Simple Networking

Failover on Cisco ASA

25.02.2017

Before getting into the configuration details of the Cisco ASA backup scheme (called failover), I would like to point out a few rules regarding the technology itself:

– Of the two Cisco ASA devices that are combined into a failover pair (Active/Standby mode), only one (!) device is active and forwards traffic at any given time.
– To build a Cisco ASA failover pair, you need two devices of the exact same model, with the same interfaces, modules and amount of memory, for example two Cisco ASA 5515-X.
– Both devices need to run the same ASA software image, for example 9.4(2)6.
– Failover WILL NOT work if your Cisco ASA connects to the ISP through the PPPoE protocol.

There are exceptions to these rules, but I am deliberately not mentioning them in this article, to keep possible configuration problems to a minimum.

Please pay attention!
When configuring failover, the order in which you enter the configuration commands, as well as the order in which you connect two Cisco ASA devices together, is more important than the configuration itself.


Step 0. Verification

Before you begin to connect and configure your Cisco ASA devices, make sure that the software versions on both ASA are identical and that the license permits failover. Use the “sh ver” command for that; the version is in the first line of its output and the failover entitlement is listed under the licensed features:

FW-DELTACONFIG-1# sh ver
Cisco Adaptive Security Appliance Software Version 9.4(2)6
...
Failover : Enabled

If the versions differ, upgrade the device with the older version so that both match. The hardware must match too: same model, same interfaces and modules, same amount of memory.

Step 1. Choose the synchronization interface

Connect to your first Cisco ASA device, which we will call Cisco ASA #1. Choose one of its free interfaces to be used for synchronizing with Cisco ASA #2. This interface is dedicated to failover: it carries the complete configuration and the connection-state table of the active unit, so it must not carry any other traffic and should connect the two devices directly (or through a VLAN that nobody else can reach). For clarity, add a description to the interface (STATE Failover Interface). Remove all other configuration from the interface, if any has been entered, and activate it with the “no shutdown” command.
FW-DELTACONFIG (config)#
interface GigabitEthernet0/3
description STATE Failover Interface
no nameif
no security-level
no ip address
no shutdown


Step 2. Activating failover on Cisco ASA #1

Activate the failover mode on Cisco ASA #1. Define the failover link first and switch the feature on with the “failover” command last, once the link is fully described:
FW-DELTACONFIG (config)#
failover lan unit primary
failover lan interface STATE GigabitEthernet0/3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover polltime unit 1 holdtime 3
failover

A brief explanation:
STATE – the name given to the failover interface. It is used only by failover and does not appear as a regular (nameif) interface.
primary – indicates that this is the primary unit. Should not be confused with the unit’s current role, active or standby. A unit may currently be in the standby role and pass no traffic while still being the primary unit of the pair.
10.0.0.1 and 10.0.0.2 – the IP addresses of the failover interfaces on the two Cisco ASA (the first is the primary unit’s address, the “standby” address belongs to the secondary unit). You can enter any pair you want, but both must be in the same subnet, and that subnet must not be used on any other interface or anywhere else in your network.
polltime 1 / holdtime 3 – hello messages are sent over the failover link every second; if none arrive within the 3-second hold time, the unit starts testing whether its mate is still alive and takes over if it is not. Lower values give a faster switchover at the cost of more sensitivity to short hiccups on the link.
Warning!
At this point of configuration, both Cisco ASA devices should NOT be connected to each other in any way. ONLY the device Cisco ASA #1 should be powered on. The second device should be set aside, waiting for its turn to be configured.

Step 3. Preparing Cisco ASA #2

Before configuring the second Cisco ASA, disconnect all patch cords from it and erase its configuration. Do this from the console: the command below also removes the interface addresses, so any SSH or ASDM session to the unit would be cut off.
FW-DELTACONFIG (config)#
clear configure all

Step 4. Configuring Cisco ASA #2

Activate the failover mode on Cisco ASA #2. The synchronization interface and failover configuration commands are identical to the ones entered on Cisco ASA #1, in the same order, with the exception of the unit designation: here you specify “secondary”.
FW-DELTACONFIG (config)#
interface GigabitEthernet0/3
description STATE Failover Interface
no nameif
no security-level
no ip address
no shutdown

failover lan unit secondary
failover lan interface STATE GigabitEthernet0/3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover polltime unit 1 holdtime 3
failover

Save the configuration and turn off the device completely.
FW-DELTACONFIG (config)#
write
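Steps 2 and 4 as one complete listing, in the order the commands should be entered on each unit. This is an added example rather than the author’s listing: the interface name, the 10.0.0.0/30 address pair and the key value are placeholders to replace with your own, and the failover key is an addition the article does not include. Without a key, everything replicated over the link, including the configuration with its enable password, SNMP community strings and VPN pre-shared keys, and every connection-state update, crosses the cable in clear text; with it, the failover traffic is encrypted and authenticated. The key is not replicated, so the same value has to be typed on both units.

```cisco
! === Cisco ASA #1 (primary) ===
! Dedicated failover + state interface: no nameif, no IP, nothing else.
interface GigabitEthernet0/3
 description STATE Failover Interface
 no nameif
 no security-level
 no ip address
 no shutdown
!
failover lan unit primary
failover lan interface STATE GigabitEthernet0/3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover polltime unit 1 holdtime 3
! Encrypt and authenticate the failover and state traffic.
! Placeholder value: use a long random string of your own, identical on both units.
failover key Replace-With-A-Long-Random-Secret
! Replicate HTTP connection state as well (skipped by default to save bandwidth).
failover replication http
! Enable failover last, once the link is fully defined.
failover
write memory
!
! === Cisco ASA #2 (secondary), after "clear configure all" ===
interface GigabitEthernet0/3
 description STATE Failover Interface
 no nameif
 no security-level
 no ip address
 no shutdown
!
failover lan unit secondary
failover lan interface STATE GigabitEthernet0/3
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover polltime unit 1 holdtime 3
! Same key as on the primary; it is not replicated.
failover key Replace-With-A-Long-Random-Secret
failover
write memory
```

Enter the secondary unit’s part only after the primary is up and before the two units are cabled together, exactly as in Steps 2 to 5. From ASA 9.1(2) the “failover ipsec pre-shared-key” command is an alternative that protects the failover and state links with an IPsec tunnel instead; it is likewise configured by hand on both units.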

Step 5. Connecting devices

At this moment, you should have the following:
Cisco ASA #1 is turned on and configured for failover
Cisco ASA #2 is turned off and configured for failover

Connect the synchronization interfaces (Gi0/3, or the ones you have chosen in Step 1) on both devices to each other with a direct cable and turn on Cisco ASA #2. When it boots, it detects an active mate over the failover link and configuration replication begins. On the console of Cisco ASA #1 (the active unit) you will see:
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
and Cisco ASA #2 reports the same from its side (“Beginning configuration replication from mate.” / “End configuration replication from mate.”).

Cisco ASA #2 then holds an exact copy of the configuration of Cisco ASA #1.
From this moment on, make any (!) configuration changes only on the active unit, which is Cisco ASA #1 for now. Commands entered on the standby unit are not replicated back to the active one; the ASA prints a warning about this, and the two configurations drift apart.

Step 6. Checking the failover operation

Besides the synchronization interface, you need to connect all other interfaces on both devices in an identical fashion. In the most general case this will be a LAN interface (inside) and a WAN interface that connects to your ISP or dedicated line (outside). Connect the inside and outside interfaces of Cisco ASA #2 in exactly the same way as on the first device: the same physical port on each unit goes to the same network segment.
To check the current failover state, use the “sh failover” command. It shows the role of the device you are currently consoled into, the software version on both Cisco ASA devices and the operational state of all monitored interfaces.
FW-DELTACONFIG# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: STATE GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.4(2)6, Mate 9.4(2)6
Last Failover at: 02:31:53 time Jul 7 2016
This host: Primary - Active
Active time: 95079907 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.4(2)6) status (Up Sys)
Interface inside (10.0.0.1): Normal
Interface outside (192.168.0.1): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.4(2)6) status (Up Sys)
Interface inside (10.0.0.2): Normal
Interface outside (192.168.0.2): Normal
slot 1: empty

Note the state of the Secondary device. In our example it is Standby Ready, which means that everything works as it should. Also check the “Version:” line: “Ours” and “Mate” must match. (The interface addresses in this output are illustrative; in a real deployment the failover link subnet must be separate from the inside and outside subnets.)
If the state is shown as “Other host: Secondary - Failed”, then your failover is not working. Check that the Cisco ASA #2 device is powered on, that all its interfaces are connected in the same manner as on Cisco ASA #1, that the software versions on the two devices are identical, and that the failover link itself is up. The “sh failover history” command on either unit lists the state transitions together with the reason for each one, which is the quickest way to find out why a unit was marked as failed.

Important!

The failover algorithm
1) When powered on, a Cisco ASA device checks over the failover link whether a mate is already active. If it finds one, it takes the Standby role, copies the entire running configuration from the Active unit and then waits, ready to take over.

2) If the just powered Cisco ASA device does not find a mate, it enters the Active state and works as a standalone device.

3) If everything is configured correctly and the device states are Active/Standby, the roles will switch upon the following events:

– you manually switch the roles from the console of the active device by issuing the command “no failover active” (or “failover active” on the standby device). The devices swap their Active and Standby roles and traffic starts flowing through the other device.
– automatic failover occurs if the Active device fails as a whole (power loss, reload, hang; detected by missing hello messages on the failover link) or if at least one of its monitored interfaces fails. One failed interface is enough with the default interface policy of 1, and by default every physical interface with a nameif is monitored. If the same interface on the Standby device is also down, the failover will not happen, since the Standby device would be no better off.

Important!

If one of the interfaces on the Active unit (Cisco ASA #1) has failed and the devices have switched roles, with #1 becoming the Standby unit, and then the failed interface is restored, there will be no automatic switch back to the original state: failover has no preemption. The Secondary device will remain Active until it experiences a failure itself or you manually switch the roles (see “no failover active” above). No action is required; the pair is fully functional with the roles reversed.
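Checking the pair, forcing a switchover, returning the roles (since nothing does it for you) and recovering a mate that “sh failover” reports as Failed, from the command line. This is an added example that is not part of the original article; the prompt is the author’s hostname, and “dmz” is a placeholder interface name.

```cisco
! --- On the console of Cisco ASA #1 (currently Active) ---
! 1. Confirm the pair is healthy before touching anything.
FW-DELTACONFIG# show failover state
FW-DELTACONFIG# show failover history
!
! 2. Force a switchover. Afterwards this unit is Standby Ready and
!    Cisco ASA #2 passes the traffic; the Primary designation does not change.
FW-DELTACONFIG# no failover active
!
! 3. Verify on the mate without leaving this console:
!    "failover exec mate" runs a command on the other unit.
FW-DELTACONFIG# failover exec mate show failover state
!
! 4. Failover does not preempt, so after a test (or a real failure that has
!    since been repaired) the roles stay swapped until you act.
!    Either take the Active role back from here ...
FW-DELTACONFIG# failover active
!    ... or give it up from the console of Cisco ASA #2 with "no failover active".
!
! 5. If "show failover" reports the mate as Failed: read the reason from
!    "show failover history", fix it (cable, software version, failover key),
!    then clear the failed state; if the unit still does not come back to
!    Standby Ready, reload it so that it re-synchronises with the active one.
FW-DELTACONFIG# failover reset
FW-DELTACONFIG# failover reload-standby
!
! 6. Interfaces that are intentionally down (a port with a nameif that is not
!    cabled, a backup ISP link) must be excluded from monitoring, otherwise an
!    unplugged cable on one of them counts as a failure and triggers a switchover.
!    Configured on the active unit; the command is replicated to the standby.
FW-DELTACONFIG# configure terminal
FW-DELTACONFIG(config)# no monitor-interface dmz
FW-DELTACONFIG(config)# write memory
```

Run the switchover test during a maintenance window the first time: the connection table is replicated over the state link, but any interface that is cabled differently on the two units only shows up as a problem once the standby unit actually has to pass traffic.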

Important!

Primary and Secondary are the unit designations set with “failover lan unit”. They only decide whose configuration wins when the pair first synchronises and which unit becomes active when both boot at the same time; otherwise they have no impact on your network.
Active and Standby are the units’ current roles. They define which device is currently passing traffic.

For reference:
A common question that comes up with failover usage is: how do you connect the external ISP link to both firewalls at the same time? How do you make two cables out of one?
The answer is rather simple: use a switch. Take a LAN switch that you already use and connect Cisco ASA #2 to ports that have the same VLAN configuration as those to which Cisco ASA #1 is connected, or use a separate device.
A simple 8-port switch for $10-$20 is sufficient. Connect the ISP cable to port 1 and use ports 2 and 3 for the two Cisco ASA devices. This option is the simplest, cheapest and easiest to implement; if the switch fails, you can replace it with a similar one within 5 minutes. You need one such switch, or one VLAN, for every interface pair on the ASA devices, and the segment in front of the outside interfaces must contain nothing but the ISP hand-off and the two outside interfaces: anything else plugged into it sits outside the firewall.
If your budget allows it, I would recommend getting a Cisco 2960 switch for reliability and configuring the needed number of VLANs, one for each pair of Cisco ASA interfaces.
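As an added example (not from the article), a Cisco Catalyst 2960 configuration that creates one isolated VLAN per ASA interface pair. Port numbers, VLAN numbers and names are assumptions, and on models whose front ports are FastEthernet the interface names change accordingly. Only the ISP hand-off and the two outside interfaces are members of the outside VLAN, and unused ports are shut down so that nothing else can be attached in front of the firewall.

```cisco
vlan 10
 name ASA-OUTSIDE
vlan 20
 name ASA-INSIDE
vlan 999
 name UNUSED
!
! Outside segment: Gi0/1 = ISP hand-off, Gi0/2 = ASA #1 outside, Gi0/3 = ASA #2 outside.
! Access ports only, no trunk negotiation, and a BPDU from any of them shuts the port.
interface range GigabitEthernet0/1 - 3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! Inside segment: Gi0/4 = ASA #1 inside, Gi0/5 = ASA #2 inside.
interface range GigabitEthernet0/4 - 5
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 no shutdown
!
! Gi0/6 = uplink to the existing LAN switch (switch-to-switch link: no portfast).
interface GigabitEthernet0/6
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 no shutdown
!
! Everything else: parked in the unused VLAN and administratively down.
interface range GigabitEthernet0/7 - 8
 switchport mode access
 switchport access vlan 999
 shutdown
!
! No management address on this switch. If one is needed, put it in the
! inside VLAN (or a dedicated management VLAN), never in the outside VLAN.
interface Vlan1
 shutdown
```

The same layout scales to more interface pairs by adding a VLAN and three ports per pair; an unmanaged switch cannot separate VLANs, so with such a device you need one switch per pair, as the text says.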

Important!

Do not forget to save your configuration on the Active unit with the “write” or “copy run start” command; otherwise all your changes will be lost upon reload. The save command is replicated to the standby unit, so you do not need to repeat it there.
FW-DELTACONFIG-1#write
Building configuration...
[OK]

 
This article was written by Alexey Yurchenko