
Tuesday, 27 February 2018

How to configure failover on Cisco ASA?


Cisco ASA failover prerequisites:
1. Both ASAs must be the same hardware model.
2. Both ASAs must have the same interfaces and modules (this can be verified with the "sh inventory" command).
3. Both ASAs must have the same licenses.
4. Both must have the failover license enabled.
5. It is recommended to run the same software version for better stability.
6. They can have different amounts of flash.
7. Flash content is not replicated during a stateful failover.

Below is an example configuration for "Stateful Failover" using two interfaces (one for LAN failover and the other for stateful failover).

On Primary:
==============================================================================
failover lan unit primary
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/1
no shutdown
! Note: No additional configuration is required on the physical interfaces. Everything else, such as assigning the IP address and nameif, is done by the "failover" commands shown below.
! Define the interface for failover
! Syntax: failover lan interface <nameif> <physical interface to which this nameif is assigned>
failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
! Syntax: failover link <nameif> <physical interface to which this nameif is assigned>
failover link State GigabitEthernet0/1
! Assign IP for the failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IP for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
! Enable failover
failover
==============================================================================

On Secondary:
==============================================================================
failover lan unit secondary
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/1
no shutdown
! Define the interface for failover
failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
failover link State GigabitEthernet0/1
! Assign IP for the failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IP for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
! Enable failover
failover
==============================================================================
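
To check that the failover sections of the two units agree before enabling failover, the following Python script (an added example, not part of the original post) compares them and also flags a missing `failover key` or `failover ipsec pre-shared-key`. Neither command appears in the configuration above, and without one of them the failover and state links carry their traffic in clear text. The sample configs are constructed from the values in this post, and the script assumes interface names are written the same way on both units.

```python
import re

# Constructed sample inputs mirroring the primary/secondary configs in this post.
PRIMARY = """\
failover lan unit primary
failover lan interface FAIL GigabitEthernet0/0
failover link State GigabitEthernet0/1
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse(cfg):
    """Return (unit role, set of shared failover lines, enabled?, link protected?)."""
    role, shared, enabled, protected = None, set(), False, False
    for raw in cfg.splitlines():
        low = " ".join(raw.split()).lower()   # normalise whitespace and case
        m = re.fullmatch(r"failover lan unit (primary|secondary)", low)
        if m:
            role = m.group(1)
        elif low == "failover":
            enabled = True
        elif low.startswith(("failover key ", "failover ipsec pre-shared-key ")):
            protected = True                  # assumption: either command secures the link
        elif low.startswith(("failover lan interface ", "failover link ",
                             "failover interface ip ")):
            shared.add(low)                   # these lines must be identical on both units
    return role, shared, enabled, protected

def audit(primary_cfg, secondary_cfg):
    """Compare both units' failover configs; return a list of findings."""
    (r1, s1, e1, p1), (r2, s2, e2, p2) = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    if {r1, r2} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got {r1}/{r2}")
    for line in sorted(s1 ^ s2):
        findings.append(f"only on one unit: {line}")
    if not (e1 and e2):
        findings.append("'failover' is not enabled on both units")
    if not (p1 and p2):
        findings.append("no failover key or IPsec pre-shared key: link traffic is cleartext")
    return findings

if __name__ == "__main__":
    for f in audit(PRIMARY, SECONDARY):
        print("FINDING:", f)
```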

Useful debug commands:
To check failover LAN status:
debug fover cable

Working output:
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_lan_check() Failover Interface OK


When there is actually a problem with failover LAN link:

fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: fover_lan_check() Failover Interface TEST started
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs

debug fover tx
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x2489 size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248a size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248b size = 32 bytes


debug fover rx
fover_ip: HA TRANS: receive message for client Failover Control Module, length 200
fover_rx: rx msg: cmd 0x30, seqNum 0xce1
fover_rx: receive_msg(cmd=FXCHG_CARD_INFO), seqNum=0xce1, size=200
fover_parse: parse_thread_helper() - execute msg 48
fover_ip: HA TRANS: receive message for client Failover Control Module, length 28
