
Cisco ASA – Fault Tolerance with 2 firewalls –
ACTIVE / STANDBY and ACTIVE / ACTIVE
Asymmetric routing prevention

For fault tolerance the ASA offers two solutions: Active/Standby and Active/Active. Active/Standby is simpler to operate; Active/Active provides not only redundancy but load sharing as well, at the cost of a more expensive license (it requires multiple context mode). In this article we compare them and see how to configure each.




Before going over the configuration, a couple of things need explaining. As a fault tolerance solution on the ASA we have two choices: ACTIVE/STANDBY, which means that only one device forwards packets at a given moment, and ACTIVE/ACTIVE, in which both devices forward packets. ACTIVE/ACTIVE provides load sharing and, importantly, requires multiple context mode (virtual contexts): the two units split the contexts between them, so each unit is active for some contexts and standby for the others.
To check each other's health, the ASAs exchange hello messages over the failover link; by default the unit poll time is 1 s and the hold time is 15 s (if no hello arrives within the hold time, the peer is declared failed). The ASAs usually use two links to synchronise, replicate configuration and check whether the peer is still active:

STATEFUL LINK – used to replicate connection state: TCP/UDP connections (HTTP sessions only with "failover replication http", see below), the ARP table, the VPN peer table, etc. This link is not used by default: without it a failover keeps the configuration but every established session is lost. From version 8.4(1) dynamic routing information is also replicated as stateful information.

FAILOVER LINK – changes made on the ACTIVE ASA (IP addresses, NAT, ACLs, RSA keys, certificates, etc.) are replicated to the STANDBY ASA on the fly via this link, and the units exchange their hellos over it. Some things are not replicated and have to be configured or installed on each unit separately: DHCP server lease bindings, phone proxy state and anything held on hardware modules, even when the same module is installed in both units.

STATEFUL and FAILOVER links may share the same physical link! In either case treat the link as a trusted segment (a dedicated port or VLAN, never a user-facing network) and set a failover key (below): without it the failover traffic, including the replicated configuration with its RSA keys and certificates, is sent in clear text.


ACTIVE/STANDBY Configuration:



ASA 1 Primary – Active

We have two sets of IP addresses: the active unit uses the "system" IP addresses (the real addresses of the pair) and the standby unit uses the "standby" IP addresses. If the active unit fails, the standby unit takes over the system IP addresses and the MAC addresses as well, so the ARP caches of the neighbouring devices stay valid. Each data interface also needs its usual nameif and security-level:

int gig0/1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
int gig0/2
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
int gig0/0
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.172

Let's define the FAILOVER link named fail-1 (this interface is dedicated to failover and gets no nameif):
failover lan interface fail-1 gig0/3
failover interface ip fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key itbundle

and the STATEFUL link named fail-2:
failover link fail-2 gig0/4
failover interface ip fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2

We also want the ASA to replicate HTTP sessions via the STATEFUL link (they are not replicated by default):
failover replication http

We set this ASA up as PRIMARY (Active):
failover lan unit primary

Let's change the prompt so that it shows the unit's priority and failover state:
prompt hostname priority state

and enable the feature:
failover

ASA 2 Secondary – Standby
On the secondary ASA we only define the FAILOVER link (same addresses and the same failover key; each unit picks its own address from its role), mark the unit as secondary (Standby) and enable failover with the "failover" command. The rest of the configuration is replicated from the primary.

failover lan interface fail-1 gig0/3
failover interface ip fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key itbundle

failover lan unit secondary
failover


ACTIVE/ACTIVE Configuration:

Before going further, if you are not familiar with multiple mode and contexts on the ASA I recommend reading this article http://itbundle.net/archives/3769, because familiarity with firewall virtualization is crucial if you are going to deploy ACTIVE/ACTIVE mode.


WE CONFIGURE PRIMARY ASA:

mode multiple
wr

changeto system

We have to create the contexts and allocate the physical interfaces to them under context-local names. Note that the same physical interfaces are shared by both contexts, which is why each context will need its own MAC addresses below:

context cxt-1
config-url disk0:/cxt-1.cfg
allocate-interface GigabitEthernet0 cxt_1_outside invisible
allocate-interface GigabitEthernet1 cxt_1_inside invisible
allocate-interface GigabitEthernet2 cxt_1_dmz invisible

context cxt-2
config-url disk0:/cxt-2.cfg
allocate-interface GigabitEthernet0 cxt_2_outside invisible
allocate-interface GigabitEthernet1 cxt_2_inside invisible
allocate-interface GigabitEthernet2 cxt_2_dmz invisible


Now we assign IP addresses and names and, very importantly, MAC addresses. Because both contexts share the same physical interfaces, the ASA uses the destination MAC address to decide which context an incoming packet belongs to, so every context interface on a shared physical interface needs a unique MAC. Instead of assigning them by hand you can enable "mac-address auto" in the system execution space.

changeto context cxt-1

interface cxt_1_outside
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.181
mac-address 0000.1111.1111
nameif OUTSIDE
no shutdown

interface cxt_1_inside
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
nameif INSIDE
mac-address 0000.1111.2222
no shutdown

interface cxt_1_dmz
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
nameif DMZ
mac-address 0000.1111.3333
no shutdown

changeto context cxt-2

interface cxt_2_outside
ip address 192.168.1.172 255.255.255.0 standby 192.168.1.182
nameif OUTSIDE
mac-address 0000.2222.1111
no shutdown

interface cxt_2_inside
ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
nameif INSIDE
mac-address 0000.2222.2222
no shutdown

interface cxt_2_dmz
ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
nameif DMZ
mac-address 0000.2222.3333
no shutdown

changeto system

There is no preemption by default, so we have to force it: after a failed unit comes back, "preempt" makes it take its failover group back (here after a 120 second delay, so that the returning unit has time to settle).

failover group 1
primary
preempt 120

failover group 2
secondary
preempt 120

We have to join each context to the appropriate failover group, because by default both contexts are placed in "failover group 1" (which would leave one unit carrying all the traffic):

context cxt-1
join-failover-group 1

context cxt-2
join-failover-group 2

Setting up the failover link and the stateful link is the same as for Active/Standby:

failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover link fail-stateful GigabitEthernet4
failover interface ip fail-stateful 2.2.2.1 255.255.255.252 standby 2.2.2.2

Changing the prompt (in multiple mode we also want to see the context name):

prompt hostname priority context state

Enabling the feature:

failover


We configure ASA Secondary:

mode multiple
wr

failover lan unit secondary

int gig3
no shut

failover lan interface fail-config GigabitEthernet3
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover


Let's check whether both ASAs have converged with the command "show failover state" ("show failover" additionally shows the monitored interfaces, the stateful link statistics and the mate's software version). The primary should report Active, the secondary Standby Ready, and the configuration state should be Sync Done; anything else (Failed, Cold Standby, Sync Skipped) means the pair is not protecting you yet.
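A small parser for that check, as an added example (not part of the original article and not a Cisco tool): it reads "show failover state" output, extracts each unit's role and state, and returns a list of problems so the check can run from a monitoring job instead of by eye. The two sample outputs are constructed to resemble the ASA 8.4 layout and the list of state names is an assumption.

```python
"""Parse Cisco ASA 'show failover state' output and report an unhealthy pair.
Added example; sample outputs below are constructed, not captured from a device."""
import re

# Constructed sample: healthy pair (assumed to mirror the 8.4 output layout).
SAMPLE_HEALTHY = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             10:20:31 UTC Jan 5 2012

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""

# Constructed sample: the secondary lost an interface and config sync was skipped.
SAMPLE_BROKEN = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Ifc Failure              10:25:02 UTC Jan 5 2012
               outside: No Link

====Configuration State===
        Sync Skipped
====Communication State===
        Mac set
"""

HOST_RE = re.compile(r"^(This host|Other host)\s+-\s+(Primary|Secondary)\s*$")
# Longer state names first so 'Active' does not swallow 'Active Drain'. The set is an assumption.
STATE_RE = re.compile(
    r"^\s+(Active Applying Config|Active Config Applied|Active Drain|Just Active|"
    r"Standby Ready|Cold Standby|Sync File System|Sync Config|Bulk Sync|"
    r"Negotiation|Disabled|Failed|Active)\s*(.*)$"
)
HEALTHY_STATES = {"Active", "Standby Ready"}


def parse_failover_state(text):
    """Return {'hosts': {name: {role, state, reason}}, 'config_sync': str|None}."""
    hosts, section, current, config_sync = {}, None, None, None
    for line in text.splitlines():
        if line.startswith("===="):            # '====Configuration State===' etc.
            section, current = line.strip("= "), None
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": None, "reason": None}
            continue
        if current is not None and hosts[current]["state"] is None:
            m = STATE_RE.match(line)           # first line after the host line carries the state
            if m:
                hosts[current]["state"] = m.group(1)
                # Rest of the line is 'Last Failure Reason' and a date, separated by 2+ spaces.
                hosts[current]["reason"] = re.split(r"\s{2,}", m.group(2).strip())[0] or None
            continue
        if section == "Configuration State" and line.strip():
            config_sync = line.strip()
    return {"hosts": hosts, "config_sync": config_sync}


def failover_problems(parsed):
    """List human-readable problems; an empty list means the pair looks healthy."""
    problems = []
    hosts = parsed["hosts"]
    if set(hosts) != {"This host", "Other host"}:
        problems.append("expected exactly two units in the output")
    states = [h["state"] for h in hosts.values()]
    if states.count("Active") != 1:
        problems.append(f"expected exactly one Active unit, got {states}")
    for name, h in hosts.items():
        if h["state"] not in HEALTHY_STATES:
            problems.append(f"{name} ({h['role']}) is {h['state']}: {h['reason']}")
    if parsed["config_sync"] != "Sync Done":
        problems.append(f"configuration not synchronised: {parsed['config_sync']}")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("broken", SAMPLE_BROKEN)):
        print(label, failover_problems(parse_failover_state(sample)) or "OK")
```

Feed it the real output (for example over SSH with a library of your choice) and alert on a non-empty list; the "Last Failure Reason" column is historical, so it is only reported when the unit's current state is unhealthy.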


ASYMMETRIC ROUTING ISSUE

Asymmetric routing occurs when there are two paths out of the network. With Active/Active we definitely have to deal with it, because we have two active gateways: one per context, each active on a different unit. A packet leaves one ASA towards, let's say, a server, but the returning packets are directed to the second ASA. Because the second ASA knows nothing about the initial flow (it has no connection for it in its state table), the packet is dropped as an out-of-state packet. We can prevent this by putting the matching interfaces into the same asr-group (asymmetric routing group): when a packet arrives on an asr-group interface and matches no connection, the ASA looks the session up on the other interfaces in the same group, including those of the context that is standby on this unit, and if one of them owns the session the packet is handed to the unit that is active for it instead of being dropped. This relies on the replicated session table, so stateful failover (the stateful link configured above) is mandatory here.

The interfaces playing the same role in both contexts must share an asr-group: OUTSIDE in group 1, INSIDE in group 2 and DMZ in group 3.

changeto context cxt-1

interface cxt_1_outside
asr-group 1
interface cxt_1_inside
asr-group 2
interface cxt_1_dmz
asr-group 3

changeto context cxt-2

interface cxt_2_outside
asr-group 1
interface cxt_2_inside
asr-group 2
interface cxt_2_dmz
asr-group 3
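Three of the mistakes described in this article are easy to make by hand and silent until a failover: a shared physical interface whose context interfaces lack unique MAC addresses, a standby address outside the active subnet, asr-groups that do not line up across contexts, and both contexts left in failover group 1. The following added example (my own, not the article's or Cisco's tooling) lints a design expressed as a small Python data model (the model itself is an assumption) before it is typed into the ASAs; the first dataset is the configuration from this article.

```python
"""Lint an ASA Active/Active multiple-context design for the pitfalls the article
describes. Added example; the data model is an assumption, not an ASA format."""
import copy
import ipaddress
from collections import defaultdict

# The article's two contexts: shared physical interfaces, per-context MACs, asr-groups.
ARTICLE_CONTEXTS = {
    "cxt-1": {"failover_group": 1, "interfaces": [
        {"physical": "GigabitEthernet0", "nameif": "OUTSIDE", "ip": "192.168.1.171/24",
         "standby": "192.168.1.181", "mac": "0000.1111.1111", "asr_group": 1},
        {"physical": "GigabitEthernet1", "nameif": "INSIDE", "ip": "10.0.0.1/24",
         "standby": "10.0.0.2", "mac": "0000.1111.2222", "asr_group": 2},
        {"physical": "GigabitEthernet2", "nameif": "DMZ", "ip": "172.16.0.1/24",
         "standby": "172.16.0.2", "mac": "0000.1111.3333", "asr_group": 3},
    ]},
    "cxt-2": {"failover_group": 2, "interfaces": [
        {"physical": "GigabitEthernet0", "nameif": "OUTSIDE", "ip": "192.168.1.172/24",
         "standby": "192.168.1.182", "mac": "0000.2222.1111", "asr_group": 1},
        {"physical": "GigabitEthernet1", "nameif": "INSIDE", "ip": "10.2.2.1/24",
         "standby": "10.2.2.2", "mac": "0000.2222.2222", "asr_group": 2},
        {"physical": "GigabitEthernet2", "nameif": "DMZ", "ip": "172.16.2.1/24",
         "standby": "172.16.2.2", "mac": "0000.2222.3333", "asr_group": 3},
    ]},
}


def lint(contexts):
    """Return a list of findings; an empty list means the design passes these checks."""
    problems = []
    users = defaultdict(list)        # physical interface -> [(context, interface)]
    group_names = defaultdict(set)   # asr_group -> set of nameifs placed in it
    name_groups = defaultdict(set)   # nameif -> set of asr_groups it appears in
    for ctx, cfg in contexts.items():
        if cfg["failover_group"] not in (1, 2):
            problems.append(f"{ctx}: failover group must be 1 or 2")
        for i in cfg["interfaces"]:
            users[i["physical"]].append((ctx, i))
            iface = ipaddress.ip_interface(i["ip"])
            standby = ipaddress.ip_address(i["standby"])
            # Standby address must be a different host in the active interface's subnet.
            if standby not in iface.network or standby == iface.ip:
                problems.append(f"{ctx}/{i['nameif']}: standby {standby} is not a distinct host in {iface.network}")
            if i.get("asr_group") is not None:
                group_names[i["asr_group"]].add(i["nameif"])
                name_groups[i["nameif"]].add(i["asr_group"])
    # A physical interface shared by several contexts needs a unique MAC per context.
    for phys, members in users.items():
        if len(members) < 2:
            continue
        seen = set()
        for ctx, i in members:
            mac = i.get("mac")
            if not mac:
                problems.append(f"{ctx}/{i['nameif']}: shared {phys} needs a unique mac-address")
            elif mac in seen:
                problems.append(f"{ctx}/{i['nameif']}: mac-address {mac} reused on shared {phys}")
            seen.add(mac)
    # Interfaces with the same role must share one asr-group, and a group holds one role.
    for g, names in group_names.items():
        if len(names) > 1:
            problems.append(f"asr-group {g} mixes {sorted(names)}; return traffic may match the wrong interface")
    for n, groups in name_groups.items():
        if len(groups) > 1:
            problems.append(f"{n} is split across asr-groups {sorted(groups)}")
    # Load sharing needs the contexts spread over both failover groups.
    groups_used = {cfg["failover_group"] for cfg in contexts.values()}
    if len(contexts) > 1 and len(groups_used) == 1:
        problems.append(f"all contexts in failover group {groups_used.pop()}: one unit carries all traffic")
    return problems


def broken_variant():
    """The article's design with four deliberate mistakes injected, for demonstration."""
    b = copy.deepcopy(ARTICLE_CONTEXTS)
    b["cxt-2"]["interfaces"][0].pop("mac")             # no MAC on shared OUTSIDE
    b["cxt-2"]["interfaces"][1]["standby"] = "10.2.3.2"  # standby outside the subnet
    b["cxt-2"]["interfaces"][2]["asr_group"] = 1       # DMZ put in the OUTSIDE group
    b["cxt-2"]["failover_group"] = 1                   # both contexts on one unit
    return b


if __name__ == "__main__":
    print("article design:", lint(ARTICLE_CONTEXTS) or "OK")
    for finding in lint(broken_variant()):
        print("broken design:", finding)
```

The asr-group check is deliberately two-sided: a group that mixes roles and a role that is split across groups are both reported, because either one means a returning packet can be matched against the wrong interface or not matched at all.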
