Active/Active Failover - NetwaxLab

Saturday, May 30, 2015

Active/Active Failover

Active/Active failover is only available to ASAs in multiple context mode. In an Active/Active failover configuration, both ASAs can pass network traffic.

In Active/Active failover, you divide the security contexts on the ASA into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

Failover Configuration Limitations

You cannot configure failover with these types of IP addresses:

  • IP addresses obtained through DHCP
  • IP addresses obtained through PPPoE
  • IPv6 addresses

Additionally, these restrictions apply:

  • Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
  • Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
  • You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive security appliance.
  • VPN failover is not supported in multiple context mode.

Unsupported Features

Multiple context mode does not support these features:

  • Dynamic routing protocols: security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.
  • VPN
  • Multicast

Configuration

(Note: First complete the basic configuration shown in the topology figure.)

Topology

ASA_1_Active

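! Active/Active failover requires multiple context mode
mode multiple

! Failover group 1 prefers the primary unit
failover group 1
 primary
 preempt

! Failover group 2 prefers the secondary unit
failover group 2
 secondary
 preempt

! The same interface (fover) carries the failover LAN link and the state link
failover lan unit primary
failover lan interface fover e0/2
failover replication http
failover link fover e0/2
failover interface ip fover 10.0.0.100 255.255.255.0 standby 10.0.0.101

context c1
 join-failover-group 1

context c2
 join-failover-group 2

! Enable failover
failover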

ASA_2_Active

mode multiple

! Stated explicitly here; secondary is the default unit role
failover lan unit secondary
failover lan interface fover e0/2
failover replication http
failover link fover e0/2
failover interface ip fover 10.0.0.100 255.255.255.0 standby 10.0.0.101

! Enable failover
failover

Verification

ASA(config)#show failover
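
The failover-group rules described above (at most two groups, the admin context always in group 1, unassigned contexts defaulting to group 1) can be checked offline against a saved system configuration before comparing with the show failover output. The Python script below is an added example, not part of the original post or any Cisco tooling; the sample configuration, the context names admin and c3, and the audit function are constructed for illustration.

```python
import re

# Constructed sample of a system-context config (admin and c3 are assumed names).
SAMPLE = """\
failover group 1
 primary
failover group 2
 secondary
admin-context admin
context admin
context c1
 join-failover-group 1
context c2
 join-failover-group 2
context c3
failover
"""

def audit(config):
    """Return ({context: failover group}, [findings]) for one system config."""
    groups, membership, findings = set(), {}, []
    context, admin, enabled = None, None, False
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"failover group (\d+)", line):
            groups.add(int(m.group(1)))
            context = None
        elif m := re.fullmatch(r"admin-context (\S+)", line):
            admin = m.group(1)
        elif m := re.fullmatch(r"context (\S+)", line):
            context = m.group(1)
            membership[context] = 1  # unassigned contexts default to group 1
        elif (m := re.fullmatch(r"join-failover-group (\d+)", line)) and context:
            membership[context] = int(m.group(1))
        elif line == "failover":
            enabled = True
    if not enabled:
        findings.append("failover is not enabled")
    if len(groups) > 2:
        findings.append("more than two failover groups defined")
    if admin and membership.get(admin, 1) != 1:
        findings.append(f"admin context {admin} is not in failover group 1")
    for ctx, grp in membership.items():
        if grp not in groups:
            findings.append(f"context {ctx} joins undefined failover group {grp}")
    return membership, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, c3 has no join-failover-group line and so lands in group 1 alongside admin and c1, which is worth knowing when the goal is to split traffic evenly between the two units.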
