PIX8.0: Configuring Active/Standby failover using ASDM 6.1

ASDM is a learning tool; turn on the preview-command option before you begin configuring with ASDM, so that every change you make in the GUI shows you the CLI commands it will send.

Tools > Preferences, turn on the preview.


For this configuration I am using a secondary pix (pix-2).

For some reason, the High availability wizard cannot be launched, hence I configured the failover without Wizard’s help.

The concept is not difficult; for a better understanding of it you can refer to “Cisco ASA, PIX and FWSM Firewall Handbook” by David Hucaby.

The shared key is optional and can be left blank. The LAN failover section is the device failover: if the primary pix fails, the secondary pix takes over for it. If State failover is not configured, all state tables and connections are lost at that point and every session has to be re-established once the secondary pix takes over.

The LAN failover section of the GUI sends these commands:

pix-2(config)# failover lan unit secondary

pix-2(config)# failover lan interface lanfo e0
INFO: Non-failover interface config is cleared on Ethernet0 and its sub-interfaces

pix-2(config)# failover interface ip lanfo 192.168.100.1 255.255.255.0 standby 192.168.100.2

The state failover section is the stateful failover feature: all state tables (TCP and UDP sessions and so on) are copied to the secondary pix continuously, so on failover the secondary pix already holds a clone of the primary pix's state information.

If your pix has enough port density, it is recommended to carry LAN failover and stateful failover on different physical interfaces. For this example I will use one physical interface to carry both the stateful and the LAN failover traffic.

The state failover section sends these commands:

pix-2(config)# failover link lanfo e0

pix-2(config)# failover replication http

By default all state sessions are replicated to the secondary pix; however, HTTP is special: unless it is explicitly enabled, the secondary pix will not have the HTTP state information.

pix-2(config)# failover
pix-2(config)# .

No Response from Mate

This is because the primary pix has not been set up yet; this configuration example is only to show how the secondary is configured.

This tab is for tuning the A/S failover timers; the default is a 15s hello and a 45s (3x the hello timer) hold-down time.

This is the command. The command I typed here is different from the one shown in the picture; I actually tuned it down to msec on the command line. It is not recommended to tune the hello too low: if it is too low it may cause an unnecessary failover despite no failure, especially during congestion, when hellos may be delayed and a millisecond timer has little tolerance for delay.

pix-2(config)# failover polltime msec 300 holdtime msec 900

This tab is optional; it creates a set of virtual active and standby MAC addresses. If it is not configured, the real MAC addresses are used. There’s no option for Ethernet 0… this is strange.
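Since the post only shows the commands entered on the secondary pix, here is the complete set for both units of the pair, as an added example that is not from the original post. It follows the post's design (one physical interface, Ethernet0, carries both LAN failover and stateful failover, and HTTP replication is turned on); the unit hostnames, the second interface name (Ethernet1), the addresses and the shared key are assumed values. The shared key is optional as the post says, but without it the state replication on the failover link travels unauthenticated and unencrypted.

```cisco
! ---- primary unit: enter the full configuration here ----
pix-1(config)# failover lan unit primary
pix-1(config)# failover lan interface lanfo Ethernet0
pix-1(config)# failover interface ip lanfo 192.168.100.1 255.255.255.0 standby 192.168.100.2
! same interface doubles as the stateful link (post's single-interface design)
pix-1(config)# failover link lanfo Ethernet0
! HTTP sessions are not replicated unless this is set
pix-1(config)# failover replication http
! optional: authenticates and encrypts failover communication (assumed key value)
pix-1(config)# failover key MySharedKey123
! optional: virtual MACs on a data interface so the active address does not change on failover
pix-1(config)# failover mac address Ethernet1 0000.0000.0001 0000.0000.0002
pix-1(config)# failover
! saving on the active unit replicates the running configuration to the standby
pix-1(config)# write memory

! ---- secondary unit: only the failover link is configured; the rest is replicated ----
pix-2(config)# failover lan unit secondary
pix-2(config)# failover lan interface lanfo Ethernet0
pix-2(config)# failover interface ip lanfo 192.168.100.1 255.255.255.0 standby 192.168.100.2
pix-2(config)# failover link lanfo Ethernet0
pix-2(config)# failover

! ---- verification on either unit ----
pix-1# show failover
```

Note that the `failover interface ip` command is entered identically on both units: the primary uses the first address and the standby uses the address after the `standby` keyword. Check `show failover` after the second unit is brought up; it should report this host as Active and the other host as Standby Ready, and the "No Response from Mate" message seen earlier should no longer appear. The timer tuning is left at the defaults here for the reason the post gives.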

Always remember, ASDM is not only a GUI configurator tool it is ultimately a learning tool for engineers like us 😉

This entry was posted in ASA/PIX, High Availability, Security.
