CCIE Security Notes: ASA HA Notes (9.6.1)

To be an HA pair, ASAs must:

  • Be identical (model, number of interfaces, modules, RAM, etc.)
  • Be connected through a dedicated failover link, optionally with a separate state link
  • Have the same firewall mode - routed or transparent
  • Have the same context mode
  • Have the same major and minor software version
  • Have the same AnyConnect images

 

ASA supports two failover modes, and either can be deployed as stateful or stateless:

  • Active/Active
    • Both ASAs pass traffic
    • The security contexts are divided into 2 failover groups (this is the maximum). Failover group 1 is active on one unit and standby on the other, and failover group 2 is the exact opposite.
    • Failover occurs at the failover group level
    • Only supported in multiple context mode
    • Failover group 1 should always contain the admin context
  • Active/Standby
    • One unit is active and passing traffic and the other is not passing anything

 

  • Stateful or Stateless failover?
    • Stateless Failover - All active connections are dropped. This can be disruptive to the end user
    • Stateful Failover - The active unit continuously passes connection state information to the standby
      • With stateful failover, the following state information is passed: 
        • NAT translation table
        • TCP connection states
        • UDP connection states
        • SCTP connection states
        • ARP table
        • Layer 2 bridge table
        • HTTP connection table 
        • HTTP connection state if enabled
        • ISAKMP and IPSec SA table
        • GTP PDP connection database
        • SIP signaling sessions 
        • ICMP connection state if enabled
        • Dynamic routing protocols
        • IP softphone sessions
        • VPN 
      • What state information is not passed: 
        • Uauth table
        • Application inspections that use advanced TCP-state tracking
        • TCP state bypass connections
        • DHCP client
        • DHCP server address leases
        • Multicast routing
        • State information for modules
        • Certain clientless SSL VPN features:
          • Smart Tunnels
          • Port Forwarding
          • Plugins
          • Java Applets
          • IPv6 clientless or AnyConnect sessions
          • Citrix authentication

 

Failover defaults:

  • No HTTP replication for stateful
  • A single interface failure causes failover
  • Interface poll time is 5 seconds
  • Interface hold time is 25 seconds
  • Unit poll time is 1 second 
  • Unit hold time is 15 seconds
  • Virtual MACs are disabled in multicontext mode
  • All physical interfaces are monitored 

 

Active unit is determined by:

  • On boot, a unit that detects a peer that is already active becomes the standby
  • A unit that boots and doesn't detect a peer becomes active
  • If both boot at the same time, primary becomes active and secondary becomes standby
  • Failover occurs on a unit basis
  • With Active/Standby and preemption enabled, the correct primary is made active once both ASAs have booted
  • With Active/Active, failover can occur on a failover group basis

 

Link types - 

  • Normal Interfaces 
    • Can be configured with active and standby IPs and MAC addresses 
    • When failover occurs, the unit becoming active takes over the active IP and MAC addresses and the unit becoming standby takes over the standby IP and MAC addresses. Traffic continues to be forwarded and ARP entries don't need to change
    • ASA does not send gratuitous ARPs for static NAT addresses when MAC addresses change

 

  • Failover Link - 
    • Can be a physical interface or a port channel, but it must not currently have a nameif on it
    • Can't be a shared interface
    • The two ends need to be layer 2 adjacent
    • When a failover occurs, the IP address and MAC address on this interface don't change
    • Communicates the following with the peer:
      • State - whether it's active or standby
      • Hello messages/keepalives
      • Network link status
      • MAC addresses
      • Configuration replication and syncing 

 

  • Stateful Link
    • This is an optional link and you must configure it explicitly
    • It can be shared with the failover link to conserve interfaces
    • Can use a physical interface or a port channel, like the failover link, but if it uses a port channel only one link in the bundle is used, to prevent packets from arriving out of order
    • Should be layer 2 adjacent as well
    • When a failover occurs, the IP address and MAC address on this interface don't change UNLESS it's configured on a data port

 

HA with Transparent Firewall Mode - 

  • Spanning tree is a consideration here, since a port goes into blocking mode while spanning tree reconverges. You can potentially avoid this by using access ports to the transparent firewall, but you have to make sure you don't create loops

Health - 

  • The ASA relies on hello messages to determine the health of the other ASA
  • If 3 consecutive hello messages are not received, the ASA sends a special message on all the interfaces to see if the peer is responding
    • If no response on the failover link, it won't failover. 
    • If there's a response on one of the data interfaces but not the failover, it won't failover but it will mark the failover link as failed. 
    • If there is no response on any interface, then it will fail over and assume the other unit is failed
  • Can monitor up to 250 interfaces as part of health check on the ASA. Recommended to only monitor the important ones. 
  • With Firepower, it monitors the backplane and if the module fails, that'll trigger a failover 
  • Interfaces with both IPv4 and IPv6 addresses will use the IPv4 address for monitoring
  • Interface tests performed by the ASA:
    • Link Up/Link Down
    • Network Activity from generated traffic
    • ARP test to see if the interface counts ARP requests 
    • Broadcast ping test

Replication - 

  • Standby keeps the configuration in running memory. To save it on both, use the write memory all command 
  • Some files are not replicated including the following:
    • AnyConnect images & profiles
    • CSD images
    • Local CAs
    • ASA images
    • ASDM images
  • Commands not replicated to the standby:
    • Copy commands except copy running-config startup-config
    • Write commands except write memory
    • Debug commands
    • Failover lan unit commands
    • Firewall
    • Show
    • Terminal pager and pager

Active/Standby Configuration

  • On the ASA you want to be primary, issue the following
    failover lan unit primary
  • Configure the failover link for that ASA
    failover lan interface fo-name interface
  • Give the active and standby IP address for the failover link:
    failover interface ip fo-name ip-address mask standby ip-address
  • Enable the failover link
    interface interface
    no shutdown
  • Optionally, you can also configure the state link:
    failover link state-name interface
    • If you choose to make it a different interface than the failover link, you'll want to assign an active and standby IP address on it:
      failover interface ip state-name ip-address mask standby ip-address
    • Enable the state link:
      interface interface
      no shutdown
  • Can also encrypt the communication on the failover or state link using the following command:
    failover ipsec pre-shared-key key
    • If you choose to, you can use a failover key instead of IPSec using the following command:
      failover key key
      This is considered a legacy command
  • Enable failover:
    failover
  • For the secondary unit, use all the same commands except for the failover lan unit primary command. By default, a unit is secondary
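Worked example of the Active/Standby procedure above, added here and not part of the original notes or of Cisco's documentation. The interface names (FOLINK, STATELINK, GigabitEthernet0/x), the nameifs, all IP addresses and the pre-shared key are constructed placeholders. The data interfaces are included with active and standby IPs to show the normal-interface behaviour described under Link types.

```cisco
! ===== PRIMARY unit (single context, routed mode) =====
! Make this unit the primary; the peer is left at the default (secondary)
failover lan unit primary
! Dedicated failover link (no nameif on it), active/standby IPs, bring it up
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
interface GigabitEthernet0/2
 no shutdown
! Separate state link so connection state is replicated (stateful failover)
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/3
 no shutdown
! Encrypt failover and state traffic; CHANGE-ME-PSK is a placeholder key
failover ipsec pre-shared-key CHANGE-ME-PSK
! Replicate HTTP connection state too (off by default)
failover replication http
! Data interfaces carry an active and a standby IP; the active IP and MAC
! follow the active role on failover, so neighbours' ARP entries stay valid
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
! Turn failover on, then save; write memory is replicated to the standby
failover
write memory

! ===== SECONDARY unit =====
! Same failover-link commands and the same key, but no "failover lan unit
! primary"; the rest of the configuration is replicated from the primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
interface GigabitEthernet0/2
 no shutdown
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/3
 no shutdown
failover ipsec pre-shared-key CHANGE-ME-PSK
failover
```

Once both units show the pair as Active/Standby Ready in show failover, the other unit's view can be checked from the active unit with failover exec mate show failover.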

 

Active/Active Configuration

  • Configure multiple context mode first, then configure the IP addresses for the interfaces except for the failover and state links.
  • On the primary unit, issue the following command:
    failover lan unit primary
  • Configure the interface that will be used as the failover link:
    failover lan interface fo-name interface
  • Specify the active and standby IP addresses for the failover link:
    failover interface ip fo-name ip-address mask standby ip-address
  • Enable failover link:
    interface interface
    no shutdown
  • Optionally, you can specify an interface to use as the state link:
    failover link state-name interface
  • If the state link is a separate interface, you'll want to configure the active and standby IP addresses for it:
    failover interface ip state-name ip-address mask standby ip-address
  • Enable the state link interface:
    interface interface
    no shutdown
  • Optionally, if you want to encrypt the traffic between the failover and state links, you can do it the same way you did before with Active/Standby using the same commands:
    failover ipsec pre-shared-key key
    • If you choose to, you can use a failover key instead of IPSec using the following command:
      failover key key
      This is considered a legacy command
  • Create failover group 1 (the primary unit owns it; preempt optionally waits delay seconds before the preferred unit takes the group back):
    failover group 1
    primary
    preempt [delay]
  • Create failover group 2:
    failover group 2
    secondary
    preempt [delay]
  • Add a context to the failover group:
    context name
    join-failover-group {1|2}
  • Enable failover:
    failover
  • Configure the secondary the same way, except you wouldn't use the failover lan unit primary command since secondary is the default. The failover group and join-failover-group commands are replicated from the primary unit. You may want to force a failover of failover group 2, though, so that it's active on the secondary unit: 
    failover active group 2
  • Optionally, you can also configure asymmetric routing support on Active/Active to restore asymmetrically routed packets to the right interface. To do so, assign like interfaces to the same ASR group on both ASAs. Make sure you have stateful failover and HTTP replication enabled before starting, and do the following configuration within all the active contexts on the primary and standby ASAs. One caveat to remember is that you cannot configure both ASR groups and traffic zones in a context. To configure the ASR groups, do the following:
    • On the primary and secondary, specify the interface on which you want to allow asymmetrically routed packets and set the ASR group for the interface
      interface interface
      asr-group num
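Worked example of the Active/Active procedure above, including the optional ASR groups, added here and not part of the original notes or of Cisco's documentation. It assumes both units are already in multiple context mode; the context names (admin, ctxB), interface names, config-url paths, IP addresses and pre-shared key are constructed placeholders. The primary's system-space configuration comes first, then the per-context interface configuration, then the few commands typed on the secondary.

```cisco
! ===== PRIMARY unit, system execution space =====
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
interface GigabitEthernet0/2
 no shutdown
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/3
 no shutdown
failover ipsec pre-shared-key CHANGE-ME-PSK
! Physical data interfaces are enabled from the system space
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/4
 no shutdown
interface GigabitEthernet0/5
 no shutdown
! Group 1 is normally active on the primary, group 2 on the secondary.
! preempt 30: the preferred unit takes its group back 30 s after it is up.
! replication http is set per failover group in Active/Active (needed for ASR).
failover group 1
 primary
 preempt 30
 replication http
failover group 2
 secondary
 preempt 30
 replication http
! The admin context belongs to failover group 1 (the notes say group 1
! should always contain it); the second context joins group 2
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
context ctxB
 allocate-interface GigabitEthernet0/4
 allocate-interface GigabitEthernet0/5
 config-url disk0:/ctxB.cfg
 join-failover-group 2
failover

! ===== Inside each context (changeto is an exec command) =====
! Both contexts' outside interfaces share asr-group 1, so a return packet
! that lands on the other unit's outside interface is handed back to the
! context that owns the connection instead of being dropped
changeto context admin
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 asr-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
changeto context ctxB
interface GigabitEthernet0/4
 nameif outside
 security-level 0
 ip address 198.51.100.5 255.255.255.0 standby 198.51.100.6
 asr-group 1
interface GigabitEthernet0/5
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
changeto system
! Save every context's configuration on both units
write memory all

! ===== SECONDARY unit, system execution space =====
! Only the failover-link commands and the key; groups and contexts replicate
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
interface GigabitEthernet0/2
 no shutdown
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/3
 no shutdown
failover ipsec pre-shared-key CHANGE-ME-PSK
failover
! Move group 2 here so each unit carries one active group
failover active group 2
```

After the last command, show failover group 1 and show failover group 2 from the system space should report opposite active units for the two groups.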

 

Other nerd knobs:

  • Changing the unit poll and hold times. Note: You can't enter a hold time value that is less than 3 times the unit poll time. Change the times with the following command:
    failover polltime [unit] [msec] poll-time [holdtime [msec] time]
  • Change the session replication rate. Default is the maximum rate set by the model of ASA. Change it with the following command in Active/Standby. In Active/Active, it can't be set by failover group:
    failover replication rate conns
  • Disable configuration changes directly on secondary unit or context:
    failover standby config-lock
  • Enable HTTP state replication:
    failover replication http (Active/Standby)
    replication http (Active/Active)
  • Configure thresholds for failover when interfaces fail. The default is that when one interface fails, it causes a failover:
    failover interface-policy num [%] (Active/Standby)
    interface-policy num [%] (Active/Active)
  • Change the interface poll and hold times:
    failover polltime interface [msec] time [holdtime time] (Active/Standby)
    polltime interface [msec] time [holdtime time] (Active/Active)
  • Configuring a virtual MAC address for an interface. 
    failover mac address interface active-mac standby-mac (Active/Standby)
    mac address interface active-mac standby-mac (Active/Active)
  • Configuring monitored interfaces:
    [no] monitor-interface {nameif | service-module}
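Example of turning the knobs above on an Active/Standby pair, added here rather than taken from the notes. The nameifs (outside, inside, management), interface names and MAC addresses are constructed; the poll and hold values are chosen to respect the 3x rule stated above.

```cisco
! Unit health: poll every 500 ms, declare the peer down after 2 s
! (hold time must be at least 3x the unit poll time; 2 s >= 3 x 0.5 s)
failover polltime unit msec 500 holdtime 2
! Interface health: poll every 3 s, hold 15 s (defaults are 5 s / 25 s)
failover polltime interface 3 holdtime 15
! Don't fail over on a single interface failure; require 2 monitored
! interfaces down (a percentage works too: failover interface-policy 50%)
failover interface-policy 2
! Virtual MACs: the active MAC is fixed per interface rather than being the
! burned-in MAC of whichever unit is active (constructed locally administered
! addresses)
failover mac address GigabitEthernet0/0 0200.0000.0001 0200.0000.0002
failover mac address GigabitEthernet0/1 0200.0000.0003 0200.0000.0004
! Monitor only the interfaces that matter; every physical interface is
! monitored by default, so the management interface is excluded explicitly
no monitor-interface management
monitor-interface outside
monitor-interface inside
! Enable HTTP state replication and block config changes on the standby
failover replication http
failover standby config-lock
```

show monitor-interface confirms which interfaces count towards the interface-policy threshold, and show running-config failover shows the resulting poll and hold times.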

 

Helpful commands:

  • Force failover:
    On the standby unit- 
    failover active (Active/Standby)
    failover active [group num] (Active/Active)
    On the active unit - 
    no failover active (Active/Standby)
    no failover active [group num] (Active/Active)
  • Disable failover on one or both units until you reload:
    no failover
    If you would like this to remain permanent, write mem
  • Reset a failed unit to unfailed state:
    failover reset (Active/Standby)
    failover reset [group num] (Active/Active)
  • Resync config: 
    write standby
  • To execute a command remotely on the active unit, the mate, or the standby unit. Note: this cannot be used to changeto a different context or to run debugs on the peer:
    failover exec {active | mate | standby} commands
  • Debug failover messages:
    debug fover

Show commands:

  • show conn count
  • show failover
  • show failover exec
  • show failover exec mate
  • show failover group
  • show monitor-interface
  • show running-config failover