Configuring ‘Stateless’ Active/Standby failover on an ASA 5505


This post covers the Stateless Active/Standby failover configuration normally done on an ASA 5505, which does not support Stateful failover. The ASA 5505 and 5510 are the most commonly used firewalls in small and medium-sized businesses, with the latter supporting Stateful failover. Only the Stateless (Regular) failover that would be configured on an ASA 5505 is covered here.

Here’s the network diagram of a typical stateless active/standby failover:


FW1 and FW2 will be configured to work in active/standby failover mode, FW1 being the primary unit and FW2 the secondary unit of the High Availability pair. Ethernet0/3 on both firewalls will serve as the LAN failover interface, over which the firewalls exchange their failover status, synchronize configuration and commands, and so on. You can use a single switch, two switches or an Ethernet crossover cable for your LAN failover interface.

Primary unit configuration (FW1):

1. Configure the device to be the primary unit in the HA pair.

asa(config)# failover lan unit primary

2. Name interface Ethernet0/3 int_fo. This will be the LAN failover interface, which checks the health of the failover peer ASA and passes configuration updates between the peers.

asa(config)# failover lan interface int_fo Ethernet0/3

3. Configure the LAN failover key. Data passing over the failover link is encrypted with it; without a key, failover traffic, including the replicated configuration, crosses the link in clear text.

asa(config)# failover key mysecretkey

4. Define the failover interface IP for the primary unit (10.2.2.1) as well as the secondary unit (10.2.2.2).

asa(config)# failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2

5. Enable the failover feature on the primary unit.

asa(config)# failover

6. Assign IPs to the data interfaces. The standby keyword sets the IP that the secondary unit will use on its inside/outside interface.

asa(config)# interface Ethernet0/0
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config-if)# ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
asa(config-if)# interface Ethernet0/1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

You configure the secondary unit's IPs from the primary with the standby keyword because anything configured directly on the secondary unit is erased as soon as it starts replicating the configuration from the primary unit.

The standby values defined in the above configuration are applied to the secondary unit's respective interfaces.

Secondary unit configuration (FW2):

1. Below are the only commands needed on the secondary unit to enable failover between the primary and secondary firewalls. The rest of the configuration is replicated from the primary unit.

asa(config)# failover lan unit secondary
asa(config)# failover lan interface int_fo Ethernet0/3
asa(config)# failover key mysecretkey
asa(config)# failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2
asa(config)# failover

The failover interface ip command must be entered in exactly the same form on both the primary and the secondary unit. When configuring the secondary unit you might be tempted to put 10.2.2.2 first and 10.2.2.1 last, but that is wrong: the active IP comes first, followed by the standby IP.
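As an added example (not part of the original post), the following Python script parses the FW1 and FW2 command snippets above and flags the mistakes this post warns about: failover commands that differ between the two units (such as the reversed address order in failover interface ip), a data interface without a standby address, a data subnet that overlaps the failover subnet, and interface addressing left on the secondary unit that replication would erase. The configuration text is a constructed sample that mirrors the post's commands; the parser handles only the command forms shown here.

```python
import ipaddress
import re

FO_IP = re.compile(r"^failover interface ip \S+ (\S+) (\S+) standby (\S+)$")
IF_IP = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")

def parse(cfg):
    # Returns (failover lines minus the unit role, failover subnet, [(nameif, subnet, active, standby)]).
    fo_lines, fo_net, data, name = set(), None, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("failover"):
            if not line.startswith("failover lan unit"):  # the role is the one line allowed to differ
                fo_lines.add(line)
            m = FO_IP.match(line)
            if m:
                fo_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        else:
            m = IF_IP.match(line)
            if m:  # m[3] is None when the interface line carries no standby address
                data.append((name, ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[1], m[3]))
    return fo_lines, fo_net, data

def check_pair(primary_cfg, secondary_cfg):
    # Returns a list of findings for an FW1/FW2 pair; an empty list means the pair is consistent.
    p_fo, p_net, p_data = parse(primary_cfg)
    s_fo, _, s_data = parse(secondary_cfg)
    findings = []
    if p_fo != s_fo:  # e.g. a reversed 'failover interface ip' line or a different key
        findings.append(f"failover commands differ between units: {sorted(p_fo ^ s_fo)}")
    for name, net, active, standby in p_data:
        if standby is None:
            findings.append(f"{name}: no standby address, so the secondary unit would get none")
        elif standby == active or ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby {standby} is not a distinct address in {net}")
        if p_net is not None and net.overlaps(p_net):
            findings.append(f"{name}: {net} overlaps the failover subnet {p_net}")
    if s_data:
        findings.append("secondary unit carries interface IPs; replication from the primary will erase them")
    return findings
# Constructed sample: FW1 as in the post; FW2 correct, and FW2 with the address order reversed.
FW1 = ("failover lan unit primary\nfailover lan interface int_fo Ethernet0/3\n"
       "failover key mysecretkey\n"
       "failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2\nfailover\n"
       "interface Ethernet0/0\n nameif outside\n ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2\n"
       "interface Ethernet0/1\n nameif inside\n ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2")
FW2 = FW1.replace("unit primary", "unit secondary").split("\ninterface")[0]
FW2_REVERSED = FW2.replace("10.2.2.1 255.255.255.0 standby 10.2.2.2", "10.2.2.2 255.255.255.0 standby 10.2.2.1")
```

Running check_pair(FW1, FW2) returns an empty list, while check_pair(FW1, FW2_REVERSED) reports the mismatching failover interface ip line.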

Things to note:

  • The terms Primary and Secondary only determine the addressing given to each firewall. They do not define the active or standby roles: either unit can be in the active or standby state.
  • A dedicated interface should be used as the LAN failover interface. It can be connected through an intermediary switch or directly with a crossover cable.
  • By default, all ASA interfaces are monitored for health with hello packets. Use the no monitor-interface if_name global command to remove monitoring from a particular interface.
  • Upon failover, the standby ASA (now active) swaps interface IP and MAC addresses with the previously active ASA, so that the ARP caches of neighbouring devices stay consistent.
  • Any command explicitly configured on the standby unit is deleted when the active unit sends its configuration file to the standby unit for replication.
  • Once the devices are in active/standby mode, changes made on the standby unit are not replicated to the active unit. Such changes can be discarded by issuing the write standby exec command on the active unit, which discards the standby unit's whole configuration except the failover commands.

 


18 thoughts on “Configuring ‘Stateless’ Active/Standby failover on an ASA 5505”

  1. Great post. I was constantly checking this weblog and I’m impressed! Very helpful information, specifically the remaining part :) I care for such information a lot. I was seeking this certain information for a very long time. Thank you and best of luck.

  2. Dear, can you please explain the stateful failover Active/Active configuration? I am searching a lot of blogs and I didn’t get any of them about this configuration. And please let me know the connectivity between the firewalls. And also I would like to know the sample design please, it’s really helpful, pleaseee…

  3. Hi, what will the config look like if there are two switches for the internal network, with also two inside interfaces connecting to the 2 switches in full mesh?

  4. Hi Hughuss,

    I’m on a time crunch right now so I won’t be able to put up a post on that, at least not for the next 1-2 months. However here’s a link from Cisco showing an ideal Active/Active failover configuration with a diagram.

    The least that I can tell you right now is that you need to make your firewall work in multiple mode to support multiple security contexts and create failover groups accordingly. And one thing you need to be aware of is that it won’t support Dynamic Routing Protocols, VPNs and Multicast. So to me, the cons outweigh the pros of it. I haven’t yet seen an Active/Active failover in a production environment but it certainly is used in cases where it’s absolutely required.

  5. Hi,

    Yes, that is correct, there is inside 1 and inside 2 in each ASA and 1 outside interface. Inside 1 will be connected to switch1 3750x and inside 2 will be connected to switch2 3750x. The 2 3750x switches will be stacked together.

    Thanks,

  6. Well, in that case only an additional interface configuration will be required, as shown below:

    interface Ethernet0/3
    nameif inside2
    security-level 90
    ip address 10.3.3.1 255.255.255.0 standby 10.3.3.2

  7. Thank you so much Shoaib.
    And I also want to know: how about the other interface configuration in active/standby? I mean the public interface and internal; do I need to configure the IP address on the standby unit manually or will it take it through replication?
    ex:
    primary unit:
    int internal
    ip add 10.1.2.1 standby 10.1.2.2

    int public
    ip add 10.3.1.1 standby 10.3.1.2

    and then on the standby unit do I need to configure the IP addresses 10.1.2.2 and 10.3.1.2,
    for example like this on the standby unit:
    int internal
    ip add 10.1.2.2 standby 10.1.2.1

    int public
    ip add 10.3.1.2 standby 10.3.1.1

    For the other interface configuration please let me know: is it the right way to configure, or just leave all the configuration of the standby unit?

  8. You need not manually configure those IPs on the standby unit. It will assign those standby IPs to the standby unit while replication.

    I’m glad I could help you out on this. :) Keep visiting!

  9. Sorry – damn auto correct on previous one, let me try again…
    Great post! Thanks for taking the time. What would be useful is in the initial diagram you put the IP addresses up. The failover ip part is confusing :/ for me anyway!
    Does the failover interface IP need to be completely separate and unique, or is this the primary IP of the internal network for example (ie. if you fail, your IP address needs to be x.x.x.x).
    Cool post tho though, keep up the good work.

  10. Hey Bob,

    The failover interface IP has to be different from any of your internal or interface IPs.

    Yeah, I agree it can be confusing at first. Happened to me too while I started with ASAs. :)

    I’m not sure if I still have that diagram with me :D Will have to create another one with the IPs.

    Thank you!

  11. Hi, great post. I thought I’d add the following, since it was something I was looking for initially.

    “ So, what communications are moved over the ‘stateless failover’ link and the ‘stateful failover’ link? Good question. Here is what Cisco says for both:

    Failover Link
    The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link: the unit state (active or standby), hello messages (keep-alives), network link status, MAC address exchange, and configuration replication and synchronization

    Stateful Link
    NAT translation table, TCP connection states, UDP connection states, the ARP table, the Layer 2 bridge table (when running in transparent firewall mode), the HTTP connection states (if HTTP replication is enabled), the ISAKMP and IPSec SA table, GTP PDP connection database, and the SIP signalling sessions. ”

  12. Hi, I would like to know whether we should have the internet connectivity already set up? I have the same project for my class! Please can you help me with how to set up the configuration to have access to the internet. Your tutorial is very helpful. Thank you

  13. Hello Dardan,

    I cannot give you a whole set of configuration, but a starting point would be to ensure you have a publicly routable IP address on one of the interfaces of your firewall, and do a Dynamic PAT with that interface. You can get config examples over the internet if you look for ‘Cisco ASA Dynamic PAT’.

    Hope that helps a little.

    Regards,
    Shoaib

  14. Really good doc. thx you so much for your hard work. Do you also have a doc on configuring ASA HA or active/active with context?
