
PIX/ASA Active/Standby Failover Configuration Example

Document ID: !"#

Contents

Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Active/Standby Failover
Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Regular and Stateful Failover
Regular Failover
Stateful Failover
Cable-Based Active/Standby Failover Configuration (PIX Security Appliance Only)
Network Diagram
Configurations
LAN-Based Active/Standby Failover Configuration
Network Diagram
Primary Unit Configuration
Secondary Unit Configuration
Configurations
Verify
Use of the show failover Command
View of Monitored Interfaces
Display of the Failover Commands in the Running Configuration
ASA Failover Email Alert Configuration
Failover Functionality Tests
Forced Failover
Disabled Failover
Restoration of a Failed Unit
Replace the Failed Unit with a New Unit
Troubleshoot
Failover Monitoring
Unit Failure
LU allocate connection failed
Primary Lost Failover communications with mate on interface interface_name
Failover System Messages
Debug Messages
SNMP
NAT 0 Issue
Failover Polltime
Export Certificate/Private Key in Failover Configuration
WARNING: Failover message decryption failure.
ASA Modules Failover
Failover message block alloc failed
AIP Module Failover Problem
Unable to Upgrade the ASA Failover Pair from Ethernet Card to Optical Interface
ERROR: Failover cannot be configured while the local CA server is configured.
%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed
Known Issues
Related Information

Introduction
$#e !ailover con!i"uration requires two identical security appliances connected to eac# ot#er t#rou"# a dedicated !ailover lin+ and; optionally; a state!ul !ailover lin+7 $#e #ealt# o! t#e active inter!aces and units is monitored to determine i! speci!ic !ailover conditions are met7 I! t#ose conditions are met; !ailover occurs7 $#e security appliance supports two !ailover con!i"urations6 Active/Active Failover and Active/Standby Failover7 .ac# !ailover con!i"uration #as its own met#od to determine and per!orm !ailover7 4it# Active/Active Failover; bot# units can pass networ+ tra!!ic7 $#is lets you con!i"ure load balancin" on your networ+7 Active/Active Failover is only available on units t#at run in multiple conte2t mode7 4it# Active/Standby Failover; only one unit passes tra!!ic w#ile t#e ot#er unit waits in a standby state7 Active/Standby Failover is available on units t#at run in eit#er sin"le or multiple conte2t mode7 &ot# !ailover con!i"urations support state!ul or stateless 're"ular) !ailover7 $#is document !ocuses on #ow to con!i"ure an Active/Standby Failover in PI( Security Appliance7 Note$ ,P* !ailover is not supported on units t#at run in multiple conte2t mode as ,P* is not supported in multiple conte2t7 ,P* !ailover is available only !or Active/Standby Failover con!i"urations in sin"le conte2t con!i"urations7 Cisco recommends t#at you do not use t#e mana"ement inter!ace !or !ailover; especially !or state!ul !ailover in w#ic# t#e security appliance constantly sends t#e connection in!ormation !rom one security appliance to t#e ot#er7 $#e inter!ace !or !ailover must be at least o! 
t#e same capacity as t#e inter!aces t#at pass re"ular tra!!ic; and w#ile t#e inter!aces on t#e ASA <<:1 are "i"abit; t#e mana"ement inter!ace is Fast.t#ernet only7 $#e mana"ement inter!ace is desi"ned !or mana"ement tra!!ic only and is speci!ied as mana"ement1/17 =owever; you can use t#e #anage#entonly command in order to con!i"ure any inter!ace to be a mana"ement%only inter!ace7 Also; !or -ana"ement 1/1; you can disable mana"ement%only mode so t#e inter!ace can pass t#rou"# tra!!ic >ust li+e any ot#er inter!ace7 For more in!ormation about t#e #anage#entonly command; re!er to Cisco Security Appliance Command Re!erence; ,ersion ?717 $#is con!i"uration "uide provides a sample con!i"uration to include a brie! introduction to t#e PI(/ASA @72 Active/Standby tec#nolo"y7 Re!er to t#e ASA/PI( Command Re!erence 5uide !or a more in%dept# sense o! t#e t#eory based be#ind t#is tec#nolo"y7

Prerequisites

Requirements

Hardware Requirement
The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM.

Note: The two units do not need to have the same size Flash memory. If you use units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory fails.

Software Requirement
The two units in a failover configuration must be in the same operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software within an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend that you upgrade both units to the same version to ensure long-term compatibility. Refer to the Performing Zero Downtime Upgrades for Failover Pairs section of Cisco Security Appliance Command Line Configuration Guide, Version 8.0 for more information about upgrading the software on a failover pair.

License Requirements
On the PIX security appliance platform, at least one of the units must have an unrestricted (UR) license.

Note: It might be necessary to upgrade the licenses on a failover pair in order to obtain additional features and benefits. For more information on upgrade, refer to License Key Upgrade on a Failover Pair.

Note: The licensed features (such as SSL VPN peers or security contexts) on both security appliances that participate in failover must be identical.

Components Used
The information in this document is based on the PIX Security Appliance with version 7.x and above.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products
This configuration can also be used with the ASA Security Appliance with version 7.x and above.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Active/Standby Failover
This section describes Active/Standby Failover and includes these topics:
Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions

Active/Standby Failover Overview

Active/Standby Failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for a transparent firewall, the management IP address) and MAC addresses of the failed unit and begins to pass traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Note: For multiple context mode, the security appliance can fail over the entire unit (which includes all contexts) but cannot fail over individual contexts separately.

Primary/Secondary Status and Active/Standby Status

The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit is primary and actively passes traffic. A few differences exist between the units based on which unit is primary (as specified in the configuration) and which unit is secondary:
The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).
The primary unit MAC address is always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active and cannot obtain the primary MAC address over the failover link. In this case, the secondary MAC address is used.

Device Initialization and Configuration Synchronization

Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations are always synchronized from the active unit to the standby unit. When the standby unit completes its initial startup, it clears its running configuration (except for the failover commands that are needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit. The active unit is determined by these rules:
If a unit boots and detects a peer already operative as active, it becomes the standby unit.
If a unit boots and does not detect a peer, it becomes the active unit.
If both units boot simultaneously, the primary unit becomes the active unit, and the secondary unit becomes the standby unit.

Note: If the secondary unit boots and does not detect the primary unit, it becomes the active unit. It uses its own MAC addresses for the active IP addresses. When the primary unit becomes available, the secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. In order to avoid this, configure the failover pair with virtual MAC addresses. See the Configuring Active/Standby Failover section of this document for more information.

When the replication starts, the security appliance console on the active unit displays the message "Beginning configuration replication: Sending to mate," and, when it is complete, the security appliance displays the message "End Configuration Replication to mate." During replication, commands entered on the active unit cannot replicate properly to the standby unit, and commands entered on the standby unit can be overwritten by the configuration that is replicated from the active unit. Do not enter commands on either unit in the failover pair during the configuration replication process. Dependent upon the size of the configuration, replication can take from a few seconds to several minutes.

From the secondary unit, you can observe the replication message (as it synchronizes) from the primary unit:

pix> .
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
pix>

On the standby unit, the configuration exists only in running memory. In order to save the configuration to Flash memory after synchronization, enter these commands:
For single context mode, enter the copy running-config startup-config command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
For multiple context mode, enter the copy running-config startup-config command on the active unit from the system execution space and from within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit, where they become available when the unit reloads.

Command Replication
Command replication always flows from the active unit to the standby unit. As commands are entered on the active unit, they are sent across the failover link to the standby unit. You do not have to save the active configuration to Flash memory to replicate the commands.

Note: Changes made on the standby unit are not replicated to the active unit. If you enter a command on the standby unit, the security appliance displays the message **** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. This message is displayed even if you enter commands that do not affect the configuration.

If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit. For multiple context mode, when you enter the write standby command in the system execution space, all contexts are replicated. If you enter the write standby command within a context, the command replicates only the context configuration.

Replicated commands are stored in the running configuration. In order to save the replicated commands to the Flash memory on the standby unit, enter these commands:
For single context mode, enter the copy running-config startup-config command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
For multiple context mode, enter the copy running-config startup-config command on the active unit from the system execution space and within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit.

Failover Triggers
The unit can fail if one of these events occurs:
The unit has a hardware failure or a power failure.
The unit has a software failure.
Too many monitored interfaces fail.
The no failover active command is entered on the active unit, or the failover active command is entered on the standby unit.

Failover Actions
In Active/Standby Failover, failover occurs on a unit basis. Even on systems that run in multiple context mode, you cannot fail over individual contexts or groups of contexts. This table shows the failover action for each failure event. For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.

Failure Event | Policy | Active Action | Standby Action | Notes
Active unit failed (power or hardware) | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link.
Formerly active unit recovers | No failover | Become standby | No action | None
Standby unit failed (power or hardware) | No failover | Mark standby as failed | n/a | When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.
Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You must restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both units become active.
Stateful failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Interface failure on active unit above threshold | Failover | Mark active as failed | Become active | None
Interface failure on standby unit above threshold | No failover | No action | Mark standby as failed | When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.

Regular and Stateful Failover

The security appliance supports two types of failover, regular and stateful. This section includes these topics:
Regular Failover
Stateful Failover

Regular Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database

The information that is not passed to the standby unit when stateful failover is enabled includes these:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for security service modules

Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.

Cable-Based Active/Standby Failover Configuration (PIX Security Appliance Only)

Network Diagram
This document uses this network setup:

Note: Cable-based failover is available only on the PIX 500 Series Security Appliance.

In this section, you are presented with the information to configure the features described in this document. Follow these steps to configure Active/Standby Failover with a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled "Primary" plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted. You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on.

Complete these steps in order to configure cable-based Active/Standby failover:

1. Connect the failover cable to the PIX security appliances. Make sure that you attach the end of the cable marked "Primary" to the unit that you use as the primary unit, and that you attach the end of the cable marked "Secondary" to the other unit.

2. Power on the primary unit.

3. If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the stateful failover link if you use a dedicated stateful failover interface. You use the failover interface ip command to configure a dedicated stateful failover interface in a later step.

hostname(config-if)#ip address <active_addr> <netmask> standby <standby_addr>

In the example, the outside interface of the primary PIX is configured this way:

hostname(config-if)#ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2

Here, 172.16.1.1 is used for the primary unit outside interface IP address, and 172.16.1.2 is assigned to the secondary (standby) unit outside interface.

Note: In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

4. In order to enable stateful failover, configure the stateful failover link.

a. Specify the interface to be used as the stateful failover link:

hostname(config)#failover link if_name phy_if

In this example, the Ethernet2 interface is used to exchange the stateful failover link state information.

hostname(config)#failover link state Ethernet2

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface must not be used for any other purpose.

b. Assign an active and standby IP address to the stateful failover link:

hostname(config)#failover interface ip <if_name> <ip_addr> <mask> standby <ip_addr>

In this example, 10.0.0.1 is used as the active, and 10.0.0.2 is used as the standby IP address for the stateful failover link.

hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

Note: If the stateful failover link uses a data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask. The stateful failover link IP address and MAC address do not change at failover unless they use a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

5. Enable failover:

hostname(config)#failover

6. Power on the secondary unit and enable failover on the unit if it is not already enabled:

hostname(config)#failover

The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Beginning configuration replication: sending to mate" and "End Configuration Replication to mate" appear on the primary console.

Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

7. Save the configuration to Flash memory on the primary unit. Because the commands entered on the primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash memory.

hostname(config)#copy running-config startup-config

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations
This document uses these configurations:

PIX

pix# show running-config
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!

!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.

interface Ethernet2
 description STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

!--- Output Suppressed

!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

LAN-Based Active/Standby Failover Configuration

Network Diagram
This document uses this network setup:

This section describes how to configure Active/Standby Failover with an Ethernet failover link. When you configure LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Note: Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary

Primary Unit
Follow these steps to configure the primary unit in a LAN-based, Active/Standby Failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.

In order to configure the primary unit in an Active/Standby Failover pair, perform these steps:

1. If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the stateful failover link if you use a dedicated stateful failover interface. You use the failover interface ip command to configure a dedicated stateful failover interface in a later step.

hostname(config-if)#ip address active_addr netmask standby standby_addr

In this example, the outside interface of the primary PIX is configured this way:

hostname(config-if)#ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2

Here, 172.16.1.1 is used for the primary unit outside interface IP address, and 172.16.1.2 is assigned to the secondary (standby) unit outside interface.

Note: In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

2. (PIX security appliance platform only) Enable the LAN-based failover.

hostname(config)#failover lan enable

3. Designate the unit as the primary unit.

hostname(config)#failover lan unit primary

4. Define the failover interface.

a. Specify the interface to be used as the failover interface.

hostname(config)#failover lan interface if_name phy_if

In this documentation, the "failover" (interface name for Ethernet3) is used for a failover interface.

hostname(config)#failover lan interface failover Ethernet3

The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3.

b. Assign the active and standby IP address to the failover link.

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this documentation, to configure the failover link, 10.1.0.1 is used for active, 10.1.0.2 for the standby unit, and "failover" is the interface name of Ethernet3.

hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

In the example, Ethernet3 is used for failover:

hostname(config)#interface ethernet3
hostname(config-if)#no shutdown

5. (Optional) In order to enable stateful failover, configure the stateful failover link.

a. Specify the interface to be used as the stateful failover link.

hostname(config)#failover link if_name phy_if

This example uses "state" as the interface name for Ethernet2 to exchange the failover link state information:

hostname(config)#failover link state Ethernet2

Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface must not be used for any other purpose, except, optionally, as the failover link.

b. Assign an active and standby IP address to the stateful failover link.

Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this example, 10.0.0.1 is used as the active and 10.0.0.2 as the standby IP address for the stateful failover link.

hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The stateful failover link IP address and MAC address do not change at failover unless they use a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already enabled the interface.

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

For example, in this scenario, Ethernet2 is used for the stateful failover link:

hostname(config)#interface ethernet2
hostname(config-if)#no shutdown

6. Enable failover.

hostname(config)#failover

Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

7. Save the system configuration to Flash memory.

hostname(config)#copy running-config startup-config

Secondary Unit Configuration

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary. For multiple context mode, all steps are performed in the system execution space unless noted otherwise.

In order to configure the secondary unit, perform these steps:

1. (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)#failover lan enable

2. Define the failover interface. Use the same settings that you used for the primary unit.

a. Specify the interface to be used as the failover interface.

hostname(config)#failover lan interface if_name phy_if

In this documentation, the "failover" (interface name for Ethernet3) is used for a LAN failover interface.

hostname(config)#failover lan interface failover Ethernet3

The if_name argument assigns a name to the interface specified by the phy_if argument.

b. Assign the active and standby IP address to the failover link.

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this documentation, to configure the failover link, 10.1.0.1 is used for active, 10.1.0.2 for the standby unit, and "failover" is the interface name of Ethernet3.

hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.

c. Enable the interface.

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

For example, in this scenario, Ethernet3 is used for failover.

hostname(config)#interface ethernet3
hostname(config-if)#no shutdown

3. (Optional) Designate this unit as the secondary unit.

hostname(config)#failover lan unit secondary

Note: This step is optional because, by default, units are designated as secondary unless previously configured.

4. Enable failover.

hostname(config)#failover

Note: After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages Beginning configuration replication: Sending to mate and End Configuration Replication to mate appear on the active unit console.

5. After the running configuration has completed replication, save the configuration to Flash memory.

hostname(config)#copy running-config startup-config

Configurations

This document uses these configurations:

Primary PIX

pix# show running-config
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Configure "no shutdown" on the stateful failover interface
! of both the Primary and Secondary PIX.
interface Ethernet2
 nameif state
 description STATE Failover Interface
!
interface Ethernet3
 nameif failover
 description LAN Failover Interface
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect telnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Secondary PIX

pix# show running-config failover
failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Note: The failover key is shown masked (******). Configure the same key on both units. Without a failover key, all traffic on the failover and stateful failover links, including the replicated configuration with its passwords and VPN keys, is sent in clear text.
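The two show running-config failover outputs above are meant to differ only in the failover lan unit line, and the failover interface ip command must be entered identically on both units. The following Python script is an added example, not part of this document or of the appliance software: it checks both properties against the text of the two outputs, and warns when no failover key is present. The PRIMARY sample is taken from the Primary PIX output above; the SECONDARY sample is constructed to show the secondary unit after the primary has replicated its configuration to it (the state-link lines are therefore present there too).

```python
"""Consistency check for the failover configuration of an Active/Standby pair.

Added example, not part of the Cisco document or of the appliance software.
Given the output of `show running-config failover` from both units, it
verifies the two properties the document states: the only permanent
difference between the units is the `failover lan unit` line, and the
`failover interface ip` commands were entered identically on both units.
It also warns when no failover key is configured, because without one the
failover link (including replicated passwords and private keys) is sent
in clear text.
"""
import re

# Taken from the Primary PIX configuration in the document.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""

# Constructed: the secondary unit after configuration replication.
SECONDARY = """\
failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""

UNIT_RE = re.compile(r"^failover lan unit (primary|secondary)$")


def failover_lines(config):
    """Return the failover commands of a running-config, one per list entry."""
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith("failover")]


def unit_role(lines):
    """Return 'primary', 'secondary', or None when the line is absent (default: secondary)."""
    for ln in lines:
        m = UNIT_RE.match(ln)
        if m:
            return m.group(1)
    return None


def compare_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = failover_lines(primary_cfg), failover_lines(secondary_cfg)
    findings = []
    if unit_role(p) != "primary":
        findings.append("primary unit lacks 'failover lan unit primary'")
    if unit_role(s) == "primary":
        findings.append("both units are configured as primary")
    # The unit-role line is the one line allowed to differ; diff everything else.
    p_rest = {ln for ln in p if not UNIT_RE.match(ln)}
    s_rest = {ln for ln in s if not UNIT_RE.match(ln)}
    findings += ["only on primary: " + ln for ln in sorted(p_rest - s_rest)]
    findings += ["only on secondary: " + ln for ln in sorted(s_rest - p_rest)]
    # The key is masked in show output, so only its presence can be checked here;
    # a key mismatch shows up at runtime as "Failover message decryption failure".
    if not any(ln.startswith("failover key") for ln in p):
        findings.append("no failover key: failover-link traffic is sent in clear text")
    return findings


if __name__ == "__main__":
    for line in compare_pair(PRIMARY, SECONDARY) or ["failover configuration is consistent"]:
        print(line)
```

Feed it the real show running-config failover output of both units; any "only on primary"/"only on secondary" line points at a command that was not entered identically, which is exactly what the Note under step 2b warns about.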

Verify

Use of the show failover Command

This section describes the show failover command output. On each unit, you can verify the failover status with the show failover command.

Primary PIX

pix# show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 06:07:44 UTC Dec 26 2006
        This host: Primary - Active
                Active time: 1905 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Secondary PIX

pix(config)# show failover
Failover On
Cable status: Normal
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 00:00:18 UTC Jan 1 1993
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Active time: 154185 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Note: This sample output reports Failover LAN Interface: N/A - Serial-based failover enabled and the stateful link as down. For the LAN-based configuration in this document, a healthy pair reports the LAN failover interface by name, for example failover Ethernet3 (up), and the state link as up. Investigate either discrepancy before you rely on stateful failover; with the state link down, no connection state is replicated and a switchover drops existing connections.

Use the show failover state command to verify the state.

Primary PIX

pix# show failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
        Mac set
=========Failed Reason====
My Fail Reason:
Other Fail Reason:
        Comm Failure

Secondary unit

pix# show failover state
====My State===
Secondary | Standby |
====Other State===
Primary | Active |
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
=========Failed Reason=====
My Fail Reason:
Other Fail Reason:

In order to verify the IP addresses of the failover unit, use the show failover interface command.

Primary unit

pix# show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.1
                Other IP Address : 10.0.0.2

Secondary unit

pix# show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.2
                Other IP Address : 10.0.0.1

View of Monitored Interfaces

In order to view the status of monitored interfaces: in single context mode, enter the show monitor-interface command in global configuration mode; in multiple context mode, enter show monitor-interface within a context.

Note: In order to enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode:

monitor-interface <if_name>

Primary PIX

pix(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal

Secondary PIX

pix(config)# show monitor-interface
        This host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal

Note: If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.

Note: By default, monitoring of physical interfaces is enabled, and monitoring of subinterfaces is disabled.

Display of the Failover Commands in the Running Configuration

In order to view the failover commands in the running configuration, enter this command:

hostname(config)# show running-config failover

All of the failover commands are displayed. On units that run in multiple context mode, enter the show running-config failover command in the system execution space. Enter the command show running-config all failover to display the failover commands in the running configuration, including the commands for which you have not changed the default value.

ASA Failover Email Alert Configuration

Complete these steps in order to configure e-mail alerts for failover events:

1. hostname(config)# logging mail high-priority
2. hostname(config)# logging from-address xxx-001@example.com
3. hostname(config)# logging recipient-address admin@example.com
4. hostname(config)# smtp-server 1.1.1.1

For a detailed description of these commands, refer to Sending Syslog Messages to an E-mail Address.

Failover Functionality Tests

In order to test failover functionality, perform these steps:

1. Test that your active unit or failover group passes traffic as expected; for example, use FTP to send a file between hosts on different interfaces.

2. Force a failover to the standby unit with this command. For Active/Standby Failover, enter it on the active unit:

hostname(config)#no failover active

3. Use FTP to send another file between the same two hosts.

4. If the test was not successful, enter the show failover command to check the failover status.

5. When you are finished, you can restore the unit or failover group to active status with this command. For Active/Standby Failover, enter it on the unit that is currently standby, that is, the unit you want to make active again:

hostname(config)#failover active

Forced Failover

In order to force the standby unit to become active, enter one of these commands:

Enter this command on the standby unit:

hostname#failover active

Enter this command on the active unit:

hostname#no failover active

Disabled Failover

In order to disable failover, enter this command:

hostname(config)#no failover

If you disable failover on an Active/Standby pair, the active and standby state of each unit is maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start to pass traffic. In order to make the standby unit active (even with failover disabled), see the Forced Failover section.

If you disable failover on an Active/Active pair, the failover groups remain in the active state on whichever unit they are currently active on, no matter which unit they are configured to prefer. The no failover command can be entered in the system execution space.

Restoration of a Failed Unit

In order to restore a failed unit to an unfailed state, enter this command:

hostname(config)#failover reset

Restoring a failed unit to an unfailed state does not automatically make it active; restored units or groups remain in the standby state until made active by failover (forced or natural). An exception is a failover group configured with the preempt command. If previously active, a failover group becomes active if it is configured with the preempt command and if the unit on which it failed is its preferred unit.

Note: Find and fix the cause of the failure before you enter failover reset; the show failover state output lists the fail reason. Otherwise the unit simply fails again on the next interface or unit test.

Replace the Failed Unit with a New Unit

Complete these steps in order to replace a failed unit with a new unit:

1. Run the no failover command on the primary unit. The failover status on the secondary unit then shows the standby unit as not detected.

2. Unplug the primary unit, and connect the replacement primary unit.

3. Verify that the replacement unit runs the same software and ASDM version as the secondary unit (and, as required for any failover pair, is the same hardware model).

4. Run these commands on the replacement unit:

ASA(config)#failover lan unit primary
ASA(config)#failover lan interface failover Ethernet3
ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA(config)#interface Ethernet3
ASA(config-if)#no shut
ASA(config-if)#exit

If the pair uses a failover key, configure the same key on the replacement unit as well before you proceed.

5. Plug the replacement primary unit into the network, and run this command:

ASA(config)#failover

Troubleshoot

When a failover occurs, both security appliances send out system messages. This section includes these topics:

Failover Monitoring
Unit Failure
%ASA-3-210005: LU allocate connection failed
%PIX|ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name
Failover System Messages
Debug Messages
SNMP
NAT 0 Issue
ERROR: Failover cannot be configured while the local CA server is configured.
Known Issues

Failover Monitoring

This example demonstrates what happens when failover has not yet started to monitor the network interfaces. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the other unit on that interface. This takes about 30 seconds. If the unit is attached to a network switch that runs Spanning Tree Protocol (STP), this takes twice the "forward delay" time configured in the switch (typically 15 seconds), plus this 30 second delay. This is because at PIX boot-up and immediately after a failover event, the network switch detects a temporary bridge loop. Upon detection of this loop, it stops forwarding packets on these interfaces for the "forward delay" time. It then enters the "listen" mode for an additional "forward delay" time, during which the switch listens for bridge loops but does not forward traffic (or forward failover "hello" packets). After twice the forward delay time (30 seconds), traffic flow resumes. Each PIX remains in a "waiting" mode until it hears 30 seconds worth of "hello" packets from the other unit. During this time the PIX passes traffic, and it does not fail the other unit based on not hearing the "hello" packets. All other failover monitoring still occurs (that is, Power, Interface Loss of Link, and Failover Cable "hello").

For failover, Cisco strongly recommends that customers enable portfast on all switch ports that connect to PIX interfaces. In addition, channeling and trunking must be disabled on these ports. If an interface of the PIX goes down during failover, the switch then does not have to wait 30 seconds while the port transitions from listening to learning to forwarding.

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 6930 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
        Other host: Secondary - Standby
                Active time: 15 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Normal (Waiting)

In summary, check these points to narrow down failover problems:

Check the network cables connected to the interface in the waiting/failed state and, if possible, replace them.
If there is a switch connected between the two units, verify that the networks connected to the interface in the waiting/failed state function correctly.
Check the switch port connected to the interface in the waiting/failed state and, if possible, use another Fast Ethernet port on the switch.
Check that you have enabled portfast and disabled both trunking and channeling on the switch ports that are connected to the interface.

Unit Failure

In this example, failover has detected a failure. Note that Interface 1 on the primary unit is the source of the failure. The units are back in "waiting" mode because of the failure. The failed unit has removed itself from the network (interfaces are down) and is no longer sending "hello" packets on the network. The active unit remains in a "waiting" state until the failed unit is replaced and failover communications start again.

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby (Failed)
                Active time: 7140 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 30 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
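The show failover output is the thing you read in the Verify section to confirm a healthy pair and in the two troubleshooting examples above to spot interfaces stuck in (Waiting) or marked Failed. The following Python script is an added example, not part of this document or of the appliance software: it parses that output and returns the findings an operator would act on (failover not On, a software version mismatch between the units, no unit Active, no unit Standby Ready, any interface not Normal, any interface still Waiting). Both sample outputs are constructed after the ones printed in this document; the HEALTHY sample follows the Verify section, the FAILED sample follows the Unit Failure example.

```python
"""Parse `show failover` output and report an unhealthy Active/Standby pair.

Added example, not from the Cisco document or the appliance software.
It covers the output shape shown in the Verify section (named interfaces,
Version line) and in the Failover Monitoring / Unit Failure examples
(numbered interfaces with a trailing (Waiting) sub-state).
"""
import re

# Constructed after the Verify section: a healthy pair.
HEALTHY = """\
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 06:07:44 UTC Dec 26 2006
        This host: Primary - Active
                Active time: 1905 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
"""

# Constructed after the Unit Failure example: Interface 1 on the primary
# failed, the secondary took over, and monitoring is back in Waiting.
FAILED = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby (Failed)
                Active time: 7140 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 30 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(\w+)(?:\s+\((\w+)\))?\s*$")
VERSION_RE = re.compile(r"^Version:\s+Ours (\S+), Mate (\S+)\s*$")


def parse_show_failover(text):
    """Return {'failover': bool, 'versions': (ours, mate) or None, 'hosts': [...]}.

    Each host is {'which': 'This'|'Other', 'role': 'Primary'|'Secondary',
    'state': e.g. 'Active', 'Standby Ready', 'Standby (Failed)',
    'interfaces': [(name, ip, status, substate_or_None), ...]}.
    """
    result = {"failover": False, "versions": None, "hosts": []}
    cur = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover"] = True
            continue
        m = VERSION_RE.match(line)
        if m:
            result["versions"] = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            cur = {"which": m.group(1), "role": m.group(2), "state": m.group(3), "interfaces": []}
            result["hosts"].append(cur)
            continue
        m = IFACE_RE.match(line)
        if m and cur is not None:
            cur["interfaces"].append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return result


def health_findings(parsed):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if not parsed["failover"]:
        findings.append("failover is not On")
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    states = [h["state"] for h in parsed["hosts"]]
    if "Active" not in states:
        findings.append("no unit is Active")
    if "Standby Ready" not in states:
        others = ", ".join(s for s in states if s != "Active") or "none"
        findings.append("no unit is Standby Ready (other state: %s)" % others)
    for h in parsed["hosts"]:
        for name, ip, status, sub in h["interfaces"]:
            if status != "Normal":
                findings.append("%s interface %s (%s) is %s" % (h["role"], name, ip, status))
            if sub == "Waiting":
                findings.append("%s interface %s (%s) is still Waiting for hellos from the mate" % (h["role"], name, ip))
    return findings


if __name__ == "__main__":
    for sample in (HEALTHY, FAILED):
        print(health_findings(parse_show_failover(sample)) or ["pair looks healthy"])
```

Run it against show failover captured from each unit (for example over SSH during a change window); a Waiting finding that persists past the roughly 60 seconds explained above points at the switch port or cabling checks listed in the Failover Monitoring section.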

LU allocate connection failed

A memory problem might exist if you receive this error message:

%ASA-3-210005: LU allocate connection failed

Upgrade the PIX/ASA software in order to resolve this issue. Refer to Cisco bug ID CSCte80027 (registered customers only) for more information.

Primary Lost Failover communications with mate on interface interface_name

This failover message is displayed if one unit of the failover pair can no longer communicate with the other unit of the pair. Primary can also be listed as Secondary for the secondary unit.

(Primary) Lost Failover communications with mate on interface interface_name

Verify that the network that is connected to the specified interface is functioning correctly.

Failover System Messages

The security appliance issues a number of system messages related to failover at priority level 2, which indicates a critical condition. In order to view these messages, refer to the Cisco Security Appliance Logging Configuration and System Log Messages to enable logging and to see descriptions of the system messages.

Note: During a switchover, failover logically shuts down and then brings up interfaces, which generates syslog 411001 and 411002 messages. This is normal activity.

Debug Messages

In order to see debug messages, enter the debug fover command. Refer to the Cisco Security Appliance Command Reference for more information.

Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.

SNMP

In order to receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. Refer to the snmp-server and logging commands in the Cisco Security Appliance Command Reference for more information.

NAT 0 Issue

When the power on the Cisco Security Appliance is cycled, the nat 0 command disappears from the running configuration. This issue occurs even after the configuration is saved: other commands are saved, but the nat 0 command is not. This is Cisco bug ID CSCsk18083 (registered customers only). In order to avoid this issue, do not reference invalid access-lists in NAT exemption (nat 0 access-list) statements; use only permit ip or deny ip ACEs in those access-lists.

Failover Polltime

In order to specify the failover unit poll and hold times, use the failover polltime command in global configuration mode.

In failover polltime unit [msec] time [holdtime [msec] time], the poll time is the interval at which the unit sends hello messages over the failover link to check that its peer is still present. The holdtime is the period during which a unit must receive a hello message on the failover link; if none arrives within it, the peer unit is declared failed.

In order to specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. In order to restore the default poll and hold times, use the no form of this command.

failover polltime interface [msec] time [holdtime time]

Use the failover polltime interface command in order to change the frequency at which hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interface command in failover group configuration mode instead of the failover polltime interface command. You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time. You can include both the failover polltime unit and failover polltime interface commands in the configuration.

This example sets the interface poll time frequency to 500 milliseconds and the hold time to 5 seconds:

hostname(config)#failover polltime interface msec 500 holdtime 5

Refer to the failover polltime section of the Cisco Security Appliance Command Reference, Version 7.2 for more information.
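The rules above (poll time in seconds unless msec is given, holdtime in seconds, holdtime at least 5 times the poll time, interface testing that starts after more than half the holdtime without a hello) are easy to get wrong when tuning for faster detection. The following Python function is an added example, not from this document or the appliance software: it validates a poll/holdtime pair, renders the CLI command, and returns when interface testing starts. The range limits it enforces (1-15 seconds or 500-999 ms poll, 5-75 seconds holdtime) are the platform's documented limits for this command and are an assumption of this example, not something this document states.

```python
"""Validate `failover polltime interface` values before you type them.

Added example, not from the Cisco document or the appliance software.
It encodes the rules the document states for
    failover polltime interface [msec] time [holdtime time]
and the platform range limits noted in the lead-in (an assumption here).
"""


def interface_polltime(poll, holdtime, msec=False):
    """Return (cli_command, poll_seconds, holdtime_seconds, testing_starts_after_seconds).

    poll     -- hello interval on the data interfaces, in seconds, or in
                milliseconds when msec is True
    holdtime -- seconds without a hello after which the interface is failed
    Raises ValueError for a combination the appliance rejects.
    """
    if msec:
        if not 500 <= poll <= 999:          # assumed platform range for an msec poll
            raise ValueError("msec poll time must be between 500 and 999")
        poll_s = poll / 1000.0
    else:
        if not 1 <= poll <= 15:             # assumed platform range for a seconds poll
            raise ValueError("poll time must be between 1 and 15 seconds")
        poll_s = float(poll)
    if not 5 <= holdtime <= 75:             # assumed platform range for the holdtime
        raise ValueError("holdtime must be between 5 and 75 seconds")
    if holdtime < 5 * poll_s:               # rule stated in the document
        raise ValueError("holdtime cannot be less than 5 times the poll time")
    cmd = "failover polltime interface %s%d holdtime %d" % ("msec " if msec else "", poll, holdtime)
    # Per the document, interface testing starts once no hello has been heard
    # for over half the holdtime; the interface is declared failed at holdtime.
    return cmd, poll_s, float(holdtime), holdtime / 2.0


def accepted(poll, holdtime, msec=False):
    """True when the appliance would accept the combination, False otherwise."""
    try:
        interface_polltime(poll, holdtime, msec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The document's own example: 500 ms poll, 5 s holdtime.
    print(interface_polltime(500, 5, msec=True))
    # The trade-off the document describes: a faster poll detects failure sooner
    # but risks a needless switchover on a temporarily congested network.
    for p, h in ((15, 75), (5, 25), (1, 5)):
        print(interface_polltime(p, h)[0])
```

For the document's example the function returns a 2.5 second threshold before testing starts and a 5 second time to declare the interface failed; compare that with the default 5 second poll and 25 second holdtime shown in the show failover output in the Verify section when you decide how aggressive to be.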

Export Certificate/Private Key in Failover Configuration

The primary device automatically replicates the private key/certificate to the secondary unit. Issue the write memory command on the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated from the active unit configuration.

Note: You must not manually export the certificates, keys, and trust points from the active device and then import them on the standby device.

Because the private key crosses the failover link during replication, configure a failover key so that the link is encrypted.

WARNING: Failover message decryption failure.

Error message:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

This problem occurs when the failover key configuration differs between the two units. In order to resolve this issue, remove the failover key on both units and configure the same new shared key on each.

ASA Modules Failover

If an Advanced Inspection and Prevention Security Services Module (AIP-SSM) or a Content Security and Control Security Services Module (CSC-SSM) is used in the active and standby units, it operates independently of the ASA in terms of failover. Modules must be configured manually in the active and standby units; failover does not replicate the module configuration.

In terms of failover, both ASA units that have AIP-SSM or CSC-SSM modules must have the same module hardware type. For example, if the primary unit has the ASA-SSM-10 module, the secondary unit must also have the ASA-SSM-10 module.

In order to replace the AIP-SSM module on a failover pair of ASAs, you must run the hw-module module 1 shutdown command before you remove the module. In addition, the ASA must be powered down, as the modules are not hot-swappable. For more information on how to install and remove the AIP-SSM, refer to Installation and Removal Instructions.

Failover message block alloc failed

Error Message: %PIX|ASA-3-105010: (Primary) Failover message block alloc failed

Explanation: Block memory was depleted. This is a transient message, and the security appliance should recover. Primary can also be listed as Secondary for the secondary unit.

Recommended Action: Use the show blocks command in order to monitor the current block memory.

AIP Module Failover Problem

If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism; the AIP-SSM is not included in failover.

The AIP-SSM operates independently of the ASA in terms of failover. From the ASA perspective, all that failover needs is that the AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby units must be in sync. The AIPs themselves are effectively independent sensors: there is no failover between the two, they have no awareness of each other, and they can run independent versions of code. The versions do not have to match, and the ASA does not care about the code version on the AIP with respect to failover.

ASDM initiates a connection to the AIP through the management interface IP address that you configured on the AIP; in other words, it connects to the sensor, typically through HTTPS, depending on how you set up the sensor. The ASA can fail over independently of the IPS (AIP) modules, and you remain connected to the same sensor because you connect to its management IP. In order to configure or access the other AIP, you must connect to its management IP.

For sample configurations on how to send network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) (IPS), refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example.

Unable to Upgrade the ASA Failover Pair from Ethernet Card to Optical Interface

Complete these steps in order to upgrade the ASA failover pair from an Ethernet card to an optical interface:

1. Ensure that the primary device is active, shut down the secondary/standby ASA, and add the new interface card.
2. Remove all cables and boot the secondary/standby ASA to test that the new hardware is operational.
3. Shut down the secondary/standby ASA again, and reconnect the cables.
4. Shut down the primary/active ASA, and boot the secondary ASA.

Note: Do not allow both ASAs to become active at the same time.

5. Confirm that the secondary ASA is up and passing traffic, and then make the secondary device active with the failover active command.
6. Install the new interface on the primary ASA, and remove the cables.
7. Boot the primary ASA, and test the new hardware.
8. Shut down the primary ASA, and reconnect the cables.
9. Boot the primary ASA, and make the primary device active with the failover active command.

Note: Verify the failover status on both devices with the show failover command. If the failover status is OK, you can configure the interfaces on the primary active device, and the configuration is replicated to the secondary standby unit.

ERROR: Failover cannot be configured while the local CA server is configured.

This error message appears when a user attempts to configure failover on an ASA:

ERROR: Failover cannot be configured while the local CA server is configured. Please remove the local CA server configuration before configuring failover.

This error occurs because the ASA does not support a local CA server and failover at the same time.

%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed

I receive this error message on my failover ASA pair:

%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed

This issue usually occurs because of the IPS or CSC module and not because of the ASA itself. If you receive this message in the error log, verify the configuration of the modules or try to reseat them. Refer to Cisco Bug ID CSCtf00039 (registered customers only) for more information.

Known Issues

Error: The name on the security certificate is invalid or does not match the name of the site

When a user attempts to access ASDM on the secondary ASA of a failover pair that runs version 8.x software with ASDM version 6.x, this error is received:

Error: The name on the security certificate is invalid or does not match the name of the site

In the certificate, the Issuer and the Subject Name are the IP address of the active unit (not the IP address of the standby unit). In ASA version 8.x, the internal (ASDM) certificate is replicated from the active unit to the standby unit, which causes the error message. However, if the same firewall runs version 7.x code with 5.x ASDM and you try to access ASDM, you receive the regular security warning:

The security certificate has a valid name matching the name of the page you are trying to view

When you check the certificate, the issuer and the subject name are the IP address of the standby unit.

Error: %ASA-ha-3-210007: LU allocate xlate failed

This error is received:

%ASA-ha-3-210007: LU allocate xlate failed

This issue has been observed and logged in Cisco Bug ID CSCte08816 (registered customers only). In order to resolve this issue, you must upgrade to one of the software versions in which this bug has been fixed.

Standby ASA reloads during xlate replication from Primary

At the moment, this issue is seen with releases 8.4.2 and 8.4.1.11. Upgrade to 8.4.2.4 in order to fix the issue. Refer to Cisco bug ID CSCtr33228 for more information.

Related Information

Cisco PIX Firewall Software
Firewall Services Module (FWSM) Failover Configuration
FWSM Failover Troubleshooting
How Failover Works on the Cisco Secure PIX Firewall
ASA Failover Handling of SSL VPN Application Traffic and Configurations
Technical Support & Documentation - Cisco Systems

Updated: Nov 04, 2009

Document ID: 77809