Hello Adam,
Regarding the first question, you can specify one interface for failover
(where keepalives are being sent), and if one fails the standby ASA will take
over; you can specify another interface (could be the same) for stateful
failover, where the connection/states are being replicated from one ASA to
another. As I said, these interfaces can be the same or can be different
depending on your case & the number of connection states involved.
On the secondary firewall, the IP address for the interface uses the same
syntax as you specified for the primary.
If Active is: failover interface ip <NAME> 10.10.10.1 255.255.255.252 standby 10.10.10.2
Standby is: failover interface ip <NAME> 10.10.10.1 255.255.255.252 standby 10.10.10.2
Same configurations on both!
I believe replication will work even if no IP address is specified on the inside
interface, although I am not 100% sure.
Best Regards,
On Sun, Jun 6, 2010 at 3:34 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
> Hello Friends,
>
> But the above command is for LAN failover? That means I can use the same
> interface for LAN failover and stateful failover?
>
> What configuration do I have to do on the secondary firewall, the above configs in
> my previous mail that I have mentioned are correct, I don't have to
> specify any IP address on the inside interface of the secondary firewall,
> and if so then what will be the command syntax:
>
> ip add (secondary IP ) 255.255.255.0 standby (primary IP)
>
> *OR*
>
> IP add (primary IP ) 255.255.255.0 standby (secondary IP )
>
> If I don't specify any IP address on the inside interface, then how will the configs
> replicate? I hope by the failover link? Correct me if I'm
> wrong.
>
> Thanks for your support.
>
>
> On Sun, Jun 6, 2010 at 3:36 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
>> Hi,
>>
>> It seems you haven't chosen the failover interface; this command does it:
>> failover lan interface <name> interface
>>
>> Note that the failover link interface you have used pertains to stateful
>> failover, i.e. replicating the connections & state tables from one firewall
>> to another.
>>
>> Regards,
>>
>> On Sun, Jun 6, 2010 at 1:36 PM, adam gibs <adamgibs7_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have ASA with same hardware and software version, I have configured
>>> *stateful failover*. After configuring the primary, I booted the secondary and
>>> issued a write standby command on the primary, but no effect on the secondary. My
>>> inside interface and failover interface are on the same switch but in
>>> different VLANs.
>>>
>>> I have read in a book that while configuring STATEFUL FAILOVER you don't need to
>>> configure anything on the secondary. But still I have specified the inside IP
>>> address, but no output. Where am I missing something, friends? I have used 1
>>> dedicated interface for failover and the remaining 3 for inside, outside, DMZ.
>>>
>>> failover lan unit primary
>>> failover link failover gig0/3
>>> failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
>>> failover key cisco
>>> failover replication http
>>> failover
>>>
>>> *Secondary:*
>>> failover lan unit secondary
>>> failover link failover GigabitEthernet0/3
>>> failover key cisco
>>> failover interface ip Failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
>>> failover replication http
>>> failover
>>> I'm getting this warning on the secondary:
>>>
>>> WARNING: Failover enabled but the failover interface configuration is
>>> incomplete
>>> Failover will not take effect until the interface is fully
>>> configured
>>>
>>> *Secondary:*
>>>
>>> ciscoasa(config)# sh failover
>>> Failover On
>>> Failover unit Secondary
>>> Failover LAN Interface: not Configured
>>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>>> Interface Policy 1
>>> Monitored Interfaces 1 of 250 maximum
>>> failover replication http
>>> Version: Ours 8.0(4), Mate Unknown
>>> Last Failover at: 02:53:07 UTC Jun 6 2010
>>> This host: Secondary - Disabled
>>> Active time: 0 (sec)
>>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>>> Interface management (192.168.1.1): No Link (Waiting)
>>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)
>>> IPS, 6.0(6)E4, Up
>>> Other host: Primary - Not Detected
>>> Active time: 0 (sec)
>>> slot 0: empty
>>> Interface management (0.0.0.0): Unknown (Waiting)
>>> slot 1: empty
>>> Stateful Failover Logical Update Statistics
>>> Link : failover GigabitEthernet0/3 (up)
>>> Stateful Obj xmit xerr rcv rerr
>>> General 0 0 0 0
>>> sys cmd 0 0 0 0
>>> up time 0 0 0 0
>>> RPC services 0 0 0 0
>>> TCP conn 0 0 0 0
>>> UDP conn 0 0 0 0
>>> ARP tbl 0 0 0 0
>>> Xlate_Timeout 0 0 0 0
>>> VPN IKE upd 0 0 0 0
>>> VPN IPSEC upd 0 0 0 0
>>> VPN CTCP upd 0 0 0 0
>>> VPN SDI upd 0 0 0 0
>>> VPN DHCP upd 0 0 0 0
>>> SIP Session 0 0 0 0
>>> Logical Update Queue Information
>>> Cur Max Total
>>> Recv Q: 0 0 0
>>> Xmit Q: 0 0 0
>>>
>>> PRIMARY:
>>> Failover On
>>> Failover unit Primary
>>> Failover LAN Interface: not Configured
>>> Unit Poll frequency 1 seconds, holdtime 15 seconds
>>> Interface Poll frequency 5 seconds, holdtime 25 seconds
>>> Interface Policy 1
>>> Monitored Interfaces 4 of 250 maximum
>>> failover replication http
>>> Version: Ours 8.0(4), Mate Unknown
>>> Last Failover at: 22:11:24 UTC Jun 5 2010
>>> This host: Primary - Disabled
>>> Active time: 0 (sec)
>>> slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
>>> Interface management (192.168.1.1): No Link (Waiting)
>>> Interface outside (172.16.1.1): No Link (Waiting)
>>> Interface inside (192.168.2.1): Normal (Waiting)
>>> Interface DMZ (10.146.254.2): No Link (Waiting)
>>> slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)
>>> IPS, 6.0(6)E4, Up
>>> Other host: Secondary - Not Detected
>>> Active time: 0 (sec)
>>> slot 0: empty
>>> Interface management (0.0.0.0): Unknown (Waiting)
>>> Interface outside (172.16.1.3): Unknown (Waiting)
>>> Interface inside (192.168.2.2): Unknown (Waiting)
>>> Interface DMZ (10.146.254.3): Unknown (Waiting)
>>> slot 1: empty
>>> Stateful Failover Logical Update Statistics
>>> Link : failover GigabitEthernet0/3 (up)
>>> Stateful Obj xmit xerr rcv rerr
>>> General 0 0 0 0
>>> sys cmd 0 0 0 0
>>> up time 0 0 0 0
>>> RPC services 0 0 0 0
>>> TCP conn 0 0 0 0
>>> UDP conn 0 0 0 0
>>> ARP tbl 0 0 0 0
>>> Xlate_Timeout 0 0 0 0
>>> VPN IKE upd 0 0 0 0
>>> VPN IPSEC upd 0 0 0 0
>>> VPN CTCP upd 0 0 0 0
>>> VPN SDI upd 0 0 0 0
>>> VPN DHCP upd 0 0 0 0
>>> SIP Session 0 0 0 0
>>> Logical Update Queue Information
>>> Cur Max Total
>>> Recv Q: 0 0 0
>>> Xmit Q: 0 0 0
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> --
>> KJ
>>
>
>
--
KJ

Received on Sun Jun 06 2010 - 15:47:51 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART
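
An added example, not part of the original thread and not Cisco tooling: a small Python check that compares the failover statements of the two units quoted above and reports the gap the replies point to, a missing `failover lan interface` statement (the `Failover LAN Interface: not Configured` line in the `sh failover` output). The function names and the case-insensitive comparison of interface names are assumptions of this example.

```python
# Constructed from the primary/secondary configs quoted in the thread.
PRIMARY = """\
failover lan unit primary
failover link failover gig0/3
failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover key cisco
failover replication http
failover
"""
SECONDARY = """\
failover lan unit secondary
failover link failover GigabitEthernet0/3
failover key cisco
failover interface ip Failover 192.168.3.1 255.255.255.0 standby 192.168.3.2
failover replication http
failover
"""

def parse(cfg):
    """Collect one unit's failover statements (names lowercased: an assumption)."""
    out = {"unit": None, "lan_if": None, "link_if": None, "key": None, "ips": {}}
    for line in cfg.splitlines():
        w = line.split()
        if w[:3] == ["failover", "lan", "unit"] and len(w) == 4:
            out["unit"] = w[3]
        elif w[:3] == ["failover", "lan", "interface"] and len(w) >= 4:
            out["lan_if"] = w[3].lower()
        elif w[:2] == ["failover", "link"] and len(w) >= 3:
            out["link_if"] = w[2].lower()
        elif w[:2] == ["failover", "key"] and len(w) >= 3:
            out["key"] = w[2]
        elif w[:3] == ["failover", "interface", "ip"] and len(w) == 8 and w[6] == "standby":
            out["ips"][w[3].lower()] = (w[4], w[5], w[7])  # active ip, mask, standby ip
    return out

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings for a primary/secondary failover pair."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    for name, u in (("primary", p), ("secondary", s)):
        if u["lan_if"] is None:
            findings.append(f"{name}: no 'failover lan interface' statement")
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append("units must be one primary and one secondary")
    if p["ips"] != s["ips"]:
        findings.append("'failover interface ip' lines differ between units")
    if p["key"] != s["key"]:
        findings.append("failover key differs between units")
    return findings
```

Calling `check_pair(PRIMARY, SECONDARY)` on the configs as posted reports the missing statement on both units; the `failover interface ip` lines pass because they are identical on both, as the reply says they should be.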