CISCO ASA Firewall Commands Technical Guide (Final Part)

Welcome to the final part of the CISCO ASA Firewall command line technical guides. Previous parts could be found on my profile page. If you want the full-packed version, you could download it from Research gate.

Configuring and enabling failover and redundancy on Cisco ASA

Ø  Active-standby failover

Ø  Active-active failover

Active-standby failover

This type of failover uses one ASA as the active player that handles all connections and translation operations while the other ASA considered as Standby player where it stays idle until the active player fails.  The two ASAs exchange state information about each other by forming a LAN failover link and stateful failover that enacts swapping connection information between the active and the standby ASA. When a failure occurs, the two ASAs swap their IP and MAC address information to keep translations and active connections on their values.

Now, on the main ASA that is going to be the active one, the following commands are typed:

               Failover lan unit primary

               Failover lan interface int_name  [physical_interface]

               Failover interface   ip   int_name    address_mask  standby ip_address

               Failover key  [ keystring]

               Failover

               Failover link  stateful  int_name  [physical_int]

               Failover interface ip stateful  ip_addr   mask  standby  ip_addr

               Failover replication http

               No monitor-interface  management0/0

Note: The last command for preventing the monitoring operation to take place in the management interface.

On the secondary ASA, A failover interface must be configured through the following commands:

               Failover lan unit secondary

               Failover lan interface [int_name]   [physical_addr]

               Failover interface ip [int_name]  ip_addr   subnet_mask   standby  ip-addr

               Failover key  [keystring must be the same in the primary asa]

               Failover

Active-active failover

Configuring this type requires that every failover link interface be inside a group failover, which will be attached to a security context.

On the primary ASA, the following commands would be typed:

               Failover lan unit primary

               Failover lan interface [int_name] [physical_addr]

               Failover interface ip [int_name]  ip_addr  subnet_mask  standby  ip_addr

               Failover key  [keystring]

               Failover

               Failover group 1

               Primary

               Preempt

               Replication http

               Exit

               Failover group 2

               Secondary

               Preempt

               Replication http

               Exit

               Failover link stateful  [ physical_interface]

               Failover interface ip stateful [ip_addr]  [subnet_mask ]  standby ip_addr

               Context [context_name]

               Allocate-interface  [int_name : ex; eth0/0.1]

               Allocate-interface [ int_name]

               Config-url  [specify url to store the config file, ex: disk0:/admin.cfg]

               Join-failover group 1

               Exit

Note: Each interface designated by the security context must be configured for failover using the following command syntax:

               Ip address [ip_addr]  [ subnet_mask ]  standby  [ ip_addr]

On the secondary ASA, the following commands would be typed:

               Failover lan secondary

               Failover lan interface [ int_name] [ physical_name]

               Failover interface ip [ int_name] [ ip_addr] [ subnet_mask ] standby [ip_addr]

               Failover key [ keystring]

               Failover group 1

               Secondary

               Preempt

               Replication http

               Exit

               Failover group 2

               Primary

               Preempt

               Replication http

               Exit

               Failover

Configuring failover timers for effective detection of defect peers

Every peer sends hello packets to probe for the other peer’s health. Hello packets are sent in a time range called poll time and if the peer does not respond or the hello packets are not received, the hold timer will be triggered to count down the failure state of the peer. We can configure the poll timer and hold timer for optimum performance using the syntax below:

               Failover polltime [ 1-15 sec] holdtime [ 1-45 seconds ]

Note: The the holdtime must be three times the polltime.

Configuring the detection of asymmetric routing

Sometimes, the traffic leaves the active or standby ASA and then returns back from the outside to the other ASA’s peer interface causing it to be dropped because its has no entries in the state table of the peer ASA. This ASR group will get the peer ASA to create or rewrite the layer 2 OSI of the packet to redirect it to its relevant interface.

               Interface  [int_name]

               Asa-group  [number]

Administering and verifying the failover configuration

We can send command to be executed on the other peer asa using the following command:

               Failover exec  [ active | standby | mate ]  command_string

               Show failover

               [no] failover active

Note: The last two commands used to verify the configuration of failover and to force the active state or cancel it on peer ASA respectively.