Cisco ASA Active Standby Failover configuration with Port-Channel

Being in the field I’ve seen it way too many times: customers’ redundant security appliances have a high availability link that is itself a single point of failure.

In this post I’ll show how adding (3) additional lines of configuration can make a difference to your pair of stateful firewalls.

Topology

In this simple topology we have a pair of Cisco ASAv appliances running 9.5.2-204. First we need to define which will be our primary and which our secondary unit.

  • CiscoASAv9.5.2-204-1 will be our Primary firewall
  • CiscoASAv9.5.2-204-2 will be our Secondary firewall

We are going to use gi0/5 and gi0/6 on both units as our high availability link, presented as a port-channel. Please note that the port-channel command is not available on ASAv, but it will work on physical appliances.

Typically Missed (Bonus) Commands

  • Secret key between pair of firewalls
    • Recommended if no direct link is available between the pair of firewalls, i.e. when communication passes through an intermediary such as a DMZ switch, or if the units are not in close proximity.
  • HTTP replication
    • HTTP connection replication is NOT enabled by default in a stateful failover configuration.
      • Cisco explanation: “Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information.” For more info visit Cisco KB.
  • Monitor-interface
    • By default Cisco only monitors “physical” interfaces; if your environment uses sub-interfaces you will need to add them to the mix. For more, visit the Cisco KB.

Configuration

!configure failover interface on PRIMARY (using Port-channel)
int po 48
desc ASA-HA
no shut
 
int gi0/5
no shut
channel-group 48 mode on
 
int gi0/6
no shut
channel-group 48 mode on
!set failover interface and standby. Please note we will be using interface PO48 for LANFAIL instead of a physical interface. This is the main difference and the key game changer.
 
failover replication http
failover lan interface LANFAIL po48
failover interface ip LANFAIL 10.0.10.1 standby 10.0.10.2
 
!secret key
failover key letmein
 
!enable stateful failover
failover link LANFAIL po48
 
!set as primary
failover lan unit primary
 
!enable failover
failover
 
!configure failover interface on SECONDARY (using Port-channel)
int po 48
desc ASA-HA
no shut
 
int gi0/5
no shut
channel-group 48 mode on
 
int gi0/6
no shut
channel-group 48 mode on
 
!set failover interface and standby
failover lan interface LANFAIL po48
failover interface ip LANFAIL 10.0.10.1 standby 10.0.10.2
 
!set as secondary
failover lan unit secondary
 
!enable failover
failover
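As an added example (my own, not code from the post or from Cisco), a small Python audit that reads a running-config excerpt and reports which of the “typically missed” commands are absent and whether the failover LAN link is a port-channel rather than a single physical port. The sample config is constructed for the demonstration and deliberately omits two of the three commands.

```python
import re

# Constructed sample running-config excerpt (an assumption, not text from the post):
# it has a named sub-interface and omits "failover key" and "failover replication http".
SAMPLE_CONFIG = """\
interface Port-channel48
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
failover
failover lan unit primary
failover lan interface LANFAIL Port-channel48
failover link LANFAIL Port-channel48
failover interface ip LANFAIL 10.0.10.1 255.255.255.0 standby 10.0.10.2
monitor-interface outside
"""

def named_subinterfaces(lines):
    """Map nameif -> sub-interface (an interface whose name contains a dot)."""
    result, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" nameif ") and current and "." in current:
            result[line.split()[1]] = current
    return result

def audit_failover(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    lan = re.search(r"^failover lan interface \S+ (\S+)$", config, re.M)
    if not lan:
        findings.append("no failover LAN interface configured")
    elif not lan.group(1).lower().startswith("po"):
        findings.append(f"failover LAN link {lan.group(1)} is a single physical port")
    if not re.search(r"^failover key ", config, re.M):
        findings.append("failover key not set: HA link traffic is not encrypted")
    if "failover replication http" not in lines:
        findings.append("HTTP connections are not replicated to the standby unit")
    # Physical interfaces are monitored by default; sub-interfaces must be listed.
    monitored = {l.split()[1] for l in lines if l.startswith("monitor-interface ")}
    for name, intf in named_subinterfaces(lines).items():
        if name not in monitored:
            findings.append(f"sub-interface {intf} ({name}) is not monitored")
    return findings
```

Running `audit_failover(SAMPLE_CONFIG)` on the constructed config reports the missing key, the missing HTTP replication and the unmonitored dmz sub-interface.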

Verification

!console logging from Primary and Secondary
!CiscoASAv9.5.2-204-1
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
 
!CiscoASAv9.5.2-204-2
Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.
State check detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
 
!verify failover.
CiscoASAv9.5.2-204-1# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: LANFAIL GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.5(2)204, Mate 9.5(2)204
Last Failover at: 18:05:11 UTC Dec 22 2017
This host: Primary - Active
Active time: 710 (sec)
slot 0: empty
Interface outside (1.1.1.1): Unknown (Waiting)
Other host: Secondary - Standby Ready
Active time: 60 (sec)
Interface outside (1.1.1.2): Unknown (Waiting)
CiscoASAv9.5.2-204-1# sh failover state
 
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:05:26 UTC Dec 22 2017
 
====Configuration State===
Sync Done
====Communication State===
Mac set
 
====VM Properties Compatibility===
vCPUs      - This host:   1
             Other host:  1
Memory     - This host:   2048 Mhz
             Other host:  2048 Mhz
Interfaces - This host:   7
             Other host:  7
 
This concludes this exercise.
 
Give it a try and see if it works for you. If you have any questions please let me know.
 
I hope this has been informative to you and thanks for stopping by.
 
Regards,
Bart
