Cisco ASA Active-Standby Configuration

---

• Cisco ASA Active-Standby Configuration
• Sony finds no apparent Anonymous link to PlayStation attack
• Sony apologizes, details PlayStation Network attack

Cisco ASA Active-Standby Configuration Posted: 01 May 2011 12:30 PM PDT On my previous post I talked about Cisco ASA Active/Active configuration. In this post I will describe Active/Standby redundancy which is used much more frequently compared with the active/active scenario. ASA Active/Standby failover/redundancy means connecting two identical ASA firewall units via LAN cable so that when one device or interface fails then the second one will take over the traffic and become the active device. During normal operation, the active ASA will be synchronizing its configuration to the standby unit. The configuration must be changed on active ASA. If we try to change the configuration on standby ASA, then the following warning will be displayed: ASA# configure terminal **** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. ASA(config)# During active/standby failover, the active ASA receives all traffic flows and filters all network traffic while the secondary ASA is in the Ready mode. Therefore you should dimension each ASA device in such a way so that to be able to handle all traffic. ASA failover works in 2 modes: Stateful Failover and Regular Failover. During regular Failover, when Failover occurs, all active connections will be dropped. During Stateful Failover however, the active unit continually passes per-connection state to standby unit. When failover occurs, both ASA devices will have knowledge about all connections. The active ASA sends the state information of the following protocols/tables to the Standby ASA: NAT   Translation Table TCP connection Table UDP Connection Table ARP Table Layer2 Bridge Table (if Transparent mode enabled) HTTP Connection Table (if HTTP Replication enabled) ISAKMP and SA Table GTP PDP Connection table The following are not synchronized: HTTP connection Table (unless HTTP Replication Enable) Routing Table User Authentication (UAUTH) Table State Information for Security Service Module. There are some predefined device requirements for allowing two ASAs to work in Failover mode: both of them must be the same model, both must have the same type and number of  interfaces, the same volume of  RAM and FLASH, the same licenses and  the versions of ASA IOSs of both ASAs must match. If any of these requirements is not satisfied, then they cannot work in failover mode. Let's consider an example of active/standby Failover configuration (see diagram below). The Outside interfaces on ASAs are Ge0/0 and LAN interfaces are Ge0/1. For Failover we will use Ge0/2, particularly Ge0/2.1 will be the Failover interface and Ge0/2.2 the state interface (by which the information about protocol States will be exchanged). Note that you don't have to use two different connections for Failover and State. They can share the same connection/interface. Configuration Active Unit Configuration: Note: Always start with the active ASA first. !Assign IP address to outside interface. During Failover the primary IP address will be assigned to Standby Unit. asa(config)# interface g0/0 asa(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2 !Assign IP address to inside interface. During Failover the primary IP address will be assigned to Standby Unit. asa(config)# interface g0/1 asa(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2 !enable LAN Failover. asa(config)#failover lan enable !set that unit as primary. asa(config)#failover lan unit primary !Define Failover Interface. In this documentation, the "failover" (interface name for GigabitEthernet0/2.1) is used as a failover interface. asa(config)#failover lan interface failover Ge0/2.1 !Assign IP address to Failover Interfaces. asa(config)#failover interface ip failover 192.168.3.1 255.255.255.0 standby 192.168.3.2 In this documentation, the "state" (interface name for GigabitEthernet0/2.2) is used as a State interface. !Define stateful Failover interface asa(config)#failover link state Ge0/2.2 !Assign IP addresses to Stateful Failover interfaces asa(config)#failover interface ip state 192.168.4.1  255.255.255.0 standby 192.168.4.2 !enable Failover asa(config)#failover Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active. Standby Unit Configuration: ! enable LAN Failover asa(config)#failover lan enable !Define the failover interface asa(config)#failover lan interface failover Ge0/2.1 !assign IP address to failover interface asa(config)#failover interface ip failover 192.168.3.1  255.255.255.0 standby 192.168.3.2 !set this unit as secondary asa(config)#failover lan unit secondary ! Enable failover. asa(config)#failover After the above is completed, configuration replication will start with the following message: "Beginning configuration replication: Sending to mate" ………. "End Configuration Replication to mate." All configuration commands will be done on Primary unit from now on. Connect to the primary unit and issue the command "write memory" to save the configuration. Run also the command "write standby" to save the config to the secondary device. Verification: !show failover on Primary  ASA asa # show failover Failover On Last Failover at: 05:12:14 tbilisi Dec 7 2010 This context: Active Active time: 14228860 (sec) Interface outside (192.168.1.1): Normal Interface inside (192.168.2.1): Normal Peer context: Standby Ready Active time: 1104 (sec) Interface outside (192.168.1.2): Normal Interface inside (192.168.2.2): Normal Stateful Failover Logical Update Statistics Status: Configured. Stateful Obj    xmit       xerr       rcv        rerr RPC services    0          0          0          0 TCP conn        1217633001 31648      2774       0 UDP conn        1128592801 0          15204      0 ARP tbl         2435313    0          420        10 Xlate_Timeout   0          0          0          0 SIP Session     885790     0          0          0 ! show failover on secondary unit. asa# show failover Failover On Last Failover at: 05:12:14 tbilisi Dec 7 2010 This context: Standby Ready Active time: 1104 (sec) Interface outside (192.168.1.2): Normal Interface inside (192.168.2.2): Normal Peer context: Active Active time: 14228965 (sec) Interface outside (192.168.1.1): Normal Interface inside (192.168.1.2 ): Normal Stateful Failover Logical Update Statistics Status: Configured. Stateful Obj    xmit       xerr       rcv        rerr RPC services    0          0          0          0 TCP conn        7349       638711328  571031340  112 UDP conn        45152      0          1136400282 886 ARP tbl         430        0          2435305    36 Xlate_Timeout   0          0          0          0 SIP Session     0          0          885779     11

Sony finds no apparent Anonymous link to PlayStation attack Posted: 01 May 2011 06:35 AM PDT Sony said it has found no link between an attack on its PlayStation Network and Qriocity services and Internet activist group Anonymous, which had earlier targeted its systems.

Sony apologizes, details PlayStation Network attack Posted: 01 May 2011 12:45 AM PDT Sony's PlayStation Network and Qriocity online services will begin a phased resumption this week, after the company took them offline in response to a "very sophisticated" intrusion, the company said Sunday.

You are subscribed to email updates from "Cisco" via Ehsan in Google Reader To stop receiving these emails, you may unsubscribe now.	Email delivery powered by Google
Google Inc., 20 West Kinzie, Chicago IL USA 60610