
ASA5505 security plus license
1. Supports stateless Active/Standby failover.
2. Supports an unrestricted DMZ.
The version used for this lab is 8.2(1).
Placement recommendation
You can connect the ASA5505 pair directly with a cable. However, if that link fails, both ASA5505 units will see their own switchport go down. The more recommended approach is to connect the pair through a switch, as shown in the diagram above; with this placement, if the primary unit's link fails, the secondary unit's link stays up.
Switch switchport configuration recommendation
For faster convergence, enable PortFast and configure the port that connects to the ASA as an access port.
3560-1#
interface FastEthernet0/1
switchport access vlan 30
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast
end
interface FastEthernet0/2
switchport access vlan 30
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast
end
Primary ASA unit configuration
Reference article:
http://linuxsysadminblog.com/2009/02/cisco-asa-5505-activestandby-failover-configuration/
The secondary unit has the same configuration steps, except that the failover lan unit secondary command is used.
Step 1: Create a VLAN dedicated to failover. Do not configure an IP address directly on the VLAN interface; the IP address should be assigned using the failover command.
asa-1(config)#
interface Vlan30
description LAN Failover Interface
Step 2: Turn on failover in global config mode.
asa-1(config)#
failover
Step 3: Declare the unit as the primary or secondary failover unit.
asa-1(config)#
failover lan unit primary
Step 4: Define the VLAN as the failover interface.
asa-1(config)#
failover lan interface fo Vlan30
Note: The CLI help has room for improvement; it misleads unfamiliar users when declaring a VLAN interface as a failover interface. Take a look at the help:
asa-1(config)# failover lan interface ?
configure mode commands/options:
WORD Specify the interface name
The configuration guidance is not precise. Take a look further.
asa-1(config)# failover lan interface fo
ERROR: Legacy syntax is only supported for configure conversion.
<output truncated>
Now take a look again:
asa-1(config)# failover lan interface fo ?
configure mode commands/options:
WORD Specify dynamic interface
I have no idea what to put after the failover interface name.
Step 5: Assign the IP addresses for the primary and secondary units; the syntax is identical on the secondary unit.
asa-1(config)#
failover interface ip fo 10.30.30.1 255.255.255.252 standby 10.30.30.2
Step 6: Assign the switchport to vlan 30.
asa-1(config)#
interface Ethernet0/1
switchport access vlan 30
Warning: All Ethernet switchports on the ASA5505 are shut down by default. You will not notice this, because when you connect a cable from the ASA5505 switchport to another Ethernet port the link light still comes on. You need to explicitly issue no shutdown on the switchport interface.
Verification
Primary unit:
asa-1(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 21:38:15 UTC May 1 2011
This host: Primary – Active
Active time: 12350 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 407 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Secondary unit:
asa-1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 08:52:31 UTC May 1 2011
This host: Secondary – Standby Ready
Active time: 407 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Active
Active time: 12424 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Once failover is established, the secondary unit synchronizes its configuration from the primary unit.
During Link failure
Secondary unit:
asa-1(config)# Failover LAN Failed
asa-1(config)#
Switching to Active
asa-1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (Failed – No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:09:56 UTC May 1 2011
This host: Secondary – Active
Active time: 425 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Failed
Active time: 12475 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Unknown/Unknown)
slot 1: empty
During a switchover, the current active sessions between the firewall and other network devices are lost. This is because the ASA5505 supports only stateless Active/Standby failover: the standby unit synchronizes the configuration from the primary unit but not its state tables, so a failover like this causes a short outage.
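As an added example that is not part of the original post, the following Python script parses show failover output like the listings above and reports the conditions a monitor would alert on: failover LAN down, a mate in Failed state, a version mismatch, or both units Active after the failover link is lost. The embedded sample is constructed from the link-failure listing; the function and field names are my own.

```python
import re
from typing import Dict, List
# Constructed sample, modelled on the "During Link failure" listing above.
SAMPLE_LINK_FAILED = """\
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (Failed - No Switchover)
Version: Ours 8.2(1), Mate 8.2(1)
This host: Secondary - Active
        Active time: 425 (sec)
Other host: Primary - Failed
"""
# Real ASA output separates role and state with "-"; copied listings often carry an en dash.
HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+[-\u2013]\s+(.+?)\s*$")
LAN_RE = re.compile(r"^Failover LAN Interface:\s+(\S+\s+\S+)\s+\((.+)\)\s*$")
VER_RE = re.compile(r"^Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")

def parse_show_failover(text: str) -> Dict[str, str]:
    # Pull out only the fields a monitor needs from 'show failover' output.
    st: Dict[str, str] = {"enabled": "off"}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            st["enabled"] = "on"
        elif line.startswith("Failover unit "):
            st["unit"] = line.split()[-1]
        elif m := LAN_RE.match(line):
            st["lan_if"], st["lan_state"] = m.group(1), m.group(2)
        elif m := VER_RE.match(line):
            st["ours_ver"], st["mate_ver"] = m.group(1), m.group(2)
        elif m := HOST_RE.match(line):
            who, role, state = m.groups()  # e.g. "This", "Secondary", "Active"
            st[who.lower() + "_role"], st[who.lower() + "_state"] = role, state
    return st
HEALTHY = {"Active", "Standby Ready"}
def check_health(st: Dict[str, str]) -> List[str]:
    # Findings worth alerting on; an empty list means the pair looks healthy.
    findings = []
    if st.get("enabled") != "on":
        findings.append("failover is off")
    if st.get("lan_state") != "up":
        findings.append(f"failover LAN {st.get('lan_if')} is {st.get('lan_state')}")
    if st.get("ours_ver") != st.get("mate_ver"):
        findings.append("software version mismatch between units")
    if st.get("this_state") == "Active" and st.get("other_state") == "Active":
        findings.append("both units Active (split brain)")
    for who in ("this", "other"):
        if st.get(who + "_state") not in HEALTHY:
            findings.append(f"{who} host ({st.get(who + '_role')}) is {st.get(who + '_state')}")
    return findings
```

Run it periodically against the captured output of show failover on each unit; the split-brain check only fires when both units report Active, which is exactly the state the direct-cable placement warned about above can produce.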
Link recovery
asa-1(config)# Failover LAN became OK
Switchover enabled
asa-1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:13:47 UTC May 1 2011
This host: Secondary – Active
Active time: 591 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Active
Active time: 12736 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
asa-1(config)#
State check detected an Active mate
asa-1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:13:47 UTC May 1 2011
This host: Secondary – Cold Standby
Active time: 596 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Active
Active time: 12742 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
asa-1(config)# Beginning configuration replication from mate.
ciscoasa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:13:47 UTC May 1 2011
This host: Secondary – Sync Config
Active time: 596 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Active
Active time: 12745 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
asa-1(config)# End configuration replication from mate.
Switching to Standby
asa-1(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fo Vlan30 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 09:14:19 UTC May 1 2011
This host: Secondary – Standby Ready
Active time: 596 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Other host: Primary – Active
Active time: 12938 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(1)) status (Up Sys)
slot 1: empty
Secondary unit failover configuration
asa-1(config)# sh run failover
failover
failover lan unit secondary
failover lan interface fo Vlan30
failover interface ip fo 10.30.30.1 255.255.255.252 standby 10.30.30.2