Cisco ASA - Failover config

Captions
In this video I'm going to show you how you can configure the Cisco ASA firewall in a high availability mode, in active/standby. What you'll need: you need to find out if your ASA supports high availability, so any models from 5510 upwards; the 5505 does not. You need the Security Plus license, and you can tell if you have that level of license if you run a show version command and go to the failover section: you'll see Failover, and it should say perpetual and either Active/Active or Active/Standby. So do that for both your units, make sure that they're both there, and then allocate yourself a physical interface for use with the failover, because we're going to need a failover interface. OK, let's get into it.

So what we're going to do first is quickly rename our ASA, sorry, hostname ASA primary, because this is going to be the primary unit, and rename this one, hostname ASA secondary.

OK, so basically you obviously have primary and secondary. In the active/standby configuration, that means that one unit is the primary one, that's the one that's functioning and passing data in your network, and the other one's just sitting there waiting for something on the primary ASA to fail. It's down to your choice and the parameters you specify, but for instance if an outside or inside interface fails, you can say that's a failover event, or the ASA will see that as a failover event, it's built into the functionality, and it will fail over to the secondary ASA because it is in a better health condition than the primary is. So you'll fail to the secondary. And what you have, obviously, is primary/secondary and active/standby: one unit might be the primary but it could be the standby unit, because it failed over to the secondary ASA sometime before, and vice versa, the secondary could be the active unit.

OK, so what we're going to do is go in and configure failover. The first command is failover lan unit primary, so obviously this is our primary unit. Then we're going to do failover lan interface, and we're going to give the physical interface an alias of failover link, FO link, and we're going to specify the physical interface, which is Gigabit Ethernet 0, and it's going to tell us that the config that was originally on Gigabit Ethernet 0, if there was any, is going to be cleared. The next command is failover interface ip FO link, and then we can specify the IP address of 192 168 101, and then we configure the standby interface, which is 102.

So what are we doing there? It might look a little bit weird. Basically, that standby command is configuring the interface of the standby unit, that is, the IP address of the physical interface on the standby unit, with this command while we're on the ASA primary. Why are we doing that? Well, that's just the way it is: you configure the interface for the secondary, and that is because at any time the primary could be the standby interface. So what you'll see is that we'll enter that same command on the secondary unit.

Then the final command to enter is failover, which enables the failover process. You could optionally specify a failover key, so like a passphrase; you enter this on both units, and basically the units will only talk to each other if they've got that key, so it's more secure. For this example we're not going to do that. OK, so we're done on this unit; let's just check that our interface is up. Yes, so you can see the IP there, up.

So let's go to our second unit, hostname secondary, and we're going to do failover lan unit secondary, obviously this is our secondary unit. failover lan interface: we're going to specify the same FO link, and then we're going to specify Gigabit Ethernet 0 for the hardware, and again it tells us the config was cleared. Then we're going to specify failover interface ip on the FO link, and we need to enter the exact same details as we did before, standby 192 168 102. Then I'm going to enter failover. I'm just going to check that our interfaces are up. Oh, there we go, it must be up: it's detected an active mate and it's going to replicate the configuration from our primary unit. OK, so it's telling us: End configuration replication to mate.

So if we now do a show failover command we should see, yep. As we can see here, let's go from top to bottom. Failover is on. This is the primary unit. The interface used for failover is Gigabit Ethernet 0, which is up. The unit poll time is 1 second, so it's looking for the other mate, in failover terms, every 1 second, and it will wait 15 seconds before determining that the mate is dead.

Interface poll frequency, you wonder what does that mean? Basically, for every interface you want to monitor, well, every interface you're going to use in the failover setup, you're going to specify a standby IP address, and what the ASA is going to do is ping across your data network to the IP address of the standby interface. It's going to do it every five seconds, and if it doesn't detect it in 25 seconds it's going to declare that that interface is unreachable. Monitored interfaces: we've got no monitored interfaces at the moment.

And it's going to tell us the software version. Sorry, that's one very important point I forgot to mention right at the start of the video: both of your ASAs must be running the same major version of software, so 8.4 and 8.4. I'm not too sure about the minor version, I think it is only to do with the major version, but just for peace of mind both of your ASAs should be on exactly the same version; that's how I always do it. So you can see ours is 8.4 and our mate is 8.4. Last failover was 10 past 8:00, blah blah blah. So this unit is primary and is the active unit, active time, and our mate is secondary and is in standby mode.

OK, and then we can also do show failover history, and that'll tell us all about what happened, what was the last time it failed over. The best way, obviously, to tell what unit you're on is always to go here: this unit is primary, active.

OK, so what we're going to do is configure the interfaces on our network with our standby IP addresses; without them there'd be no failover. So if we go into interface Gigabit Ethernet 1, it's going to be nameif, and we're going to specify inside, and description, inside interface, and then we're going to give it an IP address, and it's going to be 192.168.101.1 with a subnet mask of 255 255, and then we can configure a standby IP address, which will be assigned to the secondary unit, which I'm going to show you in a second: standby 101.2. OK, and now we're going to no shutdown that.

Now we're going to configure our outside interface: interface Gigabit Ethernet 2, nameif outside, the description is going to be outside interface, the IP address will be just 172.16.100.1, 255.255.255.0, and then again we're going to specify a standby interface, 16.100.2.

OK, so we've configured our outside interface, and now we're going to do show interface ip brief to confirm it's all there. So we've got our, sorry, our failover, our inside and our outside interface. Then I'm going to do write standby, which is going to synchronize the configuration with our mate: beginning configuration, end configuration. This is obviously our primary, active unit.

Then we go on to our secondary, so you can see that's been copied. show failover: this is our secondary, standby unit. I'm going to show you the interfaces, how those commands affect these interfaces. So there you go, they've got the .2: our failover, our inside and our outside.

That's basically failover. That's the core of it, the basics to get you up and running. There are a few more options you can play about with, but go away and read about it yourself; it's a lot more fun, and you've got to find what suits you. I hope you found this video informative. If you've got any feedback please leave it, I'm always looking to improve my videos, and also please subscribe. Thank you very much.
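The commands walked through in the captions, collected into one listing as an added example; it is not taken from the video's screen or from the channel. The failover-link addresses, every subnet mask, the hostnames and the key value are placeholders (the captions do not give them legibly), the interface names follow the speaker's "Gigabit Ethernet 0/1/2" (physical appliances use slot/port names such as GigabitEthernet0/0), and the listing includes the optional failover key that the video mentions but skips.

```cisco
! Added example. Failover-link addresses (192.0.2.x), all masks, hostnames
! and <shared-secret> are placeholders, not values from the video.
!
! --- Primary unit ---
hostname ASA-primary
interface GigabitEthernet0
 no shutdown
failover lan unit primary
failover lan interface folink GigabitEthernet0
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Optional in the video: the same key must be entered on both units.
! Without it, failover traffic, including the replicated configuration,
! crosses the failover link in clear text.
failover key <shared-secret>
failover
!
! --- Secondary unit: identical except for the unit role ---
hostname ASA-secondary
interface GigabitEthernet0
 no shutdown
failover lan unit secondary
failover lan interface folink GigabitEthernet0
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key <shared-secret>
failover
!
! --- Data interfaces: entered on the active unit, replicated to the mate ---
interface GigabitEthernet1
 nameif inside
 description Inside interface
 ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2
 no shutdown
interface GigabitEthernet2
 nameif outside
 description Outside interface
 ip address 172.16.100.1 255.255.255.0 standby 172.16.100.2
 no shutdown
!
! --- Verify state and push the configuration to the standby ---
show failover
show failover history
show interface ip brief
write standby
```

Keep the failover link on a dedicated interface or an isolated VLAN so that only the two units can reach it, whether or not a key is set.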
Info
Channel: Laurence Schoultz
Views: 26,809
Keywords: cisco, asa, 5510, 5520, 5540, 5550, adaptive, security, appliance, network, IP, tcp, high, availability, failover, active-standby, ping, icmp, udp, http, ethernet
Id: Qv-ES1k-2s8
Length: 11min 3sec (663 seconds)
Published: Wed Oct 24 2012