Tuesday, January 17, 2017

ASA Active/Active failover

The ASAs run in routed, multiple-context mode. For Active/Active failover both ASAs must be similar in hardware and configuration: both firewalls must be in the same operating mode and context mode, and run the same major and minor software versions.

Two contexts named Ctx-1 and Ctx-2 are used. Ctx-1 is the admin context.

admin-context Ctx-1
context Ctx-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/Ctx-1.cfg
  join-failover-group 1
!

context Ctx-2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  config-url disk0:/Ctx-2.cfg
  join-failover-group 2
!

Primary Active ASA configuration:

failover group 1
  preempt 120
failover group 2
  secondary
  preempt 120


failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover

As on the primary, the secondary ASA runs in routed, multiple-context mode and must be similar in hardware and configuration for Active/Active failover. Ensure that no context configuration (.cfg) files already exist on the secondary; otherwise the replicated running config is merged with the existing file.

In system context, "no shut" the interfaces used for failover.

Secondary Active ASA configuration:

failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover

In the system execution space, allocate the interfaces to the contexts and "no shut" them. Change the prompt to display the current context and priority:

prompt hostname context priority
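
As an added example that is not part of the original post, the following Python check parses the two system-context configurations above and reports the mismatches that would keep the pair from forming: both units claiming the same role, failover link interfaces or IPs that differ between the units, `failover` missing on one unit, a context that has not joined failover group 1 or 2, or a context that allocates the failover link interface. The embedded configs are constructed copies of the page's, and `parse_system` / `check_pair` are names chosen here.

```python
import re
# Constructed system-context configs mirroring the page; the secondary differs only in role.
PRIMARY = """\
admin-context Ctx-1
context Ctx-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  join-failover-group 1
context Ctx-2
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  join-failover-group 2
failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
"""
SECONDARY = PRIMARY.replace("failover lan unit primary", "failover lan unit secondary")

def parse_system(cfg):
    """Extract the failover-relevant facts from an ASA system-context config."""
    unit = re.search(r"^failover lan unit (\S+)", cfg, re.M)
    contexts = {}  # name -> (allocated interfaces, failover group or None)
    for block in re.split(r"^context ", cfg, flags=re.M)[1:]:
        grp = re.search(r"join-failover-group (\d)", block)
        contexts[block.split("\n", 1)[0].strip()] = (
            set(re.findall(r"allocate-interface (\S+)", block)), grp and grp.group(1))
    return {"unit": unit and unit.group(1),
            "links": set(re.findall(r"^failover (?:lan interface|link) \S+ (\S+)", cfg, re.M)),
            "ips": set(re.findall(r"^failover interface ip .*$", cfg, re.M)),
            "enabled": bool(re.search(r"^failover$", cfg, re.M)), "contexts": contexts}

def check_pair(primary_cfg, secondary_cfg):
    """Return findings that would stop Active/Active failover; [] means consistent."""
    p, s = parse_system(primary_cfg), parse_system(secondary_cfg)
    findings = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append("unit roles must be exactly one primary and one secondary")
    if p["links"] != s["links"] or p["ips"] != s["ips"]:
        findings.append("failover link interfaces or IPs differ between the units")
    if not (p["enabled"] and s["enabled"]):
        findings.append("'failover' is not enabled on both units")
    for name, (ifaces, group) in p["contexts"].items():
        if group not in ("1", "2"):
            findings.append(f"context {name} has no join-failover-group 1 or 2")
        if ifaces & p["links"]:
            findings.append(f"context {name} allocates a failover link interface")
    return findings
```

Run `check_pair` against the `show running-config` output of each unit's system context before issuing `failover` on the secondary.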

Once the secondary ASA detects its active mate, the configuration is replicated from the primary to the secondary. Any further changes need to be made on the primary firewall.

ASA1/sec> .

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'Ctx-2' (2)... Done
Removing context 'Ctx-1' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces

Creating context 'Ctx-1'... Done. (3)

WARNING: Skip fetching the URL disk0:/Ctx-1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'Ctx-2'... Done. (4)

WARNING: Skip fetching the URL disk0:/Ctx-2.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment

        Group 1 Detected Active mate

        Group 2 Detected Active mate
End configuration replication from mate.

INFO: UC-IME is enabled, issuing 1000 free TLS licenses for UC-IME

INFO: Issuing "tls-proxy maximum-sessions 11000" command due to license change
INFO: UC proxy will be limited to maximum of 10000 sessions by the UC Proxy license on the device

INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot