Failover

The failover feature on Cisco ASA ensures that the secondary Cisco ASA takes over the connections if the primary device fails to respond. The security Cisco ASA also supports Active/Active failover, in which both Cisco ASA are active and standby at the same time.

For this example, SecureMe is trying to set up two security Cisco ASA in failover mode. There are two security contexts configured: Cubs and Bears. The requirements for the Cisco ASA devices are as follows:

  • The primary Cisco ASA will act as an active unit for the Cubs context while the secondary Cisco ASA will act as an active unit for the Bears context. These Cisco ASA will act as a backup for the other context.
  • Use GigabitEthernet0/3 for both LAN failover and stateful failover updates.

To achieve the preceding listed requirements, use the following steps:

Step 1.

Enable failover.

To configure failover, navigate to Configuration > Features > Failover under the System context, as shown in Figure 19-27. Select GigabitEthernet0/3 as the LAN Failover and the Stateful Failover interface. The interface is labeled FOCtrlIntf. The primary failover interface IP address is 10.10.10.1, while the standby address is 10.10.10.2. The shared key is set to cisco123 (which appears in asterisks). Once done, check Enable Failover to turn on the failover on the security Cisco ASA.
 

Figure 19-27. Enabling Failover

 

Step 2.

Define failover groups.

You can define failover groups by clicking the Failover Groups tab and then clicking Add. A security Cisco ASA is being configured for Failover Group 1 in the Primary preferred role, as shown in Figure 19-28. Because stateful failover is enabled, the security Cisco ASA will replicate the stateful connections to the standby firewall. Additionally, this security Cisco ASA is set up to preempt the state if it is acting as a primary device for Failover Group 1.
 

Figure 19-28. Setting Failover Groups


Similarly, add another failover group to be in the Secondary role with the preempt option enabled.
 

Step 3.

Map failover groups to security contexts.

Set up the Active/Active failover to map the failover group to the appropriate security contexts. To do so, navigate to Configuration > Features > Security Contexts and select the security context that needs to be enabled for failover. In Figure 19-29, the Cubs context is modified to make it a member of Failover Group 1, while the Bears context is a part of Failover Group 2.
 

Figure 19-29. Mapping of Failover Group to Security Context

 

Example 19-9 shows the complete configuration of failover as generated by ASDM.

Example 19-9. Failover Configuration Generated by ASDM

failover group 1

 primary

 polltime interface 15

 interface-policy 1

failover group 2

 secondary

 polltime interface 15

 interface-policy 1

failover

context Cubs

 join-failover-group 1

context Bears

 join-failover-group 2

failover active

If you navigate to Monitoring > Features > Failover > System under the System context, ASDM displays the output of show failover in the GUI. You can choose to make an Cisco ASA active or standby, reset failover, and reload the standby Cisco ASA, as shown in Figure 19-30.

Figure 19-30. Monitoring Failover


Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies



Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net