HAING ([email protected]), Engineer at DEAM
KHNOG Micro-Event
Date: 27 July 2016
Agenda
1/ Introduction to High Availability network design
2/ Failover/High Availability Overview (Terms and Concepts)
3/ Failover Deployment
4/ How failover works in active/standby
5/ Failover Requirements
6/ Failover Active/Standby Configuration
7/ Failover Behaviors
8/ Question/Answer
1/ Introduction to High Availability network design
[Diagram: flat network topology (one firewall uplinked to the Internet) versus HA network topology (a pair of firewalls uplinked to the Internet)]
2/ Failover/ High Availability Overview (Terms and Concepts)
- Failover/High Availability: two ASAs are paired to operate together and provide redundancy
in case one device fails.
- Primary unit: the unit on which all configuration is done; its configuration is replicated to the
mate. The primary unit always becomes the active unit if both units start up at the same time, but
at any given moment it can be either active or standby.
- Secondary unit: the other unit of the pair; it can also be either active or standby.
- Active: handles all traffic and maintains the session table.
- Standby: only monitors the active unit for failure and takes the active role when a failure occurs.
- Stateless failover: the TCP/UDP connection table, NAT translation table, ARP table, VPN information
and so on are NOT replicated to the standby unit, so existing connections are dropped at switchover.
The two ASAs use the failover link only for configuration and command synchronization.
- Stateful failover: the TCP/UDP connection table, NAT translation table, ARP table, VPN information
and so on are replicated to the standby unit over the state link, so established connections survive
a switchover.
ASA can be configured in Active/Standby and Active/Active modes. Active/Active requires multiple
context mode: each unit is active for its own set of contexts and standby for the other unit's.

[Diagram: Active/Standby, one Active ASA and one Standby ASA, each with an Outside and an Inside
interface; Active/Active, ASA-1 active for context CTX-A and ASA-2 active for context CTX-B, with both
contexts present on both units]
3/ Failover Deployment
[Diagram: the two ASAs connected by a dedicated failover link and a dedicated state link]

The failover link and the (optional) state link should be dedicated connections between the two
units, either a direct cable or a dedicated VLAN, because they carry the replicated configuration
and connection state.
4/ How failover works in active/standby

[Diagram: Primary ASA (Active) and Secondary ASA (Standby) joined by the failover link and the state
link, each with an inside and an outside interface; hello messages pass between the units over the
failover link]

The two units exchange hello messages over the failover link. By default a hello is sent every
second and a unit is declared failed if nothing is heard from it for the 15 second hold time.

After three missed hellos on the failover link, the standby unit sends hellos over all of its
interfaces to check the health of its peer. If the peer still does not respond, the standby unit
takes over the active IP addresses and MAC addresses and becomes active. If the peer does respond
on a data interface, only the failover link is marked failed and no switchover takes place.
5/ Failover Requirements

Software requirements:
- Both units must be in the same firewall mode (routed or transparent).
- Both units must be in the same context mode (single or multiple).
- Both units must run the same software version.
- Both units must have the same AnyConnect image (if configured).

Licensing requirements:
- On the ASA 5505, 5506-X, 5510 and 5512-X the Security Plus license is required for failover, on
both units (the Base license on these models does not support it).

Hardware requirements:
- Failover requires two identical ASAs (same model) connected to each other through a dedicated
failover link and an optional state link.
- The same number and type of interfaces.
- The same amount of RAM installed.
- The same modules installed.

[Diagram: ASA-1 and ASA-2, each with an Outside and an Inside interface]
6/ Failover Active/Standby Configuration
[Diagram: Primary ASA (Active) and Secondary ASA (Standby) between the Internet and the inside LAN
172.16.1.0/24, cabled as follows:
  G0/0 outside:       192.168.1.1/24 on the primary, 192.168.1.2/24 as the standby address
  G0/1 inside:        172.16.1.1/24 on the primary, 172.16.1.2/24 as the standby address
  G0/2 failover link: 10.10.10.0/30 (.1 primary, .2 secondary)
  G0/3 state link:    11.11.11.0/30 (.1 primary, .2 secondary)]
ASA-Primary Configuration

ASA(config)# failover lan unit primary   # Designate this ASA as the primary unit
ASA(config)# failover lan interface FAILOVER GigabitEthernet0/2   # Use Gi0/2 as the failover link
INFO: Non-failover interface config is cleared on Ethernet0/2 and its subinterfaces
ASA(config)# failover interface ip FAILOVER 10.10.10.1 255.255.255.252 10.10.10.2   # Active and standby IP addresses of the failover link
ASA(config)# failover link STATE GigabitEthernet0/3   # Use Gi0/3 as the state link (optional; required for stateful failover)
ASA(config)# failover interface ip STATE 11.11.11.1 255.255.255.252 11.11.11.2   # Active and standby IP addresses of the state link
ASA(config)# failover key KHNOG   # Shared key, identical on both units. Without a key the replicated configuration (including passwords and VPN pre-shared keys) crosses the failover link in clear text; use a long random key in production, not a short word like this lab value
ASA(config)# failover   # Enable failover

ASA(config)# interface GigabitEthernet0/0
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2   # Active address, then the address the standby unit uses
ASA(config-if)# no shutdown
ASA(config)# interface GigabitEthernet0/1
ASA(config-if)# nameif INSIDE
ASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2   # Active address, then the address the standby unit uses
ASA(config-if)# no shutdown
ASA(config)# prompt hostname context priority state   # Show unit priority and state in the prompt, e.g. ASA/Pri/act
ASA-Secondary Configuration

Only the failover settings are entered on the secondary unit; the interface configuration is
replicated from the primary once failover is enabled.

ASA(config)# failover lan unit secondary   # Designate this ASA as the secondary unit
ASA(config)# failover lan interface FAILOVER GigabitEthernet0/2   # Use Gi0/2 as the failover link
INFO: Non-failover interface config is cleared on Ethernet0/2 and its subinterfaces
ASA(config)# failover interface ip FAILOVER 10.10.10.1 255.255.255.252 10.10.10.2   # Same active/standby addresses as on the primary
ASA(config)# failover link STATE GigabitEthernet0/3   # Use Gi0/3 as the state link
ASA(config)# failover interface ip STATE 11.11.11.1 255.255.255.252 11.11.11.2   # Same active/standby addresses as on the primary
ASA(config)# failover key KHNOG   # Must match the key on the primary
ASA(config)# failover   # Enable failover
Console output once failover is enabled on both units:

ASA/Pri/act(config)# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

ASA/Sec/stby# Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.
State check detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
Switching to Standby
Verifying the pair from each unit (interface addresses follow the configuration above: INSIDE is
172.16.1.x, OUTSIDE is 192.168.1.x):

ASA/Pri/act(config)# show failover
Failover On
Failover unit Primary
Last Failover at: 12:23:34 UTC July 27 2017
This host: Primary - Active
Active time: 1664 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
Interface INSIDE (172.16.1.1): Normal (Monitored)
Interface OUTSIDE (192.168.1.1): Normal (Monitored)
Other host: Secondary - Standby Ready
Active time: 31 (sec)
slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
Interface INSIDE (172.16.1.2): Normal (Monitored)
Interface OUTSIDE (192.168.1.2): Normal (Monitored)

ASA/Sec/stby(config)# show failover
Failover On
Failover unit Secondary
Last Failover at: 12:23:34 UTC July 27 2017
This host: Secondary - Standby Ready
Active time: 31 (sec)
slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
Interface INSIDE (172.16.1.2): Normal (Monitored)
Interface OUTSIDE (192.168.1.2): Normal (Monitored)
Other host: Primary - Active
Active time: 1664 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
Interface INSIDE (172.16.1.1): Normal (Monitored)
Interface OUTSIDE (192.168.1.1): Normal (Monitored)

Both views must agree: exactly one unit Active, the other Standby Ready, and every interface
Normal (Monitored). "Waiting" means the unit has not yet seen its peer's hellos on that interface.
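The two show failover views above can be checked mechanically, which is what a monitoring job should do rather than eyeballing the output. The following is an added example, not code from the KHNOG deck or from Cisco: it parses both units' show failover output, verifies the requirements the deck lists (same platform, same software version), verifies that every interface is Normal (Monitored), and verifies that the two units agree on who is active. The sample outputs are constructed from the deck's figures (trimmed to the lines the parser uses); the third sample is a constructed split-brain case in which the failover link has been cut and both units believe they are active.

```python
"""Health check for an ASA active/standby pair from `show failover` output.

Added example, not the deck's or Cisco's code. Sample outputs are constructed
from the deck's figures; a real job would capture them from both units.
"""
import re

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
SLOT_RE = re.compile(r"^slot \d+: (\S+) hw/sw rev \((.+?)/(.+?)\) status \((.+)\)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): ([^(]+?)(?: \(([^)]+)\))?$")

# Constructed: healthy pair as seen from the primary and from the secondary.
PRIMARY_VIEW = """\
Failover On
This host: Primary - Active
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
          Interface INSIDE (172.16.1.1): Normal (Monitored)
          Interface OUTSIDE (192.168.1.1): Normal (Monitored)
Other host: Secondary - Standby Ready
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (172.16.1.2): Normal (Monitored)
          Interface OUTSIDE (192.168.1.2): Normal (Monitored)
"""
SECONDARY_VIEW = """\
Failover On
This host: Secondary - Standby Ready
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (172.16.1.2): Normal (Monitored)
          Interface OUTSIDE (192.168.1.2): Normal (Monitored)
Other host: Primary - Active
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Up Sys)
          Interface INSIDE (172.16.1.1): Normal (Monitored)
          Interface OUTSIDE (192.168.1.1): Normal (Monitored)
"""
# Constructed: failover link cut; the secondary took over the active addresses
# while the primary (PRIMARY_VIEW) still believes it is active.
SECONDARY_SPLIT = """\
Failover On
This host: Secondary - Active
        slot 0: ASA5510 hw/sw rev (1.1/9.1(5)) status (Up Sys)
          Interface INSIDE (172.16.1.1): Normal (Waiting)
          Interface OUTSIDE (192.168.1.1): Normal (Waiting)
Other host: Primary - Failed
        slot 0: ASA5510 hw/sw rev (2.0/9.1(5)) status (Unknown)
          Interface INSIDE (172.16.1.2): Unknown (Waiting)
          Interface OUTSIDE (192.168.1.2): Unknown (Waiting)
"""


def parse_show_failover(text):
    """Return {'failover_on', 'this', 'other'}; each host holds role, state, model,
    sw and interfaces {name: (ip, status, monitoring)}."""
    view = {"failover_on": False, "this": None, "other": None}
    host = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Failover On"):
            view["failover_on"] = True
        elif m := HOST_RE.match(line):
            host = {"role": m[2], "state": m[3].strip(), "model": None, "sw": None, "interfaces": {}}
            view["this" if m[1] == "This" else "other"] = host
        elif host and (m := SLOT_RE.match(line)):
            host["model"], host["sw"] = m[1], m[3]
        elif host and (m := IFACE_RE.match(line)):
            host["interfaces"][m[1]] = (m[2], m[3].strip(), m[4])
    return view


def host_findings(view_name, who, host):
    """Flag any interface that is not Normal or not actively Monitored."""
    out = []
    for name, (ip, status, monitoring) in host["interfaces"].items():
        if status != "Normal":
            out.append(f"{view_name} view: {who} {name} ({ip}) is {status}")
        if monitoring != "Monitored":  # "Waiting": peer hellos not yet seen on this interface
            out.append(f"{view_name} view: {who} {name} ({ip}) is {monitoring}, not Monitored")
    return out


def check_pair(primary_text, secondary_text):
    """Cross-check both units' output; an empty list means the pair is healthy."""
    views = {"primary": parse_show_failover(primary_text),
             "secondary": parse_show_failover(secondary_text)}
    findings = []
    for name, view in views.items():
        if not view["failover_on"] or view["this"] is None or view["other"] is None:
            findings.append(f"{name} view: failover off or output incomplete")
            continue
        this, other = view["this"], view["other"]
        if this["model"] != other["model"]:  # requirement: identical platform
            findings.append(f"{name} view: model mismatch {this['model']} vs {other['model']}")
        if this["sw"] != other["sw"]:  # requirement: same software version
            findings.append(f"{name} view: software mismatch {this['sw']} vs {other['sw']}")
        findings += host_findings(name, "this host", this)
        findings += host_findings(name, "other host", other)
    pri, sec = views["primary"], views["secondary"]
    if all(v[k] for v in (pri, sec) for k in ("this", "other")):
        actives = [n for n, v in views.items() if v["this"]["state"] == "Active"]
        if len(actives) != 1:
            findings.append(f"expected exactly one Active unit, found {len(actives)}: {actives}")
        # Each unit's opinion of its mate must match the mate's opinion of itself.
        if pri["other"]["state"] != sec["this"]["state"]:
            findings.append(f"primary sees secondary as {pri['other']['state']!r}, "
                            f"secondary reports {sec['this']['state']!r}")
        if sec["other"]["state"] != pri["this"]["state"]:
            findings.append(f"secondary sees primary as {sec['other']['state']!r}, "
                            f"primary reports {pri['this']['state']!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", SECONDARY_VIEW), ("split brain", SECONDARY_SPLIT)):
        problems = check_pair(PRIMARY_VIEW, text)
        print(f"{label}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  -", p)
```

The cross-check of "this host" against the mate's "other host" is the part worth keeping: a single unit's show failover can look clean while the peer has already taken over, and only comparing both views exposes a split-brain pair with duplicate active addresses on the wire.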
7/ Failover Behaviors

Failover trigger conditions:
- The active unit has a hardware failure or a power failure.
- A monitored interface on the active unit fails (directly connected interfaces are monitored).
- Failover is forced manually: the no failover active command is entered on the active unit, or
the failover active command is entered on the standby unit.
- The active unit has a software failure.

Failover timers:

Failover condition                                   Minimum            Default      Maximum
Active unit loses power or stops normal operation    800 milliseconds   15 seconds   45 seconds
Active unit main board interface link down           500 milliseconds   5 seconds    15 seconds
Active unit 4GE module interface link down           2 seconds          5 seconds    15 seconds
Active unit IPS or CSC module fails                  2 seconds          2 seconds    2 seconds