Monday, September 27, 2010

ASA - Failover


Types

  • Active/Standby
  • Active/Active (requires multiple context mode)

HW, SW and configuration requirements

  • Hardware Requirements
    • The two units in a failover configuration must be the same model, have the same number and types of interfaces, and have the same SSMs installed (if any).
    • If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
    • Although it is not required, it is recommended that both units have the same amount of RAM installed.
  • Software Requirements
    • The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

License requirement (PIX)

  • 3 license types for PIX: UR (Unrestricted), R (Restricted) and FO (Failover)
  • Valid combinations
    • UR+UR, R+R, UR+FO, R+FO
  • UR+UR supports A/A and A/S
  • UR+FO supports only A/S

Chassis vs. Stateful failover

  • With unit (chassis) failover, the secondary unit synchronizes its configuration from the primary and takes over when the primary fails. All xlates, connections, VPN sessions, etc. are dropped when the primary fails.
  • With stateful failover, an additional stateful failover link replicates session data from the primary to the secondary unit, so the sessions are kept even if the primary unit fails.

Failover Link Serial vs. LAN-based failover (LBF)

  • Serial: PIX only, using a Cisco proprietary RS-232 cable clocked at 115 Kbps with DB-15 connectors. The cable itself defines which end is primary and which is secondary.
  • LBF: Introduced in 6.2; uses an Ethernet interface instead of a serial cable. The ASA uses LBF for its failover link. It can be combined with the stateful link.

Failover communications

  • The state of the appliances: active or standby
  • Power status (PIX with a serial failover link only)
  • Failover hello messages
  • Network link status of the appliances' interfaces
  • Exchange of the MAC addresses used on the appliance interfaces
  • Configuration of the active unit, synchronized to the standby unit
  • With stateful failover, the following are also synchronized:
    • xlate table
    • conn table
    • VPN sessions (A/S mode only)
    • MAC address table (transparent mode only)
    • SIP signaling information
    • Current date and time

Failover link monitoring

  • Both the failover link and the data interfaces are monitored by the failover pair.
  • Failover hellos are sent on the failover link every 15 seconds by default (minimum 200 ms).
  • Hold time is 45 s (three hello intervals).
  • Interface tests are run to determine whether the active unit has failed.
  • If the active unit or its interfaces have failed, the standby unit promotes itself to the active state.

Interface Monitoring

If a hello message from the mate is not seen on a monitored interface for one-half of the hold-down period, the appliance runs interface tests on the suspect interface to determine what the problem is.
The four tests are:

  • Link up/down test
  • Network activity test
  • ARP test
  • Broadcast ping test
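As an added example (not from the original notes and not Cisco code), a small Python model of the hello and hold-down rules from the two monitoring sections above: hellos are tracked per interface, an interface that has missed hellos for half the hold-down period (22.5 s) gets the four interface tests, and three missed hellos on the failover link (45 s) promote the standby unit. The pass/fail rule for the tests (the interface counts as failed only when all four fail) and the constructed timeline in simulate() are assumptions.

```python
HELLO_INTERVAL = 15.0            # default hello interval (page: minimum 200 ms)
HOLD_TIME = 3 * HELLO_INTERVAL   # 45 s hold time = 3 missed hello intervals
TEST_NAMES = ["link", "activity", "arp", "broadcast_ping"]  # the four tests

class FailoverMonitor:
    """Hold-down logic from the notes, keyed on the last hello per interface."""

    def __init__(self, interfaces, now=0.0):
        self.last_hello = {i: now for i in interfaces}   # "failover" + data ifaces
        self.failed_ifaces = set()
        self.role = "standby"

    def hello_seen(self, iface, now):
        self.last_hello[iface] = now

    def evaluate(self, now, run_test):
        """Apply the rules at time `now`; return the events raised."""
        events = []
        for iface, seen in self.last_hello.items():
            silent = now - seen
            if iface == "failover":
                # three hellos missed on the failover link: the mate is
                # considered failed and the standby unit promotes itself
                if silent >= HOLD_TIME and self.role == "standby":
                    self.role = "active"
                    events.append("promoted")
            elif silent >= HOLD_TIME / 2 and iface not in self.failed_ifaces:
                # half the hold-down period without a hello: run the four tests
                # (assumption: the interface fails only when every test fails)
                if any(run_test(iface, t) for t in TEST_NAMES):
                    events.append(f"{iface}:tested")
                else:
                    self.failed_ifaces.add(iface)
                    events.append(f"{iface}:failed")
        return events

def simulate():
    """Constructed timeline: mate's inside link dies after t=15, mate silent after t=45."""
    mon = FailoverMonitor(["failover", "inside"])
    dead_links = {"inside"}                      # constructed fault on the mate
    def run_test(iface, test):
        return iface not in dead_links           # every test fails on a dead link
    timeline = [(15, ["failover", "inside"]), (30, ["failover"]),
                (45, ["failover"]), (60, []), (75, []), (90, [])]
    log = []
    for now, hellos in timeline:
        for iface in hellos:
            mon.hello_seen(iface, now)
        log += [(now, ev) for ev in mon.evaluate(now, run_test)]
    return log, mon.role   # -> ([(45, 'inside:failed'), (90, 'promoted')], 'active')
```

Feeding real hello timestamps (for example parsed from syslog) into hello_seen() instead of the constructed timeline turns the same model into a check that a pair's failover events line up with the configured hold time.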
