This post covers the Stateless Active/Standby failover configuration that would normally be done on an ASA 5505, which does not support Stateful failover. The ASA 5505 and 5510 are the most commonly used firewalls in small and medium-sized businesses, with the latter supporting Stateful failover. This post only covers the Stateless (Regular) failover that would be configured on an ASA 5505.
Here’s the network diagram of a typical stateless active/standby failover:
FW1 and FW2 will be configured to work in active/standby failover mode, FW1 being the primary unit and FW2 the secondary unit of the High Availability pair. Ethernet0/3 on both firewalls will serve as the LAN failover interface, over which the firewalls exchange failover status, synchronize configuration/commands, etc. You can use a single switch, two switches or an Ethernet crossover cable for your LAN failover interface.
Primary unit configuration (FW1):
1. Configure the device to be the primary unit in the HA pair.
asa(config)# failover lan unit primary
2. Name interface Ethernet0/3 as int_fo; this will be the LAN failover interface, which checks the health of the failover peer ASA and passes configuration updates between the peers.
asa(config)# failover lan interface int_fo Ethernet0/3
3. Configure LAN failover encryption. Data passing over the failover link will be encrypted.
asa(config)# failover key mysecretkey
4. Define the failover interface IP for the primary unit (10.2.2.1) as well as the secondary unit (10.2.2.2).
asa(config)# failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2
5. Enable the failover feature on the primary unit.
asa(config)# failover
6. Assign IPs to the interfaces. The standby keyword assigns the IP that will be used on the secondary unit’s inside/outside interface.
asa(config)# interface Ethernet0/0
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config-if)# ip address 220.127.116.11 255.255.255.0 standby 18.104.22.168
asa(config-if)# interface Ethernet0/1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
The reason you configure the secondary unit's IPs from the primary using the standby keyword is that, if you configure the IPs on the secondary unit directly, they are going to be erased anyway as soon as it starts replicating the configuration from the primary unit.
The standby values defined in the above configuration will be applied to the secondary unit's respective interfaces.
Secondary unit configuration (FW2):
1. Below are the only commands you need on the secondary unit to enable the HA/Failover feature between the primary and secondary firewall. The rest of the configuration will be replicated from the primary unit.
asa(config)# failover lan unit secondary
asa(config)# failover lan interface int_fo Ethernet0/3
asa(config)# failover key mysecretkey
asa(config)# failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2
asa(config)# failover
The “failover interface ip” command must be entered in exactly the same way on both the primary and the secondary unit. While configuring the secondary unit, you might be tempted to put 10.2.2.2 first and 10.2.2.1 at the end, but that is not how it works. You have to specify the active IP first and then the standby IP.
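A small consistency check for the two unit configurations above, added here as an example and not part of the original post: it parses each unit's failover lines and reports mismatches, including the reversed active/standby order on the secondary that the text warns about. The two sample configs are constructed for the example.

```python
import re

# Constructed sample configs (not from real devices); the secondary's "failover interface ip"
# line has active and standby reversed, the mistake the post warns about.
PRIMARY_CFG = """\
failover lan unit primary
failover lan interface int_fo Ethernet0/3
failover key mysecretkey
failover interface ip int_fo 10.2.2.1 255.255.255.0 standby 10.2.2.2
failover
"""
SECONDARY_CFG = """\
failover lan unit secondary
failover lan interface int_fo Ethernet0/3
failover key mysecretkey
failover interface ip int_fo 10.2.2.2 255.255.255.0 standby 10.2.2.1
failover
"""

def parse_failover(cfg):
    # Collect the failover-related lines of one unit's configuration.
    fo = {"unit": None, "lan_if": None, "key": None, "ip": None, "enabled": False}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"failover lan unit (primary|secondary)$", line):
            fo["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            fo["lan_if"] = m.groups()            # (nameif, physical interface)
        elif m := re.match(r"failover key (\S+)$", line):
            fo["key"] = m.group(1)
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            fo["ip"] = m.groups()                # (nameif, active, mask, standby)
        elif line == "failover":
            fo["enabled"] = True
    return fo

def check_pair(primary_cfg, secondary_cfg):
    # Return a list of mismatches; an empty list means the pair agrees.
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append("unit roles must be one primary and one secondary")
    for field in ("lan_if", "key"):
        if p[field] != s[field]:
            findings.append(f"{field} differs between units")
    if p["ip"] != s["ip"]:
        findings.append("'failover interface ip' must be identical on both units (active first, then standby)")
    for name, u in (("primary", p), ("secondary", s)):
        if not u["enabled"]:
            findings.append(f"{name}: 'failover' not enabled")
    return findings
```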
Things to note:
- The terms Primary and Secondary are used only to determine the addressing provided to the firewalls. They do not define the active or standby roles. Either the primary or secondary unit can be in active or standby state.
- It is recommended that a dedicated interface be used for the LAN Failover interface. The interface can be connected to an intermediary switch or directly with a crossover cable.
- By default, all ASA interfaces are monitored for their health with hello packets. Use the no monitor-interface if_name global configuration command if you want to disable monitoring for a particular interface.
- Upon failover, the standby ASA (now active) swaps all interface IP addresses and MAC addresses with the previously active ASA to maintain consistency in the ARP caches of neighbouring devices.
- Any command that is explicitly configured on the standby unit will be deleted when the active unit sends its configuration file to the standby unit for replication.
- Once the devices are in active/standby mode, changes made on the standby unit are not replicated to the active unit. Changes made on the standby unit can be discarded by issuing the write standby exec command on the active unit, which overwrites all of the standby unit's configuration except its failover commands.