.10.1.1 255.255.255.0
 My IP Address : 10.10.1.1
 Other IP Address : 10.10.1.2
interface StatFailover Ethernet0/2
 System IP Address: 10.10.3.1 255.255.255.0
 My IP Address : 10.10.3.1
 Other IP Address : 10.10.3.2
ciscoasa#

Also, here is what I have in the primary configuration. I did assign IPs to the inside and outside of the secondary ASA manually. I used the same subnet for the inside interface as I did for the primary but just a different IP, and the same subnet for the outside interface on the secondary but different IPs. I think the rest of the configuration must take place through replication from primary to secondary after they are racked and the Ethernet interfaces (inside and outside) are connected.

Currently on the bench I only have management to my laptop, and Ethernet3 as LAN failover and Ethernet2 as state failover connected via x-over cables.

mtu inside 1500
mtu Ouside 1500
failover
failover lan unit primary
failover lan interface paclotus-Failover Ethernet0/3
failover polltime unit 10 holdtime 30
failover polltime interface 10
failover replication http
failover link StatFailover Ethernet0/2
failover interface ip paclotus-Failover 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip StatFailover 10.10.3.1 255.255.255.0 standby 10.10.3.2
asdm image disk0:/asdm-507.bin
no asdm history enable

Have I missed anything here?

Please advise.

Regards,

Masood
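A consistency check for the failover stanza posted above, added here as an example and not part of the thread: it parses the `failover lan interface`, `failover link` and `failover interface ip` lines, confirms each logical link is bound to a physical interface and addressed, that active and standby sit in the same subnet, that the LAN and STATE links use separate interfaces and separate subnets, and that the link addresses are private as Brandon recommends. The sample config is the thread's own primary-unit stanza, with the wrapped standby address rejoined.

```python
import ipaddress
import re

# Constructed sample: the primary-unit failover stanza from the thread above,
# with the line-wrapped "standby 10.10.1.\n2" rejoined.
SAMPLE_CONFIG = """
failover
failover lan unit primary
failover lan interface paclotus-Failover Ethernet0/3
failover replication http
failover link StatFailover Ethernet0/2
failover interface ip paclotus-Failover 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip StatFailover 10.10.3.1 255.255.255.0 standby 10.10.3.2
"""

def parse_failover(config):
    """Return (links, addrs): links maps logical link name -> physical interface,
    addrs maps logical link name -> (active, standby) IPv4Interface pair."""
    links, addrs = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        # "failover lan interface <name> <phys>" (LAN link) or "failover link <name> <phys>" (STATE link)
        m = re.match(r"failover (?:lan interface|link) (\S+) (\S+)$", line)
        if m:
            links[m.group(1)] = m.group(2)
            continue
        m = re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line)
        if m:
            name, active, mask, standby = m.groups()
            addrs[name] = (ipaddress.ip_interface(f"{active}/{mask}"),
                           ipaddress.ip_interface(f"{standby}/{mask}"))
    return links, addrs

def check_failover(config):
    """Return a list of problems found; an empty list means the stanza is consistent."""
    links, addrs = parse_failover(config)
    problems = []
    for name in links:
        if name not in addrs:
            problems.append(f"{name}: no 'failover interface ip' line")
    for name, (active, standby) in addrs.items():
        if name not in links:
            problems.append(f"{name}: addressed but never bound to an interface")
        if active.network != standby.network:
            problems.append(f"{name}: active and standby are in different subnets")
        if not (active.ip.is_private and standby.ip.is_private):
            problems.append(f"{name}: failover link uses non-private addresses")
    # the LAN and STATE links must not share a physical interface or a subnet
    if len(set(links.values())) != len(links):
        problems.append("LAN and STATE links share a physical interface")
    nets = [a.network for a, _ in addrs.values()]
    if len(set(nets)) != len(nets):
        problems.append("LAN and STATE links share a subnet")
    return problems
```

Run `check_failover(SAMPLE_CONFIG)` against a pasted stanza before bringing up the secondary; the same function flags the usual typos (a link named differently on its `ip` line, or both links dropped into one subnet).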
