Virtual firewall failover
1. ctx-1 (a virtual context) is the admin context on the ASA.
2. ctx-1 serves the Inside_1 network and ctx-2 serves the Inside_2 network.
3. In normal operation ctx-1 runs on ASA1 and ctx-2 runs on ASA2 (active/active failover, one failover group per context).
4. When ASA2 fails, ctx-2 runs on ASA1; when ASA1 fails, ctx-1 runs on ASA2.
Implementation (ASA1, primary unit)
1. Create failover group 1 (active on the primary unit)
failover group 1
primary
preempt 60 (after this unit boots, wait 60 seconds and then take the active role for this group back from the peer)
2. Create failover group 2 (active on the secondary unit)
failover group 2
secondary
preempt 60
3. Assign each context to a failover group (by default every context belongs to group 1, which is active on the primary unit)
context ctx-1
join-failover-group 1
exit
context ctx-2
join-failover-group 2
exit
4. Configure the failover interfaces: g3 carries the failover link (hellos and configuration replication) and g4 the stateful failover link (connection state). Both links carry the replicated configuration, including any passwords in it, and unless a failover key is configured they do so in clear text, so keep them on a dedicated, directly connected segment.
int g3
no sh
exit
int g4
no sh
exit
failover lan unit primary
failover lan interface fail-config g3
failover link fail-state g4
failover interface ip fail-config 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip fail-state 10.0.0.5 255.255.255.252 standby 10.0.0.6
5. Show the context name in the prompt
prompt hostname context
6. In ctx-1, add a standby address on interface g0 (inside); on g5 (outside) set an active and a standby MAC address and add a standby IP address. g5 is shared by both contexts, so each context needs its own virtual MAC; on failover the new active unit takes over the active MAC and IP, so neighbours' ARP caches stay valid.
g0 (ctx-1 inside):
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
g5 (ctx-1 outside):
mac-address cc12.1234.1111 standby cc12.1234.2222
ip address 192.168.1.141 255.255.255.0 standby 192.168.1.151
7. In ctx-2, do the same: add a standby address on interface g2 (inside); on g5 (outside) set an active and a standby MAC address and add a standby IP address.
g2 (ctx-2 inside):
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
g5 (ctx-2 outside):
mac-address cc12.2345.1111 standby cc12.2345.2222
ip address 192.168.1.142 255.255.255.0 standby 192.168.1.152
8. Turn on failover and save the configuration of every context
system# failover
system# write memory all
Because ASA2 is not configured yet, ASA1 is active for both failover groups, i.e. it runs both contexts.
ASA2 (secondary unit)
9. Delete any saved configuration so the secondary starts clean and takes its configuration from ASA1 (both units must already be in the same firewall mode and context mode; that setting is not replicated)
delete *.cfg
10. Configure this ASA as the secondary unit
failover lan unit secondary
11. Bring up the failover link g3 and give it the same failover interface addresses as on ASA1 (the unit role decides which of the two addresses each unit uses); the stateful failover link configuration is replicated from ASA1
g3: no shut
# failover lan interface fail-config g3
# failover interface ip fail-config 10.0.0.1 255.255.255.252 standby 10.0.0.2
12. Turn on failover
# failover
Once ASA2 has synchronised, show failover on ASA2 reports group 1 (ctx-1) as standby and group 2 (ctx-2) as active.
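The steps above assembled into one configuration per unit, as an added example (this is not the post's own configuration). It expands the post's g0..g5 into the GigabitEthernet0..5 names of the emulated ASA; the nameif and security-level values, the disk0: config-url paths, the admin-context line and the failover key value are assumptions, and the failover key is the one addition to the post's steps (without it configuration replication and state updates cross the failover links in clear text).

```cisco
! Added example, not the post's own configuration.
! Assumptions: GigabitEthernet0..5 = the post's g0..g5; nameif, security-level,
! config-url paths and the failover key value are illustrative.
! Prerequisite on BOTH units (not replicated): "mode multiple" already set.

!----- ASA1 (primary), system execution space -----
hostname ASA1
prompt hostname context

interface GigabitEthernet3
 description failover link (hellos + config replication)
 no shutdown
interface GigabitEthernet4
 description stateful failover link (connection state)
 no shutdown

failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip fail-state 10.0.0.5 255.255.255.252 standby 10.0.0.6
! Shared secret so the failover traffic is not sent in clear text;
! it must be identical on both units.
failover key FoKeyChangeMe

! group 1 prefers the primary, group 2 prefers the secondary;
! preempt 60 = reclaim the active role 60 s after the preferred unit boots
failover group 1
 primary
 preempt 60
failover group 2
 secondary
 preempt 60

admin-context ctx-1
context ctx-1
 allocate-interface GigabitEthernet0
 allocate-interface GigabitEthernet5
 config-url disk0:/ctx-1.cfg
 join-failover-group 1
context ctx-2
 allocate-interface GigabitEthernet2
 allocate-interface GigabitEthernet5
 config-url disk0:/ctx-2.cfg
 join-failover-group 2
! GigabitEthernet5 is shared by both contexts, hence the per-context MACs below.

failover
write memory all

!----- ctx-1 (enter with: changeto context ctx-1) -----
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
interface GigabitEthernet5
 nameif outside
 security-level 0
 mac-address cc12.1234.1111 standby cc12.1234.2222
 ip address 192.168.1.141 255.255.255.0 standby 192.168.1.151

!----- ctx-2 (enter with: changeto context ctx-2) -----
interface GigabitEthernet2
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
interface GigabitEthernet5
 nameif outside
 security-level 0
 mac-address cc12.2345.1111 standby cc12.2345.2222
 ip address 192.168.1.142 255.255.255.0 standby 192.168.1.152

!----- ASA2 (secondary), system execution space: bootstrap only -----
! Everything else (groups, contexts, state link) is replicated from ASA1.
failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover interface ip fail-config 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key FoKeyChangeMe
interface GigabitEthernet3
 no shutdown
failover
```

To verify from the system execution space, show failover lists the state of each unit per group and show failover group 1 (or 2) narrows it to one group; failover active group 1 forces a group to this unit by hand when testing without reloading a box.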
Test
Reload ASA1.
Now ASA2 is active for both group 1 and group 2.
Bring ASA1 back up.
Now ASA1 is standby for both group 1 and group 2.
After 60 seconds ASA1 becomes active for group 1 (ctx-1) and stays standby for group 2 (ctx-2), because of the preempt configuration.