
Prerequisites for Active/Active and Active/Standby failover
1. If you own a pair of PIX525s, you need an Unrestricted (UR) license to use the failover feature.
Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
2. For ASA, A/A failover is available from the ASA5510 onwards, and the firewall OS must be version 7.0(1) or greater. For PIX, only these platforms can do A/A failover: 515E, 525 and 535. For FWSM, the OS must be version 3.1(1) or greater.
3. A/A failover requires the multiple-context feature to be enabled on the firewall. A firewall context is a virtual firewall. The logic behind Active/Active is that each context belongs to a group with one Active and one Standby unit: the first group is configured with FW1 as primary and FW2 as secondary, the second with FW1 as secondary and FW2 as primary. In effect, A/A failover is a series of A/S failovers across multiple contexts.
Most redundancy mechanisms, GLBP being an exception, have a primary unit doing the work and a secondary unit idling.
4. Hardware and software on both units must be identical. That is, if one PIX525 has a module with 4 routed ports and runs version 8.0(4), the other PIX525 must also have a module with 4 routed ports and run version 8.0(4).
PIX525 failover choices
1. The default failover interface is the serial interface; you must turn on LAN-based failover if you use an Ethernet port.
2. It is recommended to isolate failover traffic from data traffic.
3. The PIX525 I am using has 6 routed ports: 2 built-in Fast Ethernet ports and a module consisting of 4 routed ports.
4. The PIX525 has a failover serial interface for failover traffic only; a failover serial cable has to be connected between the firewall pair. However, serial-based failover is suitable for A/S failover but not for A/A failover: if you use A/A failover on the PIX525 you must use LAN-based failover.
WS3560-24TS-E configuration
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
interface FastEthernet0/2
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
end
Primary PIX525 unit configuration (all in global mode)
Step 1: Define the failover unit role, i.e. either primary or secondary.
failover lan unit primary
Step 2 (for PIX only): Turn on LAN-based failover. The default is serial-based failover.
failover lan enable
Step 3: Define the failover interface, i.e. the name of the failover interface, and assign a physical Ethernet interface to it. Do not assign an IP address to the physical interface, because this command clears all configuration done on the physical interface.
failover lan interface failover Ethernet0
Step 4 (optional): Turn on stateful failover by specifying which interface is responsible for sending connection state information (UDP and TCP connection states, NAT states and other protocol states) to the standby unit. This is not mandatory; if you skip this step your failover is stateless.
failover link failover Ethernet0
I am using the same link for sending state information; you are free to define another physical interface to send state information, and a separate interface is recommended, as the link will then not be bogged down by state information as well as failover traffic. State information can be overwhelming if your number of connections is very high. Hence it is recommended to use LAN-based failover for stateful failover.
Step 5: Assign IP addresses for the failover pair.
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
This command is identical on the standby unit.
Step 6: Once both units have the configuration from steps 1 to 5, turn on failover.
failover
Verification: Standby unit failover output

Primary unit failover configuration at a glance
failover
failover lan unit primary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
Secondary unit failover configuration at a glance
failover
failover lan unit secondary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
The only difference is the role of the failover unit. The rest of the commands are identical.
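As an added example (not from the original post), a Python check that the primary and secondary configurations differ only in their unit role, that the mandatory LAN-based failover commands from steps 2, 3 and 5 are present, and that the stateful link is not sharing the failover interface; the configuration strings are copied from the two listings above, and the check names are my own.

```python
import re

# Constructed from the two "at a glance" configurations shown above.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover Ethernet0
failover lan enable
failover link failover Ethernet0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
"""
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")

# Commands every LAN-based failover unit must carry (steps 2, 3 and 5).
REQUIRED = ("failover lan enable", "failover lan interface ", "failover interface ip ")

def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]

def _role(lines):
    for ln in lines:
        m = re.fullmatch(r"failover lan unit (primary|secondary)", ln)
        if m:
            return m.group(1)
    return None

def _without_role(lines):
    return sorted(ln for ln in lines if not ln.startswith("failover lan unit"))

def _iface(lines, prefix):
    # Last token of e.g. "failover link failover Ethernet0" is the physical port.
    return next((ln.split()[-1] for ln in lines if ln.startswith(prefix)), None)

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    p, s = _lines(primary_cfg), _lines(secondary_cfg)
    roles = (_role(p), _role(s))
    if roles != ("primary", "secondary"):
        findings.append(f"unit roles wrong: {roles}")
    if _without_role(p) != _without_role(s):
        findings.append("non-role lines differ between units")
    for req in REQUIRED:
        if not any(ln.startswith(req) for ln in p):
            findings.append(f"missing: {req.strip()}")
    lan_if, state_if = _iface(p, "failover lan interface "), _iface(p, "failover link ")
    if lan_if and lan_if == state_if:
        findings.append(f"stateful link shares failover interface {lan_if}")
    return findings
```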
During link failure
pix-1(config)# sh failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Secondary
Failover LAN Interface: failover Ethernet0 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 22:50:12 UTC May 1 2011
This host: Secondary - Active
Active time: 60 (sec)
Other host: Primary - Failed
Active time: 4305 (sec)
Stateful Failover Logical Update Statistics
Link : failover Ethernet0 (up)
Stateful Obj xmit xerr rcv rerr
General 545 0 544 1
sys cmd 545 0 544 1
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 4671
Xmit Q: 0 1 545
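As an added example (not from the original post), a Python parser for the show failover output above that extracts the peer state, version match, monitored-interface count and stateful update error counters and turns them into alerts; SAMPLE is a trimmed copy of that output, and the field names and alert conditions are my own assumptions.

```python
import re

# Constructed from the secondary unit's 'show failover' output shown above,
# trimmed to the lines the checks use.
SAMPLE = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0 (up)
Monitored Interfaces 0 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
This host: Secondary - Active
Other host: Primary - Failed
Stateful Obj xmit xerr rcv rerr
General 545 0 544 1
"""

def _first(pattern, text, default):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else default

def parse_show_failover(text):
    """Pull out the fields an operator looks at after a failover event."""
    text = text.replace("\u2013", "-")  # blog-style en dash back to a hyphen
    ours, mate = _first(r"^Version: Ours (\S+), Mate (\S+)", text, (None, None))
    lan_state, = _first(r"^Failover LAN Interface: .* \((\w+)\)", text, (None,))
    this_state, = _first(r"^This host: \w+ - (.+?)\s*$", text, (None,))
    other_state, = _first(r"^Other host: \w+ - (.+?)\s*$", text, (None,))
    monitored, = _first(r"^Monitored Interfaces (\d+)", text, ("0",))
    xerr, rerr = _first(r"^General\s+\d+\s+(\d+)\s+\d+\s+(\d+)", text, ("0", "0"))
    return {
        "lan_if_up": lan_state == "up",
        "version_match": ours is not None and ours == mate,
        "this_state": this_state,
        "other_state": other_state,
        "monitored_ifaces": int(monitored),
        "state_update_errors": int(xerr) + int(rerr),
    }

def failover_alerts(info):
    """Conditions worth paging on, derived from the parsed fields."""
    checks = [
        (not info["lan_if_up"], "failover LAN interface is down"),
        (not info["version_match"], "software versions differ between units"),
        ("Failed" in (info["other_state"] or ""), "peer unit failed: no redundancy"),
        (info["monitored_ifaces"] == 0, "no interfaces monitored: interface failure will not trigger failover"),
        (info["state_update_errors"] > 0, "stateful update errors on the failover link"),
    ]
    return [msg for hit, msg in checks if hit]
```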