Cisco ASA Active/Active Failover Configuration


Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
We have already seen the configuration for Active/Standby failover in the previous article. This article focuses on how to configure Active/Active failover on the ASA security appliance.

Network Diagram 
(Physical Topology)
Active/Active Failover Physical Network Diagram
(Logical Topology)
Active/Active Failover Logical Network Diagram


You can download the GNS3 lab for this scenario from here
ASA Active-Active Failover.rar


Now let's dive into the configuration. To configure the ASA security appliance for Active/Active failover, you first need to change the firewall mode to 'multiple' and configure the contexts.

ASA1
! Enable auto-generation of MAC addresses, so that each context gets its own MAC on the shared physical interface (GigabitEthernet0 below)

mac-address auto


! enable the physical interfaces

interface GigabitEthernet0
no shutdown
!
interface GigabitEthernet1
no shutdown
!
interface GigabitEthernet2
no shutdown

! Create and configure the contexts

context CTX-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/CTX-1
!
context CTX-2
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet2
  config-url disk0:/CTX-2



Start on the unit that will be the primary, with multiple mode and the contexts already in place.

ASA1

System

! Create the first of the two failover groups

ASA1(config)# failover group 1


! Tell the failover system that the primary unit should be
! active for any contexts in this "failover group #1"

ASA1(config-fover-group)# primary


! Optionally, tell the system to take over the active role
! 2 minutes after a reboot by the primary unit for this group.

ASA1(config-fover-group)# preempt 120


! Do the same for failover group #2

ASA1(config)# failover group 2


! Tell the failover system that the secondary unit should be
! active for any contexts in this "failover group #2"
   
ASA1(config-fover-group)# secondary


! Request a preempt 2 minutes after reboot by the secondary unit for this group

ASA1(config-fover-group)# preempt 120


! By default all contexts belong to failover group 1.
! Assign each context to one of the two failover groups

ASA1(config)# context CTX-1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX-2
ASA1(config-ctx)# join-failover-group 2



! Tell this physical unit its designation (primary or secondary).
! This designation never changes for this physical unit

ASA1(config)# failover lan unit primary


! prepare the failover interfaces (the LAN failover link and the stateful failover link)

ASA1(config)# interface GigabitEthernet3
ASA1(config-if)# no shutdown
ASA1(config)# interface GigabitEthernet4
ASA1(config-if)# no shutdown



! configure the names and IP addresses for the 2 failover connections

ASA1(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA1(config)# failover link LINK_FAIL GigabitEthernet4
ASA1(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA1(config)# failover interface ip LINK_FAIL 10.2.2.1 255.255.255.252 standby 10.2.2.2



! set the prompt to include which context (if any) we are working in.
! Currently we are in the  "system" (top level) configuration area.

prompt hostname context

CTX-1
! change from the system execution space to context CTX-1 in order to configure its interfaces, including the standby addresses

changeto context CTX-1


! Configure the context interfaces

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
! Configure a default route for outgoing traffic
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10 1

CTX-2
! Move from CTX-1 to context CTX-2 to configure the interfaces of that virtual firewall

changeto context CTX-2

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.11 255.255.255.0 standby 192.168.1.12
!
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.


! Configure a default route for outgoing traffic

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.10 1

System
! move back to the system execution space

changeto system


! turn on the failover

failover


! save the system config, and all the context individual configs at the same time

write memory all


ASA1 now checks whether an active unit already exists for either failover group. Finding none, it becomes active for both groups. Once ASA2 joins, the preempt setting on failover group 2 moves that group to the secondary unit after the configured 120-second delay.

Moving over to the physical ASA2

ASA2
! Change the firewall mode to 'multiple' (the unit reboots to apply it)
CiscoASA(config)# mode multiple


! tell this ASA its designation, primary or secondary; this unit is the secondary

ASA2(config)# failover lan unit secondary


! Make sure the failover interface is up
interface GigabitEthernet3
no shutdown


! define the failover interface name and IPs

ASA2(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA2(config)# failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2


! turn on the failover

failover
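Before bringing the pair up, it is worth checking that the two system-context configurations actually agree with the rules above. The script below is an added example and is not code from the original article: it applies those rules (at most two failover groups, each with its own preferred unit; every context joined to a defined group, with unassigned contexts defaulting to group 1; identical `failover lan interface` and `failover interface ip` settings on both units) to the system configs of both units. The two sample configs embedded in it are constructed from the article's ASA1 and ASA2 listings. The `failover key` check is an assumption added here as a hardening step the article does not configure: Cisco sends failover messages, including replicated state, in clear text unless a failover key is set on both units.

```python
"""Offline consistency audit for an ASA Active/Active failover pair (added example,
not from the original article: the article's failover-group rules plus an assumed
failover-key check, applied to both units' system-context running configs)."""
import re
from dataclasses import dataclass, field

# Constructed from the article's ASA1 system config, in 'show running-config' layout.
ASA1_SYSTEM = """\
failover lan unit primary
failover lan interface LAN_FAIL GigabitEthernet3
failover link LINK_FAIL GigabitEthernet4
failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover interface ip LINK_FAIL 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover group 1
  primary
failover group 2
  secondary
context CTX-1
  config-url disk0:/CTX-1
  join-failover-group 1
context CTX-2
  config-url disk0:/CTX-2
  join-failover-group 2
failover
"""

# Constructed from the article's ASA2 bootstrap; the rest is replicated from ASA1.
ASA2_SYSTEM = """\
failover lan unit secondary
failover lan interface LAN_FAIL GigabitEthernet3
failover interface ip LAN_FAIL 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover
"""

@dataclass
class SystemConfig:
    unit: str = ""                                # primary | secondary
    lan_if: str = ""                              # "<name> <physical interface>"
    if_ips: dict = field(default_factory=dict)    # name -> (active, standby)
    groups: dict = field(default_factory=dict)    # group number -> preferred unit
    contexts: dict = field(default_factory=dict)  # context -> failover group
    has_key: bool = False                         # 'failover key' present (assumed hardening check)
    enabled: bool = False

def parse_system_config(text: str) -> SystemConfig:
    """Extract the failover-relevant lines of a system-context running config."""
    cfg, block = SystemConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            block = None                          # indented lines belong to the block above
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            cfg.unit = m[1]
        elif m := re.fullmatch(r"failover lan interface (\S+ \S+)", line):
            cfg.lan_if = m[1]
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) \S+ standby (\S+)", line):
            cfg.if_ips[m[1]] = (m[2], m[3])
        elif line.startswith(("failover key", "failover ipsec pre-shared-key")):
            cfg.has_key = True
        elif m := re.fullmatch(r"failover group (\d+)", line):
            block = ("group", int(m[1]))
        elif m := re.fullmatch(r"context (\S+)", line):
            block = ("context", m[1])
            cfg.contexts[m[1]] = 1                # unassigned contexts default to group 1
        elif line == "failover":
            cfg.enabled = True
        elif block and block[0] == "group" and line in ("primary", "secondary"):
            cfg.groups[block[1]] = line
        elif block and block[0] == "context" and (m := re.fullmatch(r"join-failover-group (\d+)", line)):
            cfg.contexts[block[1]] = int(m[1])
    return cfg

def audit_pair(primary_text: str, secondary_text: str) -> list:
    """Return findings as strings; an empty list means the pair is consistent."""
    p, s = parse_system_config(primary_text), parse_system_config(secondary_text)
    out = []
    if (p.unit, s.unit) != ("primary", "secondary"):
        out.append(f"unit roles are {p.unit!r}/{s.unit!r}; expected primary/secondary")
    if p.lan_if != s.lan_if:
        out.append(f"failover lan interface differs: {p.lan_if!r} vs {s.lan_if!r}")
    lan_name = p.lan_if.split()[0] if p.lan_if else None
    if lan_name and p.if_ips.get(lan_name) != s.if_ips.get(lan_name):
        out.append(f"failover interface ip for {lan_name} must be identical on both units")
    if set(p.groups) != {1, 2} or p.groups[1] == p.groups[2]:
        out.append("Active/Active needs groups 1 and 2 with different preferred units")
    for ctx, g in p.contexts.items():
        if g not in p.groups:
            out.append(f"context {ctx} joined to undefined failover group {g}")
    if not (p.has_key and s.has_key):
        out.append("no 'failover key' on both units: failover and state messages go in clear text")
    if not (p.enabled and s.enabled):
        out.append("'failover' is not enabled on both units")
    return out

if __name__ == "__main__":
    print(*(audit_pair(ASA1_SYSTEM, ASA2_SYSTEM) or ["no findings"]), sep="\n")
```

Run against the article's listings as embedded, the only finding is the missing `failover key`; everything the article configures (roles, failover-link addressing, group preferences, context membership) passes. Paste the real `show running-config` output of the system context from each unit in place of the samples to audit a live pair.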


3 comments:

  1. Hi Prashant,

    Really informative post. I recently cleared my CCNA Security test and there I read about this term; prior to that I had no idea what this was all about until I read this post... now at least I know that it is sort of the same as the HSRP/VRRP/GLBP functionality (mainly in terms of failover) in the ASA.
    Thanks!

  2. In the second firewall, you would need to put failover lan unit secondary.
    Also, it's not failover link, it should be failover lan interface. I guess you mistyped it.

  3. Thanks Ashwin for reporting the typo. It has now been corrected.
