Failover(LAN failover) cable and Stateful cable
In stateful replication - DHCP leased addresses, phone proxy info, hardware modules are not replicated.
HTTP is replicated if HTTP option is enabled.
Active unit uses the "system" IP addresses while Standby unit uses "standby" addresses (in current IP address).
If failover happens, normal routed interfaces on the new active unit will use the system IP address. The IP addresses on the configuration and stateful failover links do not change or swap.
Only implement config changes on an active unit.
When failover happens, active firewall interface takes over the mac addresses of previously active firewall interfaces.
Failover Configuration
When a failover pair starts, (almost) entire configuration from the active unit is replicated to the standby which overwrites the standby's old configuration. Use cross over cables for failover and stateful links.If you use a Vlan for the failover cables, enalbe portfast to minimize failover delay.
- Go to each interface and assign active and standby address. Interface IPs on primary and secondary must be in same vlan.
ip address 10.0.0.1 255.255.255.252 standby 10.0.0.2 - Tell ASA that gig3 will be named "fail-1" and that will be used to replicate the configuration between ASA1 and ASA2
failover lan interface fail-1 G3 - Use the failover command to assign "fail-1" the active and standby IP addresses
failover interface ip fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 - Specify the key to be used between primary and secondary
failver key cisco - Tell the ASA that gig4 will be named "fail-2" .Note that the word "link" is the clue to identify this is the stateful connection. This is for the link used just for "stateful" info to be shared between active and standby
failover link fail-2 G4 - Assign IP address for "fail-2" active and standby
failover interface ip fail-2 10.2.2.1 255.255.255.252 standby - Tell this ASA that its title will be "Primary". If an active is found to already be on the network (after power trip or something), standby will get a full "re-sync" of the config from that current active device.
failover lan unit primary - Default hostname will be the same for both active and standby units due to the config being replicated. So, change the prompt to show: Primary or Secondary and Active or Standby
prompt hostname priority state - Turn on the failover
failover
--- Optionally, also replicate the HTTP sessions
failover replication http - On secondary unit, just need to configure failover interface
clear config all
int G3
no shut
failover lan interface fail-1 G3
failover interface ip fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover lan unit secondary
failover
- To troubleshoot failover
failover - To force failover to standby device, issue below command on active unit
no failover active
No comments:
Post a Comment