Firewall: Configuring stateful Active/Standby failover using a pair of PIX525

Logical network diagram to demonstrate stateful A/S failover using a pair of PIX525 (version 8.0(4)) and a Catalyst 3560 switch

Prerequisites for Active/Active and Active/Standby failover

1. If you own a pair of PIX525s, you need an unrestricted license to use the failover feature. The license output looks like this:

Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

2. For ASA, A/A failover is available from the ASA5510 onwards and the firewall OS must be version 7.0(1) or later. For PIX, only the 515E, 525 and 535 platforms can do A/A failover. For FWSM, the OS must be version 3.1(1) or later.

3. A/A failover requires the multiple context feature to be enabled on the firewall. A firewall context is a virtual firewall. The logic behind Active/Active is that each context has one Active/Standby group: the first group is configured with FW1 as primary and FW2 as secondary, and the second context has FW1 as secondary and FW2 as primary. In other words, A/A failover is a series of A/S failovers across multiple contexts.

Most redundancy mechanisms, GLBP being the exception, have a primary unit doing the work and a secondary unit idling.

4. Hardware and software on both units must be identical. That is, if one PIX525 has a module with 4 routed ports and runs version 8.0(4), the other PIX525 must also have a module with 4 routed ports and run version 8.0(4).

PIX525 failover choices

1. The default failover interface is the serial interface; you must turn on LAN-based failover if you use an Ethernet port.

2. It is recommended to isolate failover traffic from data traffic.

3. The PIX525 I am using has 6 routed ports: 2 built-in Fast Ethernet ports and a module consisting of 4 routed ports.

4. The PIX525 has a failover serial interface dedicated to failover traffic; a failover serial cable has to be connected between the firewall pair. However, serial-based failover is suitable only for A/S failover, not for A/A failover. If you use A/A failover on a PIX525 you must use LAN-based failover.

WS3560-24TS-E configuration

interface FastEthernet0/1
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end

interface FastEthernet0/2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end

Primary PIX525 unit configuration (all in global configuration mode)

Step 1: Define the failover unit role, i.e. either primary or secondary.

failover lan unit primary

Step 2 (PIX only): Turn on LAN-based failover. The default is serial-based failover.

failover lan enable

Step 3: Define the failover interface, i.e. give the failover interface a name and assign a physical Ethernet interface to it. Do not assign an IP address to the physical interface beforehand, because this command clears all configuration on the physical interface.

failover lan interface failover Ethernet0

Step 4 (optional): Turn on stateful failover by specifying which interface is responsible for sending connection state information (UDP and TCP connection states, NAT states and other protocol states) to the standby unit. This is not mandatory; if you skip this step your failover is stateless.

failover link failover Ethernet0

I am using the same link for sending state information. You are free to define another physical interface to send state information, and this is the recommended way, as the link will then not be bogged down by state information as well as failover traffic. State information can be overwhelming if your number of connections is very high. Hence it is recommended to use LAN-based failover for stateful failover.

Step 5: Assign IP addresses to the failover pair.

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

This command is identical on the standby unit.

Step 6: Once the pair has the configuration from steps 1 to 5, turn on failover.

failover

Verification: Standby unit failover output

This is the stateful failover output from the secondary unit. You can see a state table which contains UDP, TCP, NAT and VPN states.

Primary unit failover configuration at a glance

failover
failover lan unit primary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

Secondary unit failover configuration at a glance

failover
failover lan unit secondary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

The only difference is the role of the failover unit; the rest of the commands are identical.
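As an added example (not from the post or Cisco), a small Python checker that reads the two "at a glance" listings above and confirms they differ only in the unit role, reports the PIX-specific `failover lan enable` if it is missing, and warns when the stateful link shares the failover interface, as it does in this setup:

```python
import re

# Constructed from the post's two "at a glance" listings (not the author's own tooling).
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
"""
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")

def parse_failover(cfg):
    """Collect the failover-related commands of one unit into a dict."""
    s = dict(on=False, lan_enable=False, unit=None, lan_if=None, link_if=None, ip=None)
    for line in cfg.splitlines():
        line = line.strip()
        if line == "failover":
            s["on"] = True
        elif line == "failover lan enable":
            s["lan_enable"] = True
        elif m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            s["unit"] = m.group(1)
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            s["lan_if"] = m.group(2)          # physical interface, e.g. Ethernet0
        elif m := re.fullmatch(r"failover link (\S+) (\S+)", line):
            s["link_if"] = m.group(2)         # stateful link, may equal lan_if
        elif m := re.fullmatch(r"failover interface ip \S+ (\S+) (\S+) standby (\S+)", line):
            s["ip"] = m.groups()              # (active ip, mask, standby ip)
    return s

def check_pair(primary_cfg, secondary_cfg):
    """Return (errors, warnings) for a PIX LAN-based failover pair."""
    a, b = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    errors, warnings = [], []
    if (a["unit"], b["unit"]) != ("primary", "secondary"):
        errors.append("roles must be exactly one primary and one secondary")
    for key in ("lan_if", "link_if", "ip"):   # everything but the role must match
        if a[key] != b[key]:
            errors.append(f"{key} differs between units")
    for name, s in (("primary", a), ("secondary", b)):
        if s["lan_if"] and not s["lan_enable"]:  # PIX needs this; ASA does not
            errors.append(f"{name}: 'failover lan enable' missing")
        if not s["on"]:
            errors.append(f"{name}: 'failover' not turned on")
    if a["link_if"] and a["link_if"] == a["lan_if"]:
        warnings.append("stateful link shares the failover interface; a dedicated link is recommended")
    return errors, warnings
```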

During link failure

pix-1(config)# sh failover
Failover On
Cable status: N/A – LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 22:50:12 UTC May 1 2011
  This host: Secondary – Active
Active time: 60 (sec)
Other host: Primary – Failed
Active time: 4305 (sec)

Stateful Failover Logical Update Statistics
Link : failover Ethernet0 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         545        0          544        1
sys cmd         545        0          544        1
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        0          0          0          0
UDP conn        0          0          0          0
ARP tbl         0          0          0          0
Xlate_Timeout   0          0          0          0
VPN IKE upd     0          0          0          0
VPN IPSEC upd   0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     0          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       1       4671
Xmit Q:         0       1       545
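To turn the `show failover` output above into something a monitoring job can act on, here is an added Python example (not the author's) that parses the fields shown and raises alerts for the conditions visible in this capture: the peer marked Failed, the secondary running as Active, zero monitored interfaces, and the non-zero rerr counter. The sample input is constructed from the post's own output.

```python
import re

# Constructed sample: the 'sh failover' lines from the post this parser reads ('-' or en dash accepted).
SAMPLE = """\
Failover On
Failover LAN Interface: failover Ethernet0 (up)
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
  This host: Secondary - Active
Other host: Primary - Failed
Stateful Obj    xmit       xerr       rcv        rerr
General         545        0          544        1
"""

def parse_show_failover(text):
    # Health-relevant fields only; everything else in the output is ignored.
    f = dict(on=False, this=None, other=None, ours=None, mate=None, monitored=None, xerr=0, rerr=0)
    for line in text.splitlines():
        line = line.strip()
        if line == "Failover On":
            f["on"] = True
        elif m := re.match(r"This host: (\w+) [-\u2013] (\w+)", line):
            f["this"] = (m[1], m[2])          # (role, state) of the unit we are on
        elif m := re.match(r"Other host: (\w+) [-\u2013] (\w+)", line):
            f["other"] = (m[1], m[2])         # (role, state) of the peer
        elif m := re.match(r"Monitored Interfaces (\d+) of", line):
            f["monitored"] = int(m[1])
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            f["ours"], f["mate"] = m[1], m[2]
        elif m := re.match(r"General\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", line):
            f["xerr"], f["rerr"] = int(m[2]), int(m[4])   # 'General' row totals all objects
    return f

def assess(f):
    # Alerts a monitoring job would raise for one unit's parsed 'show failover'.
    alerts = []
    if not f["on"]:
        alerts.append("failover is off")
    if f["other"] and f["other"][1] == "Failed":
        alerts.append(f"peer ({f['other'][0]}) has failed")
    if f["this"] == ("Secondary", "Active"):
        alerts.append("secondary is active: a failover has occurred")
    if f["ours"] != f["mate"]:
        alerts.append(f"version mismatch: ours {f['ours']}, mate {f['mate']}")
    if f["monitored"] == 0:
        alerts.append("no interfaces monitored: only unit polling can detect failures")
    if f["xerr"] or f["rerr"]:
        alerts.append(f"stateful update errors: xerr={f['xerr']} rerr={f['rerr']}")
    return alerts
```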

This entry was posted in ASA/PIX, High Availability, Security.