Aug 1, 2010

High availability using ASA/PIX

I've implemented the scenario below using all ASA/PIX features for high availability.


The failover has been configured to be stateful, authenticated (failover key) and to replicate HTTP sessions. HTTP replication can put a high load on the failover link, so it is only recommended when the HTTP session state must survive a failover and the failover link is dedicated.

interface Ethernet0/5
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink Ethernet0/5
failover interface-policy 1

failover key *****
failover replication http
failover mac address Redundant2 0000.abcd.1013 0000.abcd.1113
failover mac address Redundant1 0000.abcd.1010 0000.abcd.1110
failover mac address Ethernet0/2 0000.abcd.1012 0000.abcd.1112
failover link folink Ethernet0/5
failover interface ip folink 10.255.255.253 255.255.255.252 standby 10.255.255.254
prompt hostname priority state


A redundant interface pair has been assigned to the primary Internet connection (ISP1), and the inside interface is also a redundant pair. The secondary Internet link uses a single physical interface. It is important to note that the members of a redundant interface cannot carry subinterfaces or a nameif; when a physical interface becomes a member, its security-level and IP address are cleared automatically, and these attributes are configured on the Redundant interface instead.

interface Ethernet0/0
 description Link ISP1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 description Link ISP1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description Link ISP2
 nameif outside-isp2
 security-level 0
 ip address 172.31.10.2 255.255.255.248 standby 172.31.10.3
!
interface Ethernet0/3
 description Inside LAN
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 description Inside LAN
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif outside-isp1
 security-level 0
 ip address 192.168.10.2 255.255.255.248 standby 192.168.10.3
!
interface Redundant2
 member-interface Ethernet0/3
 member-interface Ethernet0/4
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0 standby 10.0.0.2
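The rules stated above (members carry no nameif, security-level or IP address, the Redundant interface carries them, every addressed interface of a failover pair has a standby address, and the failover stanza from the previous section is keyed and has a state link) can be checked mechanically before a configuration is pushed. The script below is an added example written for this post, not Cisco tooling or the original author's code; GOOD_CONFIG is trimmed from the configuration shown above, and BAD_CONFIG is a constructed counter-example.

```python
# Added example (not from the original post): lint ASA interface and
# failover stanzas for the rules stated above.
import re

# Trimmed from the post's configuration: members of Redundant1 carry no
# nameif, security-level or IP address; Redundant1 and Ethernet0/2 do, with
# standby addresses for the failover pair.
GOOD_CONFIG = """\
failover
failover lan interface folink Ethernet0/5
failover key *****
failover link folink Ethernet0/5
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
interface Ethernet0/2
 nameif outside-isp2
 security-level 0
 ip address 172.31.10.2 255.255.255.248 standby 172.31.10.3
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif outside-isp1
 security-level 0
 ip address 192.168.10.2 255.255.255.248 standby 192.168.10.3
"""

# Constructed counter-example: a member that still has a nameif and IP, a
# single-member pair without a standby address, and no failover key.
BAD_CONFIG = """\
failover
failover lan interface folink Ethernet0/5
failover link folink Ethernet0/5
interface Ethernet0/0
 nameif outside-isp1
 ip address 192.168.10.2 255.255.255.248
interface Redundant1
 member-interface Ethernet0/0
 nameif outside
 ip address 192.168.10.2 255.255.255.248
"""


def parse_interfaces(config):
    """Return {name: {"members", "nameif", "ip", "standby"}} per interface."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            current = words[1]
            ifaces[current] = {"members": [], "nameif": None, "ip": None, "standby": None}
        elif words[0] == "!":
            current = None                  # end of the interface block
        elif current is None or words[0] == "no":
            continue                        # global command, or "no nameif" etc.
        elif words[0] == "member-interface":
            ifaces[current]["members"].append(words[1])
        elif words[0] == "nameif":
            ifaces[current]["nameif"] = words[1]
        elif words[:2] == ["ip", "address"]:
            ifaces[current]["ip"] = words[2]
            ifaces[current]["standby"] = words[5] if words[4:5] == ["standby"] else None
    return ifaces


def lint(config):
    """Return findings as strings; an empty list means every check passed."""
    ifaces = parse_interfaces(config)
    findings, owner = [], {}            # owner: member -> Redundant interface
    for name, data in ifaces.items():
        if not name.startswith("Redundant"):
            continue
        if len(data["members"]) != 2:
            findings.append(f"{name}: expected 2 member interfaces, found {len(data['members'])}")
        if data["nameif"] is None or data["ip"] is None:
            findings.append(f"{name}: a redundant interface needs nameif and ip address")
        for member in data["members"]:
            if member in owner:
                findings.append(f"{member}: member of both {owner[member]} and {name}")
            owner[member] = name
            mdata = ifaces.get(member, {})
            if mdata.get("nameif") or mdata.get("ip"):
                findings.append(f"{member}: member of {name} must not carry nameif or ip address")
    # Every addressed interface of a failover pair needs a standby address,
    # otherwise the units cannot monitor it.
    for name, data in ifaces.items():
        if data["ip"] is not None and data["standby"] is None:
            findings.append(f"{name}: ip address without standby address")
    if re.search(r"^failover$", config, re.M):
        if not re.search(r"^failover key ", config, re.M):
            findings.append("failover enabled without 'failover key': failover traffic is unauthenticated")
        if not re.search(r"^failover link ", config, re.M):
            findings.append("no 'failover link': connection state is not replicated")
    return findings
```

Running lint() on GOOD_CONFIG returns no findings, while BAD_CONFIG yields five: the single-member pair, the member that still carries a nameif and IP, two missing standby addresses, and the missing failover key. The parser only understands the handful of commands the checks need; anything else inside an interface block is ignored.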


When the active member of a redundant interface fails, the other member takes the active role. The pair also fails back: when the member at index 0 returns from the failed state, it becomes the active member again, as the debug output below shows.

redundant interface Redundant1 active member Ethernet0/0 admin becomes down.
redundant interface Redundant1 switchover, active idx 0, stby idx 1
redundant interface Redundant1 switching active from Ethernet0/0 to Ethernet0/1.
Send gratuitous ARP on Redundant1.
redundant interface Redundant1 switch active to Ethernet0/1 done.
redundant interface Redundant1 switchovered to member 1.

redundant interface Redundant1 stby member Ethernet0/0 admin becomes up.
active member Ethernet0/1 is already up, no further action.
redundant interface Redundant1 switching active from Ethernet0/1 to Ethernet0/0.
Send gratuitous ARP on Redundant1.
redundant interface Redundant1 switch active to Ethernet0/0 done.


Moreover, the member failure also resulted in a device failover. This happens because monitor-interface makes the system monitor the state of the redundant interface, not the state of each physical member individually, so the failover cannot be configured to happen only when all members of the redundant interface have failed.

fover_parse: parse_thread_helper() - mate ifc 2 link status change from 1 to 4
fover_parse: parse_thread_helper() - mate ifc 2 link status change from 4 to 0


The default route that forwards traffic through ISP1 is monitored with SLA Monitor. If the monitoring fails, the route is withdrawn and replaced by the secondary one (the route with the higher administrative distance). The NAT settings follow this replacement because both outside interfaces carry a global statement for NAT id 1; however, for inbound traffic (e.g., connections to SMTP servers) additional resources are needed to keep the services reachable through the secondary link (e.g., BGP).

global (outside-isp1) 1 interface
global (outside-isp2) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
route outside-isp1 0.0.0.0 0.0.0.0 192.168.10.1 1 track 1
route outside-isp2 0.0.0.0 0.0.0.0 172.31.10.1 254
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.10.1 interface outside-isp1
 num-packets 3
 timeout 4000
 threshold 2500
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability


I used the next-hop address to monitor the link state. A well-known Internet address could be used instead, to monitor the whole ISP path rather than only the local link to the ISP. In that case the target must always be reachable and must answer ICMP echo, and the probe must leave through outside-isp1 (the interface keyword of the sla monitor entry above does this), otherwise a reply via ISP2 would keep the track up while the primary path is down.

If the monitoring recovers from the failed state, the firewall swaps the routes back, since the primary route has the lower administrative distance (failback).

IP SLA Monitor(1) Scheduler: Starting an operation
IP SLA Monitor(1) echo operation: Sending an echo operation
IP SLA Monitor(1) echo operation: Timeout
IP SLA Monitor(1) echo operation: Timeout
IP SLA Monitor(1) echo operation: Timeout
IP SLA Monitor(1) Scheduler: Updating result

Aug 01 2010 20:14:32: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 192.168.10.1, distance 1, table Default-IP-Routing-Table, on interface outside-isp1

IP SLA Monitor TRACE debugging for entry 1 is on
IP SLA Monitor(1) Scheduler: Starting an operation
IP SLA Monitor(1) echo operation: Sending an echo operation
IP SLA Monitor(1) echo operation: RTT=13 OK
IP SLA Monitor(1) echo operation: RTT=20 OK
IP SLA Monitor(1) echo operation: RTT=20 OK
IP SLA Monitor(1) Scheduler: Updating result

Aug 01 2010 20:13:46: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 192.168.10.1, distance 1, table Default-IP-Routing-Table, on interface outside-isp1
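The route swap and swap-back described above can be followed from the %ASA-6-622001 messages alone, which is useful when building a detection for link flaps. The script below is an added example, not code from the original post: it parses the post's two route statements, replays tracked-route syslog messages against them and reports which interface carries the default route after each event. The syslog sample is constructed in the format of the messages shown above; its timestamps are made up.

```python
# Added example (not from the original post): replay %ASA-6-622001 tracked-
# route messages against the post's static routes to see which default
# route is in use after each event.
import re
from dataclasses import dataclass
from typing import Optional

# Static routes copied from the post: the primary is tied to track 1, the
# secondary has administrative distance 254 and no track.
ROUTE_CONFIG = """\
route outside-isp1 0.0.0.0 0.0.0.0 192.168.10.1 1 track 1
route outside-isp2 0.0.0.0 0.0.0.0 172.31.10.1 254
"""

# Constructed sample in the format of the syslog lines shown above
# (timestamps are made up): the tracked route is installed, withdrawn when
# track 1 fails, then re-installed when the SLA probe succeeds again.
SAMPLE_SYSLOG = """\
Aug 01 2010 20:13:46: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 192.168.10.1, distance 1, table Default-IP-Routing-Table, on interface outside-isp1
Aug 01 2010 20:14:32: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 192.168.10.1, distance 1, table Default-IP-Routing-Table, on interface outside-isp1
Aug 01 2010 20:15:10: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 192.168.10.1, distance 1, table Default-IP-Routing-Table, on interface outside-isp1
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?$")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-622001: "
    r"(?P<action>Adding|Removing) tracked route (?P<prefix>\S+) (?P<mask>\S+) "
    r"(?P<nexthop>\S+), distance (?P<distance>\d+), table \S+, on interface (?P<iface>\S+)$")


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str
    mask: str
    nexthop: str
    distance: int
    track: Optional[int]          # None for an untracked (always installed) route


def parse_routes(config):
    """Parse 'route <ifc> <prefix> <mask> <nexthop> <distance> [track <n>]' lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, prefix, mask, nexthop, dist, track = m.groups()
            routes.append(Route(iface, prefix, mask, nexthop, int(dist),
                                int(track) if track else None))
    return routes


def best_route(routes, prefix, mask, withdrawn=frozenset()):
    """Lowest administrative distance among the installed routes for a prefix."""
    candidates = [r for r in routes
                  if (r.prefix, r.mask) == (prefix, mask) and r not in withdrawn]
    return min(candidates, key=lambda r: r.distance, default=None)


def replay(routes, syslog):
    """Return [(timestamp, action, interface now used for the default route)]."""
    withdrawn, events = set(), []
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        key = (m["iface"], m["prefix"], m["mask"], m["nexthop"])
        route = next((r for r in routes
                      if (r.iface, r.prefix, r.mask, r.nexthop) == key), None)
        if route is None:
            continue                      # message for a route we do not know
        if m["action"] == "Removing":
            withdrawn.add(route)          # track went down, route withdrawn
        else:
            withdrawn.discard(route)      # track came back, route re-installed
        active = best_route(routes, m["prefix"], m["mask"], withdrawn)
        events.append((m["ts"], m["action"], active.iface if active else None))
    return events
```

For the sample above replay() reports outside-isp1, then outside-isp2 after the "Removing" message, then outside-isp1 again after the second "Adding": the failover and the failback of the default route. Feeding the real syslog stream of a firewall into replay() and alerting on repeated transitions within a short window is a simple way to catch a flapping primary link.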



asa(config)# end
asa# wr mem
