Sunday 23 February 2014

Active-Active Failover

The IP addresses of the failover link and the stateful link never change, regardless of which failover state the firewall is in. By default, the ASA that is the active unit for group 1 is also active for the system configuration.

Configuration

  1. Starting on the unit that will be the PRIMARY, with multiple mode and the contexts already in place, configure it in the system context. Failover group 1 is the default failover group. Create the first of the two failover groups:
    ASA1(config)#failover group 1
  2. Tell the failover system that the PRIMARY unit should be active for any context in this "failover group #1":
    primary
  3. Optionally, tell the system to take over the active role 2 minutes after a reboot by the primary unit for this group:
    preempt 120
  4. Do the same for failover group 2:
    failover group 2
  5. Tell the failover system that the SECONDARY unit should be active for any context in this "failover group #2":
    secondary
  6. Request a preempt 2 minutes after a reboot by the secondary unit for this group:
    preempt 120
  7. Tell the system which of the 2 failover groups each context is assigned to:
    ASA1(config)#context Ctx-1
    ASA1(config-ctx)#join-failover-group 1
    ASA1(config-ctx)#exit
    ASA1(config)#context Ctx-2
    ASA1(config-ctx)#join-failover-group 2
  8. Prepare the failover interfaces (the LAN failover link and the stateful link). Go to these interfaces and unshut the ports:
    no shutdown
  9. Tell this physical box its "priority" or title (Primary or Secondary). This priority (name) never changes for this physical unit, ASA1:
    failover lan unit primary
  10. Configure the names and IP addresses for the 2 failover connections on ASA1:
    failover lan interface fail-config G4
    failover link fail-state G5
    failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
    failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
  11. Set the prompt to include which context (if any) we are working in:
    prompt hostname context
  12. Change from the system execution space to the context Ctx-1 in order to add the standby addresses:
    changeto context Ctx-1
    int G1
    ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
    int G3
    //optionally add MAC addresses on the shared interface for this context
    mac-address cc1e.6783.1111 standby cc1e.6783.2222
    ip address 192.168.1.171 255.255.255.0 standby 192.168.1.181
  13. Change from Ctx-1 to the context Ctx-2 in order to add its standby addresses:
    changeto context Ctx-2
    interface ctx2_inside
    ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
    interface ctx2_outside
    mac-address cc1e.6783.3333 standby cc1e.6783.4444
    ip address 192.168.1.172 255.255.255.0 standby 192.168.1.182
  14. Move back to the system execution space and turn on failover:
    changeto system
    failover
  15. Save the system config and all the contexts' individual configs at the same time, then check the failover state:
    write mem all
    show failover state
  16. Go to the secondary firewall and verify it is in multiple mode, which is required for active/active. Check that it is the same hardware: same model, same number of interfaces, same function, etc.:
    show mode
  17. Tell this ASA what priority (title) it will have, Primary or Secondary:
    failover lan unit secondary
  18. Make sure the failover interface is up. Define the failover interface name and IPs:
    failover lan interface fail-config G4
    failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
  19. Turn on failover:
    failover

Optionally, the prompt can also show this unit's priority and its current failover state:
    prompt hostname priority context state
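A small consistency check over the system-context part of the configuration above, added here as an example (it is not from the original post and is not an ASA tool): it flags a standby address outside the failover link's subnet, a context that never joins a group (and so silently lands in the default group 1), a join to an undefined group, and more than the 2 permitted failover groups. The sample config is constructed from the post's commands, with one deliberate mistake on the stateful link.

```python
import ipaddress
import re

# Constructed sample of this post's system-context config; the fail-state standby is wrong on purpose.
SAMPLE_CONFIG = """
failover group 1
 primary
 preempt 120
failover group 2
 secondary
 preempt 120
context Ctx-1
 join-failover-group 1
context Ctx-2
 join-failover-group 2
context Ctx-3
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.5
"""

def lint_failover(config: str) -> list[str]:
    """Return findings for an Active/Active system-context configuration."""
    findings, groups, ctx_group, group, ctx = [], {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"failover group (\d+)", line):
            group, ctx = int(m[1]), None
            groups.setdefault(group, None)          # role filled in by the next line
        elif line in ("primary", "secondary") and group is not None:
            groups[group] = line                    # unit that is active for this group
        elif m := re.fullmatch(r"context (\S+)", line):
            ctx, group = m[1], None
            ctx_group.setdefault(ctx, None)         # None = no explicit join yet
        elif (m := re.fullmatch(r"join-failover-group (\d+)", line)) and ctx:
            ctx_group[ctx] = int(m[1])
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            name, active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if active == standby or ipaddress.ip_address(standby) not in net:
                findings.append(f"{name}: standby {standby} not a distinct host in {net}")
    if len(groups) > 2:
        findings.append("more than 2 failover groups defined (maximum is 2)")
    findings += [f"failover group {g}: no primary/secondary set" for g, r in groups.items() if r is None]
    for c, g in ctx_group.items():
        if g is None:
            findings.append(f"context {c}: no join-failover-group, defaults to group 1")
        elif g not in groups:
            findings.append(f"context {c}: joins undefined failover group {g}")
    return findings
```

Running it on the sample reports the out-of-subnet fail-state standby and Ctx-3 falling back to group 1.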

To handle asymmetric routing, if there is any, use an ASR group: add the interface to the ASR group (under routing) in each context. A maximum of 2 failover groups can be created.

Configuring Support for Asymmetrically Routed Packets

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the ASA that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two ASAs in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.

You can prevent the return packets from being dropped using the asr-group command on interfaces where this is likely to occur. When an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one of the following actions occurs:

If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.

If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.
-----

How the Security Appliance Classifies Packets

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send a packet. This section includes the following topics:

Valid Classifier Criteria

This section describes the criteria used by the classifier, and includes the following topics:

Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring the MAC Address" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).

NAT Configuration

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control.

For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context:

Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
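The three classifier criteria above, in the order the ASA applies them, as an added simulation (this is example code, not the original post's or Cisco's): unique ingress interface first, then a per-context MAC on a shared interface, and finally a destination-IP lookup against the subnets learned from the static commands. The contexts, MACs and packets are constructed for the example; a context with no MAC entry for the shared interface models the default burned-in MAC, which is the same in every context and therefore cannot classify.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Context:
    name: str
    interfaces: set                          # interfaces allocated to this context
    macs: dict = field(default_factory=dict)  # interface -> MAC configured in this context
    nat_subnets: list = field(default_factory=list)  # subnets learned from static/global

@dataclass
class Packet:
    ingress: str
    dst_mac: str
    dst_ip: str

def classify(pkt: Packet, contexts: list) -> Optional[str]:
    """Return the name of the context the packet is classified into, or None if dropped."""
    # 1. Unique interface: only one context owns the ingress interface.
    candidates = [c for c in contexts if pkt.ingress in c.interfaces]
    if len(candidates) == 1:
        return candidates[0].name
    # 2. Shared interface: a MAC address that is unique to one context decides.
    by_mac = [c for c in candidates
              if c.macs.get(pkt.ingress, "").lower() == pkt.dst_mac.lower()]
    if len(by_mac) == 1:
        return by_mac[0].name
    # 3. Otherwise only the destination IP is consulted, against NAT-derived subnets.
    dst = ipaddress.ip_address(pkt.dst_ip)
    by_nat = [c for c in candidates if any(dst in n for n in c.nat_subnets)]
    return by_nat[0].name if len(by_nat) == 1 else None

def net(cidr: str):
    return ipaddress.ip_network(cidr)

# Constructed sample: three contexts share the "shared" interface; the statics
# are the ones from the post. Only context C has set its own MAC on "shared".
CONTEXTS = [
    Context("A", {"insideA", "shared"}, nat_subnets=[net("10.10.10.0/24")]),
    Context("B", {"insideB", "shared"}, nat_subnets=[net("10.20.10.0/24")]),
    Context("C", {"insideC", "shared"}, {"shared": "cc1e.6783.1111"}, [net("10.30.10.0/24")]),
]
```

A packet for 10.20.10.7 arriving on the shared interface with the burned-in MAC reaches context B via the static, while the same packet addressed to C's MAC goes to C because the MAC check runs before the NAT lookup; a destination no static covers is dropped.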
