[Practical guide] Configuring failover active/active in transparent mode on a Cisco ASA firewall
2022-06-24 01:40:00 【Relieved】
【Thanks to Mr. Bo】
Failover active/active is an unavoidable topic when learning the ASA. Most of the worked cases available online are done in routed mode, and very few cover failover active/active in transparent mode, so the following experiment was completed on the GNS3 simulator with the asa8.02 multi-context firewall qemu image.
I. Topology
Figure 1: Logical topology in GNS3
The interface-to-VLAN assignment on the upstream switches sw1 and sw2 is shown in Table 1, and the device interfaces and IP addresses in Table 2.
Table 1: VLAN and interface relationship
Table 2: Device and IP address configuration
Because the failover configuration relies on the virtual firewall (security context) concept, the virtual firewalls vfw1 and vfw2 must be created on fw1 and fw2. The physical interfaces allocated to each virtual firewall are shown in Table 3:
Table 3: Interface allocation for the virtual firewalls vfw1 and vfw2
Because the firewalls run in transparent mode, a global management address must be configured for each bridged pair of interfaces before the firewall can work normally. The management addresses are allocated as shown in Table 4:
Table 4: Virtual firewalls and their management addresses
Because each virtual firewall in failover active/active uses the LAN-based (FO) link for health monitoring and the Stateful link for replicating the connection table, a LAN-based address and a Stateful address must be configured; the allocation is shown in Table 5:
Table 5: LAN-based (FO) and Stateful interface allocation
II. Configuration process
The failover configuration has two parts, the fw1 configuration and the fw2 configuration. fw2 needs very little; most of the work is done on fw1.
1. Configuring the physical firewall fw1:
(1) Bring up the physical interfaces:
This step is particularly important: every physical interface must be brought up (no shutdown). The individual commands are not shown here.
(2) Configure the FO and Stateful links, which the failover groups use to monitor each other:
fw1(config)#failover lan unit primary    // note that fw1 is the primary unit
fw1(config)#failover lan interface FO Ethernet0/4
fw1(config)#failover link Stateful Ethernet0/5
fw1(config)#failover interface ip FO 10.10.30.1 255.255.255.0 standby 10.10.30.2
fw1(config)#failover interface ip Stateful 10.10.40.1 255.255.255.0 standby 10.10.40.2
(3) Adjust the failover unit monitoring timers
This step is optional, but recommended: it makes the effect of the later tests easier to see.
fw1(config)#failover polltime unit msec 200 holdtime msec 800
(4) Configure the failover groups
In a failover group, primary is a physical concept; it does not change with the state of the network.
fw1(config)#failover group 1
fw1(config-fover-group)#primary
fw1(config-fover-group)#preempt
fw1(config)#failover group 2
fw1(config-fover-group)#secondary
fw1(config-fover-group)#preempt
(5) Configure the admin management context
The admin context is used to manage the physical firewall (including all virtual firewalls). It must be configured first; otherwise the virtual firewalls below cannot be configured.
fw1(config)#context admin
fw1(config-ctx)#config-url flash:/admin.cfg
(6) Define the virtual firewalls
Defining a virtual firewall (allocating interfaces, joining a failover group, and so on) must be completed for every virtual firewall before the virtual firewalls themselves are configured.
fw1(config)#context vfw1
fw1(config-ctx)#allocate-interface e0/0
fw1(config-ctx)#allocate-interface e0/1
fw1(config-ctx)#join-failover-group 1
fw1(config-ctx)#config-url flash:/vfw1.cfg
fw1(config)#context vfw2
fw1(config-ctx)#allocate-interface e0/2
fw1(config-ctx)#allocate-interface e0/3
fw1(config-ctx)#join-failover-group 2
fw1(config-ctx)#config-url flash:/vfw2.cfg
(7) Configure the virtual firewalls
The previous step defined the virtual firewalls but did not configure their functions; that is done here.
① Configure virtual firewall vfw1
fw1(config)#changeto context vfw1
vfw1(config)#interface e0/0
vfw1(config-if)#nameif outside
vfw1(config-if)#security-level 0
vfw1(config-if)#mac-address 1.a.1 standby 1.a.2    # optional, but recommended to avoid unexpected problems
vfw1(config-if)#interface e0/1
vfw1(config-if)#nameif inside
vfw1(config-if)#security-level 100
vfw1(config-if)#mac-address 1.b.1 standby 1.b.2    # optional, but recommended to avoid unexpected problems
vfw1(config)#ip address 10.10.10.100 255.255.255.0 standby 10.10.10.110
vfw1(config)#access-list OUT permit icmp any any echo-reply
vfw1(config)#access-list OUT permit icmp any any time-exceeded
vfw1(config)#access-list OUT permit icmp any any unreachable
vfw1(config)#access-group OUT in interface outside
vfw1(config)#policy-map global_policy
vfw1(config-pmap)#class inspection_default
vfw1(config-pmap-c)#inspect icmp
② Configure virtual firewall vfw2
fw1(config)#changeto context vfw2
vfw2(config)#interface e0/2
vfw2(config-if)#nameif outside
vfw2(config-if)#security-level 0
vfw2(config-if)#mac-address 2.a.1 standby 2.a.2    # optional, but recommended to avoid unexpected problems
vfw2(config-if)#interface e0/3
vfw2(config-if)#nameif inside
vfw2(config-if)#security-level 100
vfw2(config-if)#mac-address 1.b.1 standby 1.b.2    # optional, but recommended to avoid unexpected problems
vfw2(config)#ip address 10.10.20.100 255.255.255.0 standby 10.10.20.110
vfw2(config)#access-list OUT permit icmp any any echo-reply
vfw2(config)#access-list OUT permit icmp any any time-exceeded
vfw2(config)#access-list OUT permit icmp any any unreachable
vfw2(config)#access-group OUT in interface outside
vfw2(config)#policy-map global_policy
vfw2(config-pmap)#class inspection_default
vfw2(config-pmap-c)#inspect icmp
At this point the configuration of the physical firewall fw1 is complete. All that remains is to enable failover, but since fw2 has not been configured yet, failover is not enabled for the time being.
2. Configuring the physical firewall fw2:
(1) Bring up the physical interfaces
This step is important: every physical interface must be brought up (no shutdown). The individual commands are not shown here.
(2) Configure the FO and Stateful links, which the failover groups use to monitor each other:
fw2(config)#failover lan unit secondary    // note that fw2 is the secondary unit
fw2(config)#failover lan interface FO Ethernet0/4
fw2(config)#failover link Stateful Ethernet0/5
fw2(config)#failover interface ip FO 10.10.30.1 255.255.255.0 standby 10.10.30.2
fw2(config)#failover interface ip Stateful 10.10.40.1 255.255.255.0 standby 10.10.40.2
Because the secondary physical firewall automatically receives its configuration from the failover LAN primary, only the two steps above are required; nothing else needs to be configured, and adding more only causes trouble.
3. Enable failover
(1) Enable failover on the physical firewall fw1
fw1(config)#failover
(2) Enable failover on the physical firewall fw2
fw2(config)#failover
4. Change the prompt
After failover active/active is configured, the two physical firewalls synchronize their configuration automatically, so the prompt on fw2 becomes identical to the prompt on fw1, which makes it hard to tell them apart. The prompt must therefore be changed on fw1.
fw1(config)#prompt hostname priority state
fw1/pri/stby(config)#
In the prompt above, hostname is the name of the physical firewall, priority shows whether the physical firewall is the primary or the secondary device in the failover group, and state shows whether the firewall is in the active or the standby state. From the prompt above, the physical firewall fw1 is the primary device and is currently in the standby state.
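The steps above are easy to get subtly wrong when typed twice (an FO standby address in the wrong subnet, a port allocated to two contexts, a virtual MAC pair copied from one context into another), and such mismatches tend to surface only as a pair that never reaches the expected state. As an added example, not the article's code and not a Cisco tool, the following Python script models tables 3 to 5 as plain data, checks those consistency rules, and renders the fw1 CLI in the order of steps (2) to (7) plus the minimal fw2 lines. The values are the article's, except that vfw2's inside virtual MAC is written as 2.b.1/2.b.2 here (an assumption) so that every virtual MAC in the pair is unique, which the checker requires.

```python
"""Model an ASA active/active transparent-mode failover pair as data, check it
for mismatches that stop a pair from forming, and render fw1's CLI in the
article's order.  Added example, not the article's code; values follow tables
3-5 except vfw2's inside virtual MAC (assumed, so that all MACs are unique)."""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class Link:            # failover (FO) or Stateful link
    name: str
    port: str
    ip: str            # active address with prefix, e.g. "10.10.30.1/24"
    standby: str       # standby address, must sit in the same subnet


@dataclass
class Iface:           # data interface allocated to a context
    port: str
    nameif: str
    level: int
    mac: str           # virtual MAC pair keeps the MAC stable across a failover
    standby_mac: str


@dataclass
class Context:
    name: str
    group: int         # failover group the context joins
    mgmt_ip: str       # transparent-mode global management address, with prefix
    mgmt_standby: str
    ifaces: list


def _norm(port):       # 'Ethernet0/4' and 'e0/4' name the same port
    return port.lower().replace("ethernet", "e")


def _pair_ok(ip, standby):
    a = ip_interface(ip)
    s = ip_interface(f"{standby}/{a.network.prefixlen}")
    return a.network == s.network and a.ip != s.ip


def validate(fo, stateful, contexts):
    """Return a list of problems; an empty list means the description is consistent."""
    problems = []
    for link in (fo, stateful):
        if not _pair_ok(link.ip, link.standby):
            problems.append(f"{link.name}: active/standby addresses must differ and share a subnet")
    if _norm(fo.port) == _norm(stateful.port):
        problems.append("FO and Stateful links must use different ports")
    ports, macs = {_norm(fo.port): "FO link", _norm(stateful.port): "Stateful link"}, {}
    for ctx in contexts:
        if not _pair_ok(ctx.mgmt_ip, ctx.mgmt_standby):
            problems.append(f"{ctx.name}: management active/standby addresses inconsistent")
        for i in ctx.ifaces:
            if _norm(i.port) in ports:
                problems.append(f"{ctx.name}: port {i.port} already used by {ports[_norm(i.port)]}")
            ports[_norm(i.port)] = ctx.name
            for m in (i.mac, i.standby_mac):
                if m in macs:
                    problems.append(f"{ctx.name}: virtual MAC {m} already used by {macs[m]}")
                macs[m] = ctx.name
    return problems


def render_primary(fo, stateful, contexts, poll_msec=200, hold_msec=800):
    """CLI for fw1 (primary), in the order of the article's steps (2) to (7)."""
    out = ["failover lan unit primary",
           f"failover lan interface {fo.name} {fo.port}",
           f"failover link {stateful.name} {stateful.port}"]
    for link in (fo, stateful):
        a = ip_interface(link.ip)
        out.append(f"failover interface ip {link.name} {a.ip} {a.netmask} standby {link.standby}")
    out.append(f"failover polltime unit msec {poll_msec} holdtime msec {hold_msec}")
    out += ["failover group 1", " primary", " preempt", "failover group 2", " secondary",
            " preempt", "context admin", " config-url flash:/admin.cfg"]
    for ctx in contexts:   # define every context before configuring any of them
        out += [f"context {ctx.name}"] + [f" allocate-interface {i.port}" for i in ctx.ifaces]
        out += [f" join-failover-group {ctx.group}", f" config-url flash:/{ctx.name}.cfg"]
    for ctx in contexts:
        m = ip_interface(ctx.mgmt_ip)
        out.append(f"changeto context {ctx.name}")
        for i in ctx.ifaces:
            out += [f"interface {i.port}", f" nameif {i.nameif}", f" security-level {i.level}",
                    f" mac-address {i.mac} standby {i.standby_mac}"]
        out.append(f"ip address {m.ip} {m.netmask} standby {ctx.mgmt_standby}")
    return out


def render_secondary(fo, stateful):   # fw2: unit role plus the two links; the rest replicates
    return ["failover lan unit secondary"] + render_primary(fo, stateful, [])[1:5]


FO = Link("FO", "Ethernet0/4", "10.10.30.1/24", "10.10.30.2")
STATEFUL = Link("Stateful", "Ethernet0/5", "10.10.40.1/24", "10.10.40.2")
CONTEXTS = [
    Context("vfw1", 1, "10.10.10.100/24", "10.10.10.110",
            [Iface("e0/0", "outside", 0, "1.a.1", "1.a.2"),
             Iface("e0/1", "inside", 100, "1.b.1", "1.b.2")]),
    Context("vfw2", 2, "10.10.20.100/24", "10.10.20.110",
            [Iface("e0/2", "outside", 0, "2.a.1", "2.a.2"),
             Iface("e0/3", "inside", 100, "2.b.1", "2.b.2")]),   # 2.b.x assumed
]
```

Run `validate(FO, STATEFUL, CONTEXTS)` before pasting the output of `render_primary` into fw1; an empty list means the description passed. Feeding it a vfw2 whose inside interface reuses the 1.b.1/1.b.2 pair from vfw1 returns two "virtual MAC ... already used" problems, which is exactly the kind of copy-and-paste slip that the CLI itself will accept silently.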
III. Viewing and testing:
1. Adjusting the state after the first start:
After failover is enabled on the two physical firewalls fw1 and fw2, the state shown by the show failover command is abnormal. I have seen this every time I ran the experiment on GNS3; at first I thought the configuration had failed, but it is in fact a problem of the first start and has to be corrected.
Figure 2: Failover group status shown on fw1
After failover is first enabled, the failover group status seen on the physical firewall fw1 often shows two active groups, whereas normally, as in Figure 2, one group is active and the other is standby. Many beginners conclude that their configuration is wrong. The fix is to save the configuration on both fw1 and fw2, then shut down and restart fw1 and fw2; after the restart the state is normal. If it is still not normal, shut down the monitoring link.
2. Testing under normal conditions:
After failover active/active is successfully configured on fw1 and fw2, the normal information seen on either fw1 or fw2 is shown in Figures 3 and 4:
Figure 3: Normal failover information seen on fw1
Figure 4: Normal failover information seen on fw2
From PC10 and PC20, access 1.1.1.1/24 on r1 with both stateless and stateful traffic; the normal result is shown in Figures 5 and 6:
Figure 5: Stateless and stateful access to r1 through fw1
Figure 6: Stateless and stateful access to r1 through fw2
Normally PC10 reaches r1 through vfw1 on fw1, and PC20 reaches r1 through vfw2 on fw2.
3. Simulating an uplink failure
In practice the link between sw1 (e0/0) and vfw1 (e0/0) may fail; a failover active/active switchover then occurs, and the stateful connections on PC10 should not drop. To simulate the link failure, interface e0/0 on sw1 is shut down administratively. Note in particular that the link must not be shut down on fw1's e0/0.
Figure 7: Manually shutting down e0/0 on sw1
After a short wait, vfw1 on fw1 switches over: fw1 shows the state standby/standby and fw2 shows active/active.
Figure 8: Failover state on fw1
Figure 9: Failover state on fw2
Then check the stateful and stateless connections on PC10.
Figure 10: Effect of the switchover on PC10
The stateful connection on PC10 does not drop at all; the stateless connection loses 5 packets and then recovers automatically. The switchover is very clean: from the client's point of view the stateful connection is not interrupted by the switchover, which meets the session requirement.
4. Simulating uplink recovery
Bring e0/0 on sw1 back up to simulate the fault between vfw1 and sw1 being cleared.
Figure 11: The fault on sw1 is cleared by bringing the interface up
Then check the failover state on fw1 and fw2:
Figure 12: Failover state information seen on fw1
Figure 13: Failover state information seen on fw2
fw1 is in the active/standby state and fw2 in the standby/active state, i.e. the pair is load-sharing again.
5. Simulating a downlink failure switchover
Disconnect the link between sw2 and vfw2 on the fw2 side by shutting down interface e1/3 on sw2, and watch the failover switchover:
Figure 14: Manually shutting down interface e1/3 on sw2
Check the failover state information on fw1 and fw2:
Figure 15: Failover information on fw1
Figure 16: Failover information on fw2
fw1 is in the active/active state and fw2 in the standby/failed state; the automatic switchover is complete.
Then check the stateful and stateless connections on PC20:
Figure 17: Stateful and stateless connections on PC20
The stateful session on PC20 stays connected throughout, which meets the requirement.
6. Simulating downlink recovery
Bring e1/3 on sw2 back up to simulate the fault being cleared and the link recovering.
Figure 18: Bringing interface e1/3 on sw2 back up
Check the failover state information on fw1 and fw2:
Figure 19: Failover information on fw1
Figure 20: Failover information on fw2
Now fw1 is in the active/standby state and fw2 in the standby/active state, i.e. the failover state has switched back normally.
Finally, why use the asa8.02 qemu image for the experiment? The asa8.02 image uses very little memory (only 256 MB), supports 6 physical interfaces at the same time and starts quickly, so it is a good choice for completing the experiment when the host machine is short of memory.
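The checks in steps 1 to 6 are done by reading show failover output in the figures. As an added example, not the article's code, here is a small Python parser for that output which extracts the per-group state of both units and reports deviations from the intended load-sharing state: a group active on both units (split-brain), a group with no active unit, a group running on the unit that preempt should have moved it off (the "two active groups on fw1" symptom after the first start), and a unit reporting Failed. The sample output is constructed in the layout of ASA 8.x show failover (the "This host"/"Other host" blocks with one "Group N  State:" line per failover group), not captured from the lab, and the four scenarios mirror the ones described above as seen from fw1.

```python
"""Parse 'show failover' output from an ASA active/active pair and report
deviations from the intended load-sharing state.  Added example, not the
article's code; the sample output below is constructed in the layout of ASA 8.x
'show failover' ('This host'/'Other host' blocks, one 'Group N  State:' line
per failover group), not captured from the article's lab."""
import re

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")
# With preempt configured as in the article, group 1 belongs on the primary
# unit and group 2 on the secondary; anything else is worth a look.
PREFERRED = {1: "Primary", 2: "Secondary"}


def parse_failover(text):
    """Return {unit_name: {group_number: state_string}} for both units."""
    states, unit = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            unit = m.group(2)
            states.setdefault(unit, {})
            continue
        m = GROUP_RE.match(line)
        if m and unit is not None:
            states[unit][int(m.group(1))] = m.group(2)
    return states


def summarize(states, unit):
    """Render one unit's groups the way the article does, e.g. 'active/standby'."""
    per = states[unit]
    return "/".join(per[g].split()[0].lower() for g in sorted(per))


def assess(states, preferred=None):
    """List problems: a group active on both units (split-brain), on no unit,
    or on the wrong unit, and any unit reporting Failed."""
    preferred = PREFERRED if preferred is None else preferred
    problems = []
    for g in sorted({g for per in states.values() for g in per}):
        active = [u for u, per in states.items() if per.get(g, "").startswith("Active")]
        if len(active) > 1:
            problems.append(f"group {g}: active on {' and '.join(active)} (split-brain)")
        elif not active:
            problems.append(f"group {g}: no active unit")
        elif g in preferred and active[0] != preferred[g]:
            problems.append(f"group {g}: active on {active[0]}, expected {preferred[g]}")
        for u, per in states.items():
            if "Failed" in per.get(g, ""):
                problems.append(f"group {g}: {u} reports Failed")
    return problems


def sample_output(this_unit, this_states, other_unit, other_states):
    """Constructed 'show failover' text in the ASA 8.x layout (not a real capture)."""
    lines = ["Failover On", f"Failover unit {this_unit}",
             "Failover LAN Interface: FO Ethernet0/4 (up)",
             "Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds", ""]
    for label, unit, st in (("This host", this_unit, this_states),
                            ("Other host", other_unit, other_states)):
        lines.append(f"  {label}:    {unit}")
        for g in sorted(st):
            lines += [f"  Group {g}       State:          {st[g]}",
                      "                Active time:    0 (sec)"]
        lines.append("")
    return "\n".join(lines)


# The situations the article walks through, as seen from fw1 (the primary unit).
NORMAL = sample_output("Primary", {1: "Active", 2: "Standby Ready"},
                       "Secondary", {1: "Standby Ready", 2: "Active"})
FIRST_BOOT = sample_output("Primary", {1: "Active", 2: "Active"},   # both groups on fw1
                           "Secondary", {1: "Standby Ready", 2: "Standby Ready"})
UPLINK_DOWN = sample_output("Primary", {1: "Standby Ready", 2: "Standby Ready"},
                            "Secondary", {1: "Active", 2: "Active"})
DOWNLINK_DOWN = sample_output("Primary", {1: "Active", 2: "Active"},
                              "Secondary", {1: "Standby Ready", 2: "Failed"})

if __name__ == "__main__":
    for name, text in (("normal", NORMAL), ("first boot", FIRST_BOOT),
                       ("uplink down", UPLINK_DOWN), ("downlink down", DOWNLINK_DOWN)):
        st = parse_failover(text)
        print(f"{name:14} fw1={summarize(st, 'Primary'):16} fw2={summarize(st, 'Secondary'):16}",
              "; ".join(assess(st)) or "OK")
```

Pointed at real output (for example collected from both units over SSH on a schedule), the same three functions turn the manual comparison of Figures 2 to 20 into a check that can raise an alert: the normal scenario yields no problems, the first-start scenario reports group 2 sitting on the primary, and the downlink-failure scenario reports both the wrong-unit condition for group 2 and the secondary's Failed state.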