Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ASA-X 9.x failover

 

Problem:

Scenario:1

User have a pair of 5525-X's that are needed to be configured for Active/Passive fail-over running 9.1(2). It's same as 8.x code so this is more as a reference. One thing that I did do different though is I configured the failover and stateful links to be a LAN to LAN IPsec tunnel. It encrypts all traffic (failover and state replication) between the two firewalls. You can never have enough security right? I also included a screenshot for you ASDM users.

Scenario 2:

User would like to do few clarification on  ASA active/standby fail-over, involving CSC SSM module.Current status there is production firewall running in ASA8.3.1, along with CSC module 6.3 Purchase another identical unit of firewall, so these will do in Active/Standby fail-over mode.

Question 1
The new purchase ASA unit CSC module license was not activated and installed yet (customer misplace the PAK paper license). my question is it possible to set up the fail-over in the condition of one CSC SSM in operation mode, whilst another CSC status down because no license install on it?

Question 2
New firewall will the standby unit, beside configure on the fail-over, do we need to load Any-connect image to the new firewall as well?

Question 3
Can user just update the ASA version of the production firewall from 8.3.1 to 8.4.2? Would this cause any syntax error?

 

 

Solution:

Scenario:1

On the primary firewall-

failover lan unit primary

failover lan interface FAILOVER-INTF GigabitEthernet0/6

failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7

failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2

failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253

failover ipsec pre-shared 0 #cheating?@ryanbraun-brewerfan

 

On the secondary firewall-

failover lan unit secondary

failover lan interface FAILOVER-INTF GigabitEthernet0/6

failover link STATEFUL-FAILOVER-INTF GigabitEthernet0/7

failover interface ip FAILOVER-INTF 169.254.254.1 255.255.255.252 standby 169.254.254.2

failover interface ip STATEFUL-FAILOVER-INTF 169.254.254.254 255.255.255.252 standby 169.254.254.253

failover ipsec pre-shared 0 #cheating?@ryanbraun-brewerfan

 

Then go back to the primary firewall and enable failover-

failover

 

Then go to the secondary firewall and do the same

failover

 

You should start seeing failover/replication messages. You can the check the status with show failover status

 

You can view the tunnel status and statistics like any other IPSec tunnel. Note that the tunnels are using IKEv2 as well!

 

FIREWALL# sh cry isa sa

 

IKEv2 SAs:

 

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

 

Tunnel-id                 Local                Remote     Status         Role

64689923     169.254.254.1/500     169.254.254.2/500      READY    INITIATOR

      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/26298 sec

Child sa: local selector  169.254.254.0/0 - 169.254.254.3/65535

          remote selector 169.254.254.0/0 - 169.254.254.3/65535

          ESP spi in/out: 0x8f49e46a/0x791fb42f

 

IKEv2 SAs:

 

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

 

Tunnel-id                 Local                Remote     Status         Role

65509395   169.254.254.254/500   169.254.254.253/500      READY    RESPONDER

      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/26051 sec

Child sa: local selector  169.254.254.252/0 - 169.254.254.255/65535

          remote selector 169.254.254.252/0 - 169.254.254.255/65535

          ESP spi in/out: 0x78ff2739/0xabc77154

 

Scenario 2:

  1. As long as the hardware is exactly the same you should be able to HA pair them however I'd strong suggest licensing both CSC modules.
  2.  Yes, you need to have the same versions of the Any-connect image on both units since the version is listed in the running config under the webvpn section.
  3. Going from 8.3.1 to 8.4.2 will be fine, the syntax is similar.
Version history
Revision #:
2 of 2
Last update:
‎08-28-2017 10:19 PM
Updated by:
 
Labels (1)
Contributors
Everyone's tags (5)