
By: Motasem
July 20, 2016
CISCO ASA Firewall Commands Technical Guide (Final Part)

Welcome to the final part of the Cisco ASA firewall command-line technical guide. The previous parts can be found on my profile page; the full version can be downloaded from ResearchGate.
Configuring and enabling failover and redundancy on Cisco ASA
- Active-standby failover
- Active-active failover
Active-standby failover
In this mode one ASA is the active unit that handles all connections and translations, while the other is the standby unit, which stays idle until the active unit fails. The two units are joined by a failover LAN link, over which they exchange hello packets, unit state and the running configuration, and optionally by a stateful failover link, over which the active unit replicates its connection and translation tables to the standby. When the active unit fails, the standby becomes active and takes over the active unit's IP and MAC addresses on every data interface, so existing connections and NAT translations survive the switchover without the neighbouring devices noticing a change.
On the unit that will be the primary (normally the active one), the following commands are entered:
failover lan unit primary
failover lan interface if_name physical_interface
failover interface ip if_name ip_address mask standby ip_address
failover key key_string
failover link stateful physical_interface
failover interface ip stateful ip_address mask standby ip_address
failover replication http
no monitor-interface management0/0
failover
Notes: "failover lan interface" gives the failover LAN link a name of your choosing (if_name) and binds it to a physical interface that carries nothing else; "failover link" does the same for the stateful link (the name chosen here is stateful) and may be omitted when the LAN link is to carry the state replication as well. "failover key" sets a shared secret used to authenticate and encrypt the traffic on both links; without it the replicated connection state crosses the wire in the clear, so configure one and keep it identical on both units. "failover replication http" adds HTTP connections to the replicated state, since they are not replicated by default. The "no monitor-interface" command excludes the management interface from health monitoring, so that losing it does not trigger a failover; the argument is the interface name. The bare "failover" command enables failover and should be entered last, once the links are configured.
On the secondary unit only the failover link has to be configured; everything else is copied from the primary once the units pair. The commands are:
failover lan unit secondary
failover lan interface if_name physical_interface
failover interface ip if_name ip_address mask standby ip_address
failover key key_string
failover
The interface name, addresses and key must be exactly those entered on the primary (the line is identical on both units; each unit derives its own address from its role), and the physical interface must be enabled with "no shutdown". A key mismatch prevents the units from pairing.
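A complete Active/Standby configuration for a pair of ASA units, as an added example (not from the original guide): interface names, addresses and the key are assumptions chosen for illustration. It shows the standby addresses on every monitored data interface, the two dedicated failover links, and the secondary unit carrying only the link commands.

```cisco
! ---- Primary unit (assumed interface names and addresses) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 management-only
 no shutdown
interface GigabitEthernet0/2
 description failover LAN link (dedicated, directly cabled to the peer)
 no shutdown
interface GigabitEthernet0/3
 description stateful failover link (dedicated)
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover link stateful GigabitEthernet0/3
failover interface ip stateful 10.0.0.5 255.255.255.252 standby 10.0.0.6
failover key S3cr3t-F0-Key
failover replication http
no monitor-interface management
! enable failover last, after the links are defined
failover
!
! ---- Secondary unit: only the failover link; the rest replicates ----
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key S3cr3t-F0-Key
failover
```

Keep the two failover links on a dedicated VLAN or directly cabled between the units: whatever reaches them can observe replicated state and, if the key is absent or weak, inject failover messages. The key itself is stored in the configuration, so protect the running and startup configuration as you would any other credential.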
Active-active failover
Active-active failover requires the ASA to run in multiple context mode ("mode multiple"). Security contexts are assigned to one of two failover groups; each failover group is active on one unit and standby on the other, so both units forward traffic at the same time. The failover links themselves are configured in the system execution space exactly as for active-standby.
On the primary unit, in the system execution space, the following commands are entered:
failover lan unit primary
failover lan interface if_name physical_interface
failover interface ip if_name ip_address mask standby ip_address
failover key key_string
failover link stateful physical_interface
failover interface ip stateful ip_address mask standby ip_address
failover group 1
primary
preempt
replication http
exit
failover group 2
secondary
preempt
replication http
exit
context context_name
allocate-interface interface_name (a physical interface or subinterface, for example eth0/0.1)
allocate-interface interface_name
config-url disk0:/context_name.cfg
join-failover-group 1
exit
failover
Within "failover group", "primary" or "secondary" names the unit on which the group is active under normal conditions; "preempt" makes that unit reclaim the group when it comes back after a failure, and "replication http" enables HTTP session replication for that group. "config-url" tells the system where each context's configuration is stored (disk0:/admin.cfg in the original example), and "join-failover-group" places the context in a group; a context that is not assigned explicitly belongs to group 1. An admin context must also be designated with "admin-context". The "failover" command enables failover and is entered last.
Note: inside each context, every interface the context uses should carry both an active and a standby address, using the following syntax:
ip address ip_address mask standby ip_address
The standby address is the one used by whichever unit is currently standby for that context's failover group. It is not strictly required, but without it the active unit cannot run network tests to check the health of the peer's interface and can only track link state.
On the secondary unit, also in the system execution space, the following commands are entered:
failover lan unit secondary
failover lan interface if_name physical_interface
failover interface ip if_name ip_address mask physical_interface standby ip_address
failover key key_string
failover
Only the failover link commands are needed on the secondary: the failover group and context definitions replicate from the primary once the units pair. If you do enter the "failover group" settings on the secondary, they must be identical to those on the primary (group 1 primary, group 2 secondary): "primary" and "secondary" in a group refer to the unit roles, not to the unit you happen to be logged in to, so mirroring them on the secondary is wrong and would in any case be overwritten by replication.
Configuring failover timers for effective detection of failed peers
Each unit sends hello packets over the failover link to probe the health of its peer. The interval between hellos is the poll time; if no hello is received from the peer within the hold time, the peer is declared failed and a failover is triggered. Both timers can be tuned with the following syntax:
failover polltime [unit] [msec] time [holdtime [msec] time]
The unit poll time ranges from 1 to 15 seconds (or 200 to 999 milliseconds with "msec") and the hold time from 1 to 45 seconds (or 800 to 999 milliseconds); the defaults are 1 second and 15 seconds. A separate "failover polltime interface [msec] time [holdtime time]" command controls the interface health tests in the same way.
Note: the hold time cannot be less than three times the poll time. Shorter timers detect a failure faster but make the pair more sensitive to congestion or brief loss on the failover link, so test them before lowering them in production.
Configuring the detection of asymmetric routing
With asymmetric routing, traffic leaves through one interface (or, in active-active mode, through one unit) and the return traffic arrives on a different interface or on the peer unit, which drops it because it has no matching entry in its connection table. Placing the interfaces involved into the same ASR group fixes this: when a packet arrives on an interface in an ASR group and no connection matches, the ASA searches the connection state of the other interfaces in that group, including the state replicated from the peer over the stateful failover link, and if a match is found it rewrites the packet's Layer 2 header and redirects it to the interface or unit that owns the connection. Stateful failover must therefore be configured for this to work across units. The command is entered in interface configuration mode:
interface interface_name
asr-group number
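As an added example (not from the original guide), the outside interfaces of two contexts that sit in different failover groups, so that each is active on a different unit, are placed in the same ASR group; context names, interfaces and addresses are assumptions.

```cisco
! Entered inside each context; stateful failover is assumed to be configured
! in the system execution space of both units.
! ctx1 belongs to failover group 1 and is active on the primary unit
changeto context ctx1
interface GigabitEthernet0/0.10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 asr-group 1
! ctx2 belongs to failover group 2 and is active on the secondary unit
changeto context ctx2
interface GigabitEthernet0/0.20
 nameif outside
 security-level 0
 ip address 203.0.113.18 255.255.255.240 standby 203.0.113.19
 asr-group 1
```

A return packet for a ctx1 connection that the upstream router delivers to ctx2's outside interface now matches the replicated state for ASR group 1 and is redirected over the stateful link to the primary unit instead of being dropped.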
Administering and verifying the failover configuration
A command can be sent for execution on the peer unit with the following syntax, where "mate" means whichever unit is not the one you are logged in to:
failover exec {active | standby | mate} command_string
show failover
[no] failover active
Note: "show failover" displays the failover state of both units, the link status, the timers and the monitored interfaces, and is the first thing to check after configuration; "failover active" forces the unit on which it is entered to become active, and "no failover active" forces it to standby.