Active/Standby Failover on the ASA using command-line
Nowadays most businesses require fault tolerance in their network communication, meaning the network should support redundancy. On the Cisco ASA, Active/Standby failover is the feature used for this. The idea is to have two ASA firewalls interconnected with each other so that if the primary firewall fails, the standby immediately fails over and takes on the responsibility of allowing packets to pass through.
During Active/Standby failover operation, the IP address assigned to the active unit is the System IP address. If the active unit fails, the standby unit assumes the role of the active unit and starts to use the System IP address, as well as the MAC address of the failed active unit. In short, the active unit uses the System IP address while the standby unit uses the standby IP address.
Above is the diagram that we will use to accomplish a system-wide failover.
To have a fully functional Active/Standby failover on the ASA, replication links have to be established between the two firewalls: the LAN Failover Link and the Stateful Link. An Active/Standby failover system should have at least one connection for the LAN Failover Link and one for the Stateful Link.
All configuration changes made by the administrator on the active unit are replicated to the standby unit via the LAN Failover Link. The Stateful Link, on the other hand, replicates the system uptime, TCP/UDP connections, ARP table, VPN IKE sessions and routing sessions.
Let's walk through the required configuration.
Failover requires redundant equipment; for this scenario I am using a Cisco ASA 5520.
It is important to have a license that supports your configuration. You can verify this by issuing the command show version | include Failover. You should see Active/Active perpetual if the proper license is in place; otherwise secure your license first.
Let's start by assigning the primary role to the active ASA.
Enter global configuration mode on the firewall that you will assign as the active unit.
Note: most of the work from here onwards is done on the active firewall. The active firewall is the one that replicates all of its configuration to the standby unit.
Assuming you already know how to configure the IP address of an interface on a firewall, the only added keyword you need to issue on the command line is standby. The IP address assigned with the standby keyword is configured on the standby unit via the replication process over the FAILOVER link.
Note: It is important that the ports used for the LAN Failover and Stateful links are set to no shutdown.
Now we are going to instruct the ASA to use interface GigabitEthernet 2, named FAILOVER, for failover replication. This means that every time we make changes to the configuration of the active unit, the committed changes will be sent over this link to update the standby unit.
This is done using the command failover lan interface FAILOVER g2.
We also need to assign an IP address to the FAILOVER interface. This is done in global configuration mode using failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2.
Note: For added security, we can tell the ASA to use a key to authenticate the failover communication. Do this in global configuration mode by typing failover key <NAME>.
In this configuration, we will also use a dedicated link to replicate the stateful information.
The Stateful Link configuration uses the link keyword to identify the link as stateful. The configuration is done in global configuration mode.
5520-1(config)# failover link <WORD> <physical-interface>; this command configures the GigabitEthernet 3 interface (named STATEFUL here) to be used as the link for stateful update information.
5520-1(config)# failover interface ip STATEFUL 20.20.20.1 255.255.255.252 standby 20.20.20.2; this command assigns 20.20.20.1 as the IP address of the STATEFUL interface and 20.20.20.2 as the address the standby unit will use on it.
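The commands above, collected into one configuration listing for the active unit, as an added example that is not part of the original post. The data-interface names, security levels and addresses (outside/inside, 203.0.113.0/29, 192.168.1.0/24) are assumed for illustration; interfaces follow the ASA 5520's GigabitEthernet0/N naming (the post abbreviates them as g2 and g3), and <SHARED-KEY> is a placeholder.

```text
! Primary (active) unit, global configuration mode
hostname 5520-1
!
! Data interfaces (addresses assumed): the standby keyword gives the
! address the mate uses while it is in the standby role.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248 standby 203.0.113.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Dedicated failover and stateful links: no nameif or ip address here,
! they only need to be unshut before the failover commands reference them.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Failover role and links
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover link STATEFUL GigabitEthernet0/3
failover interface ip STATEFUL 20.20.20.1 255.255.255.252 standby 20.20.20.2
! Shared key: the same value must be configured on both units
failover key <SHARED-KEY>
! Show role and state in the prompt, e.g. 5520-1/pri/act
prompt hostname priority state
! Enable failover last, once the links and addresses are in place
failover
```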
During normal operation, it is important to be able to determine immediately the current role of the ASA you are accessing. We can instruct the ASA to show the current status of the device in its prompt using the command prompt hostname priority state.
After issuing the command, the ASA prompt displays the priority (primary) and the state (active, no failover).
Based on the prompt, the ASA's failover is currently inactive. To activate the feature, issue the failover command in global configuration mode.
To verify that the failover configuration has been put in place, issue show failover.
This looks good from the active unit's perspective, although no standby unit has been detected yet.
Now, how do we put replication into action so that the active unit's configuration is copied over to the standby unit? To do this, we only need to configure the FAILOVER interface on the standby unit. The procedure is the same as the one done on the active unit.
The FAILOVER interface on the standby unit has to be created with the same IP address configuration as the active unit's FAILOVER interface.
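The minimal configuration for the standby unit, as an added example that is not part of the original post. The hostname 5520-2 is assumed, and <SHARED-KEY> is a placeholder that must match the key on the active unit.

```text
! Secondary (standby) unit, global configuration mode. Only the failover
! link is configured here; the rest of the configuration is replicated
! from the active unit over the FAILOVER link and overwrites what is here.
hostname 5520-2
!
! Unshut both links so the FAILOVER link works now and the replicated
! STATEFUL link can come up afterwards.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
! Identical addresses to the active unit: 10.10.10.1 is the System IP of
! the link, 10.10.10.2 is what this unit uses while it is standby.
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover key <SHARED-KEY>
failover
```

After failover is enabled, show failover on either unit should list the mate; a key mismatch or a shut link on one side keeps the pair from forming.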
At this point the standby unit has detected an active unit. By default, the logs on the active unit should show Beginning configuration replication: Sending to mate.
NOTE: When the failover pairing starts, the configuration of the active unit is replicated to the standby unit, overwriting the old configuration of the standby unit.
By this time, you should have a fully functional Active/Standby failover system.