Cisco ASA Active/Active Failover Configuration


Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
We have already seen the configuration for Active/Standby failover in the previous article. This article focuses on how to configure an Active/Active Failover configuration on ASA Security Appliance.

Network Diagram 
(Physical Topology)
Active/Active Failover Physical Network Diagram
(Logical Topology)
Active/Active Failover Logical Network Diagram


You can download the GNS3 lab for this scenario from here
ASA Active-Active Failover.rar


Now let's dive into the configuration. To configure ASA Security Appliance for Active/Active Failover, first you need change the firewall mode to 'multiple' and configure contexts.

ASA1
! Enable auto generation of mac-address for shared physical interfaces

mac-address auto


! enable the physical interfaces

interface GigabitEthernet0
no shutdown
!
interface GigabitEthernet1
no shutdown
!
interface GigabitEthernet2
no shutdown

! Create and configure the contexts

context CTX-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/CTX-1
!
context CTX-2
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet2
  config-url disk0:/CTX-2



Starting on the unit that will be the primary, and with multiple mode and context already in place.

ASA1

System
! Enable automatic assignment of private MAC address to each shared context interface

mac-address auto


! Create the first of the two failover groups

ASA1(config)# failover group 1


! Tell the failover system that the primary unit should be
! active for any contexts in this "failover group #1"

ASA1(config-fover-group)# primary


! Optionally, tell the system to take over the active role
! 2 minutes after a reboot by the primary unit for this group.

ASA1(config-fover-group)# preempt 120


! Do the same for failover group #2

ASA1(config)# failover group 2


! Tell the failover system that the secondary unit should be
! active for any contexts in this "failover group #2"
   
ASA1(config-fover-group)# secondary


! Request a preempt 2 minutes after reboot by the secondary unit for this group

ASA1(config-fover-group)# preempt 120


! By default all the contexts belongs to failover group 1.
! Tell the system that each of the contexts are assigned
! to 1 of the 2 failover groups

ASA1(config)# context CTX-1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX-2
ASA1(config-ctx)# join-failover-group 2



! Tell this physical box its "priority" or title (Primary or secondary).
! This priority (name) never changes for this physical unit

ASA1(config)# failover lan unit primary


! prepare the failover interfaces (the LAN fail and stateful link)

ASA1(config)# interface GigabitEthernet3
ASA1(config-if)# no shutdown
ASA1(config)# interface GigabitEthernet4
ASA1(config-if)# no shutdown



! configure the names and IP addresses for the 2 failover connections

ASA1(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA1(config)# failover link LINK_FAIL GigabitEthernet4
ASA1(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA1(config)# failover interface ip LINK_FAIL 10.2.2.1 255.255.255.252 standby 10.2.2.2



! set the prompt to include which context (if any) we are working in.
! Currently we are in the  "system" (top level) configuration area.

prompt hostname context

CTX-1
! change from the system execution space to the context CTX-1 in order to add the standby addresses

changeto context CTX-1


! Configure context interfacees

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
! Configure a default route for outgoing traffic
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10 1

CTX-2
  ! Change from CTX-1 and move to the context of CTX-2 in order to do the interfac configuration of that virtual firewall

changeto context CTX-2

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.11 255.255.255.0 standby 192.168.1.12
!
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.


! Configure a default route for outgoing traffic

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10 1

 System
!move back to the system execution space

changeto system


!turn on the failover

failover


! save the system config, and all the context individual configs at the same time

write memory all


ASA1 is now seeing if there is an active failover devices for the 2 groups and when it see's that there isn't one, it will go active for both groups.

Moving over to  Physical ASA2

ASA2
! Change the firewall mode to 'muultiple'
CiscoASA(config)# mode multiple


! tell this ASA what priority (title) it will have, primary or secondary

ASA2(config)# failover lan unit secondary


! Make sure the failover interface is up
interface GigabitEthernet3
no shutdown


! define the failover interface name and IPs

ASA2(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA2(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2


! turn on the failover

failover


Comments

  1. Hi Prashant,

    Really informative post. I recently cleared my CCNA Securitytest and there i read about this term, prior i had no idea what this is all about till i read this post...now atleast i know that it is sort of same as HSRP/VRRP/GLBP (mainly in term of failover) functinality in ASA.
    Thanks!

    ReplyDelete
  2. IN THE SECOND FIREWALL, you would need to put failover lan unit secondary
    Also ts not failover link , should be failover lan interface.I guess you mistyped it

    ReplyDelete
  3. Thanks Ashwin for reporting the typo error. Now it's been corrected.

    ReplyDelete
  4. HI,

    Why Cant ping from DMZ to INSIDE network?

    ReplyDelete

Post a Comment

Popular posts from this blog

Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

Filtering Routes in BGP using Route-maps and Prefix-list

Open Shortest Path First (OSPF)

IKEv2 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec VPN as a Backup for Point-to-Point Link using IP SLA

Border Gateway Protocol (BGP)

Bypassing Proxy Server in Google Chrome

Cisco ASA Active/Standby Failover Configuration