Document ID: 77809

PIX/ASA Active/Standby Failover Configuration Example


Contents
Introduction
Prerequisites
  Requirements
  Components Used
  Related Products
  Conventions
Active/Standby Failover
  Active/Standby Failover Overview
  Primary/Secondary Status and Active/Standby Status
  Device Initialization and Configuration Synchronization
  Command Replication
  Failover Triggers
  Failover Actions
  Regular and Stateful Failover
    Regular Failover
    Stateful Failover
Cable-Based Active/Standby Failover Configuration (PIX Security Appliance Only)
  Network Diagram
  Configurations
LAN-Based Active/Standby Failover Configuration
  Network Diagram
  Primary Unit Configuration
  Secondary Unit Configuration
  Configurations
Verify
  Use of the show failover Command
  View of Monitored Interfaces
  Display of the Failover Commands in the Running Configuration
  ASA Failover Email Alert Configuration
  Failover Functionality Tests
  Forced Failover
  Disabled Failover
  Restoration of a Failed Unit
  Replace the Failed Unit with a New Unit
Troubleshoot
  Failover Monitoring
  Unit Failure
  LU allocate connection failed
  Primary Lost Failover communications with mate on interface interface_name
  Failover System Messages
  Debug Messages
  SNMP
  NAT 0 Issue
  Failover Polltime
  Export Certificate/Private Key in Failover Configuration
  WARNING: Failover message decryption failure.
  ASA Modules Failover
  Failover message block alloc failed
  AIP Module Failover Problem
  Unable to Upgrade the ASA Failover Pair from Ethernet Card to Optical Interface
  ERROR: Failover cannot be configured while the local CA server is configured.
  %ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed
  Known Issues
Cisco Support Community - Featured Conversations
Related Information

Introduction
Failover is a backup operational mode in which the functions of a system component (such as a processor, server, network, or database, for example) are assumed by secondary system components when the primary component becomes unavailable through either failure or scheduled down time.

The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network.

Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.

This document focuses on how to configure an Active/Standby Failover in PIX Security Appliance.

Note: VPN failover is not supported on units that run in multiple context mode, because VPN itself is not supported in multiple context mode. VPN failover is available only for Active/Standby Failover configurations in single context mode.

Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other.

The interface used for failover must have at least the same capacity as the interfaces that pass regular traffic. While the data interfaces on the ASA 5540 are Gigabit Ethernet, the management interface is FastEthernet only; it is designed for management traffic only and is specified as management0/0.

However, you can use the management-only command in order to configure any interface to be a management-only interface. Also, for Management 0/0, you can disable management-only mode so that the interface can pass through traffic just like any other interface. For more information about the management-only command, refer to Cisco Security Appliance Command Reference, Version 8.0.

This configuration guide provides a sample configuration and a brief introduction to the PIX/ASA 7.x Active/Standby technology. Refer to the ASA/PIX Command Reference Guide for a more in-depth treatment of the theory behind this technology.


Prerequisites
Requirements
Hardware Requirement
The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM.


Note: The two units do not need to have the same size Flash memory. If you use units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory fails.


Software Requirement
The two units in a failover configuration must be in the same operational modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version, but you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend that you upgrade both units to the same version to ensure long-term compatibility.

Refer to the Performing Zero Downtime Upgrades for Failover Pairs section of Cisco Security Appliance Command Line Configuration Guide, Version 8.0 for more information about upgrading the software on a failover pair.

License Requirements
On the PIX security appliance platform, at least one of the units must have an unrestricted (UR) license.

Note: It might be necessary to upgrade the licenses on a failover pair in order to obtain additional features and benefits. For more information on upgrading, refer to License Key Upgrade on a Failover Pair.


Note: The licensed features (such as SSL VPN peers or security contexts) on both security appliances that participate in failover must be identical.


Components Used
The information in this document is based on the PIX Security Appliance with version 7.x and above.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Related Products
This configuration can also be used with the ASA Security Appliance with version 7.x and above.


Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.


Active/Standby Failover
This section describes Active/Standby Failover and includes these topics:

Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions

Active/Standby Failover Overview


Active/Standby Failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for a transparent firewall, the management IP address) and MAC addresses of the failed unit and begins to pass traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Note: For multiple context mode, the security appliance can fail over the entire unit (which includes all contexts) but cannot fail over individual contexts separately.


Primary/Secondary Status and Active/Standby Status


The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses each unit uses and which unit actively passes traffic.

A few differences exist between the units based on which unit is primary (as specified in the configuration) and which unit is secondary:

The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).

The primary unit MAC address is always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active and cannot obtain the primary MAC address over the failover link. In this case, the secondary MAC address is used.


Device Initialization and Configuration Synchronization


Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations are always synchronized from the active unit to the standby unit. When the standby unit completes its initial startup, it clears its running configuration (except for the failover commands that are needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

The active unit is determined by these rules:

If a unit boots and detects a peer already operative as active, it becomes the standby unit.

If a unit boots and does not detect a peer, it becomes the active unit.

If both units boot simultaneously, the primary unit becomes the active unit, and the secondary unit becomes the standby unit.


Note: If the secondary unit boots and does not detect the primary unit, it becomes the active unit. It uses its own MAC addresses for the active IP addresses. When the primary unit becomes available, the secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. In order to avoid this, configure the failover pair with virtual MAC addresses. See the Configuring Active/Standby Failover section of this document for more information.

When the replication starts, the security appliance console on the active unit displays the message "Beginning configuration replication: Sending to mate," and, when it is complete, the security appliance displays the message "End Configuration Replication to mate." During replication, commands entered on the active unit cannot replicate properly to the standby unit, and commands entered on the standby unit can be overwritten by the configuration that is replicated from the active unit. Do not enter commands on either unit in the failover pair while configuration replication is in progress. Depending on the size of the configuration, replication can take from a few seconds to several minutes.


From the secondary unit, you can observe the replication message (as it synchronizes) from the primary unit:


pix> .
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
pix>
On the standby unit, the configuration exists only in running memory. In order to save the configuration to Flash memory after synchronization, enter these commands:

For single context mode, enter the copy running-config startup-config command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.

For multiple context mode, enter the copy running-config startup-config command on the active unit from the system execution space and from within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit, where they become available when the unit reloads.


Command Replication
Command replication always flows from the active unit to the standby unit. As commands are entered on the active unit, they are sent across the failover link to the standby unit. You do not have to save the active configuration to Flash memory to replicate the commands.

Note: Changes made on the standby unit are not replicated to the active unit. If you enter a command on the standby unit, the security appliance displays the message **** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. This message is displayed even if you enter commands that do not affect the configuration.


If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

For multiple context mode, when you enter the write standby command in the system execution space, all contexts are replicated. If you enter the write standby command within a context, the command replicates only the context configuration.

Replicated commands are stored in the running configuration. In order to save the replicated commands to the Flash memory on the standby unit, enter these commands:

For single context mode, enter the copy running-config startup-config command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
For multiple context mode, enter the copy running-config startup-config command on the active unit from the system execution space and from within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit.

Failover Triggers

The unit can fail if one of these events occurs:

The unit has a hardware failure or a power failure.



The unit has a software failure.



Too many monitored interfaces fail.



The no failover active command is entered on the active unit, or the failover active command is entered on the standby unit.

Failover Actions
In Active/Standby Failover, failover occurs on a unit basis. Even on systems that run in multiple context mode, you cannot fail over individual contexts or groups of contexts.

This table shows the failover action for each failure event. For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions. The table shows the failover behavior.

Failure Event | Policy | Active Action | Standby Action | Notes
Active unit failed (power or hardware) | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link.
Formerly active unit recovers | No failover | Become standby | No action | None
Standby unit failed (power or hardware) | No failover | Mark standby as failed | n/a | When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.
Failover link failed within operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You must restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both units become active.
Stateful failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Interface failure on active unit above threshold | Failover | Mark active as failed | Become active | None
Interface failure on standby unit above threshold | No failover | Mark standby as failed | No action | When the standby unit is marked as failed, the active unit does not attempt to fail over even if the interface failure threshold is surpassed.
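The boot-time election rules from the Device Initialization section and the failover-action table above, simulated as an added example written for this page (it is not Cisco code). The unit names, the constructed MAC values, the event names and the default threshold of one failed interface are assumptions; event() returns the Policy column of the table for each event, and the MAC fields show why the page recommends virtual MAC addresses.

```python
from dataclasses import dataclass


@dataclass
class Unit:
    role: str               # "primary" or "secondary", as set in the configuration
    mac: str                # burned-in MAC address (constructed sample value)
    state: str = "down"     # down | active | standby | failed
    failed_ifaces: int = 0  # monitored interfaces currently failed
    mac_in_use: str = ""    # MAC currently paired with the active IP addresses


class FailoverPair:
    def __init__(self, threshold=1, virtual_mac=None):
        # Burned-in MACs are constructed sample values for the illustration.
        self.units = {"primary": Unit("primary", "00aa.0000.0001"),
                      "secondary": Unit("secondary", "00aa.0000.0002")}
        self.threshold = threshold      # failed interfaces that trigger failover
        self.virtual_mac = virtual_mac  # configured virtual MAC, if any
        self.failover_link_up = True

    def unit_in(self, state):
        return next((u for u in self.units.values() if u.state == state), None)

    def _make_active(self, u):
        u.state = "active"
        primary = self.units["primary"]
        # The active IPs pair with the primary MAC, unless a virtual MAC is set
        # or an active secondary could not learn the primary MAC over the link.
        if self.virtual_mac:
            u.mac_in_use = self.virtual_mac
        elif u.role == "primary" or (self.failover_link_up and primary.state != "down"):
            u.mac_in_use = primary.mac
        else:
            u.mac_in_use = u.mac

    def boot(self, role):
        """Election rules for one unit starting up; returns its resulting state."""
        u = self.units[role]
        if not self.failover_link_up:
            self._make_active(u)        # link down at startup: both units go active
        elif self.unit_in("active") is not None:
            u.state = "standby"         # a peer is already operative as active
        else:
            self._make_active(u)        # no peer detected
        # A primary that appears later re-pairs the active IPs with its own MAC,
        # the traffic interruption the page warns about (a virtual MAC avoids it).
        act = self.unit_in("active")
        if (act is not None and act.role == "secondary" and not self.virtual_mac
                and self.units["primary"].state != "down"):
            act.mac_in_use = self.units["primary"].mac
        return u.state

    def boot_both(self):
        """Simultaneous boot: the primary becomes active, the secondary standby."""
        self._make_active(self.units["primary"])
        self.units["secondary"].state = "standby"
        return self.units["primary"].state, self.units["secondary"].state

    def _try_failover(self, act, active_is_gone):
        """Hand over to the standby unit if one is healthy and the link is up."""
        sby = self.unit_in("standby")
        if active_is_gone:
            act.state = "failed"        # no hellos on any interface or the link
        if sby is None or not self.failover_link_up:
            return "no failover"        # standby marked failed, or link down
        act.state = "failed"
        self._make_active(sby)
        return "failover"

    def event(self, name, role=None):
        """Apply one failure event from the page's table; returns the policy."""
        u = self.units.get(role)
        if name == "unit_failed":       # power or hardware failure
            if u.state == "active":
                return self._try_failover(u, active_is_gone=True)
            u.state = "failed"          # a failed standby never triggers failover
            return "no failover"
        if name == "unit_recovers":     # formerly active unit returns as standby
            u.state, u.failed_ifaces = "standby", 0
            return "no failover"
        if name == "interface_failed":
            u.failed_ifaces += 1
            if u.failed_ifaces < self.threshold:
                return "no failover"
            if u.state == "active":
                return self._try_failover(u, active_is_gone=False)
            if u.state == "standby":
                u.state = "failed"      # above threshold on standby: marked failed only
            return "no failover"
        if name == "failover_link_failed":
            self.failover_link_up = False   # both units mark the failover interface failed
            return "no failover"
        if name == "stateful_link_failed":
            return "no failover"        # state goes stale; sessions drop on a failover
        raise ValueError(f"unknown event {name}")
```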

Regular and Stateful Failover


The security appliance supports two types of failover, regular and stateful. This section includes these topics:


Regular Failover
Stateful Failover

Regular Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.


Stateful Failover
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes these:

The NAT translation table The TCP connection states The UDP connection states The ARP table The Layer 2 bridge table (when it runs in the transparent firewall mode) The HTTP connection states (if HTTP replication is enabled) The ISAKMP and IPSec SA table The GTP PDP connection database

The information that is not passed to the standby unit when stateful failover is enabled includes these:

Informaiile care nu sunt vehiculate catre unitatea de ateptare atunci cnd este activat failover dinamic include urmatoarele:
The HTTP connection table (unless HTTP replication is enabled) The user authentication (uauth) table The routing tables State information for security service modules

Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.


Cable-Based Active/Standby Failover Configuration (PIX Security Appliance Only)

Network Diagram
This document uses this network setup:

Note: Cable-based failover is available only on the PIX 500 Series Security Appliance.

In this section, you are presented with the information to configure the features described in this document.

Follow these steps to configure Active/Standby Failover with a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled "Primary" plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.

You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on.

Complete these steps in order to configure cable-based Active/Standby Failover:
1. Connect the failover cable to the PIX security appliances. Make sure that you attach the end of the cable marked "Primary" to the unit that you use as the primary unit, and that you attach the end of the cable marked "Secondary" to the other unit.

2. Power on the primary unit.


3. If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the stateful failover link if you use a dedicated stateful failover interface. You use the failover interface ip command to configure a dedicated stateful failover interface in a later step.

hostname(config-if)#ip address <active_addr> <netmask> standby <standby_addr>

In the example, the outside interface of the primary PIX is configured this way:

hostname(config-if)#ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2

Here, 172.16.1.1 is used for the primary unit outside interface IP address, and 172.16.1.2 is assigned to the secondary (standby) unit outside interface.

Note: In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.
4. In order to enable stateful failover, configure the stateful failover link.

a. Specify the interface to be used as the stateful failover link:

hostname(config)#failover link if_name phy_if

In this example the Ethernet2 interface is used to exchange the stateful failover link state information.

hostname(config)#failover link state Ethernet2

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface must not be used for any other purpose.

b. Assign an active and standby IP address to the stateful failover link:

hostname(config)#failover interface ip <if_name> <ip_addr> <mask> standby <ip_addr>

In this example, 10.0.0.1 is used as the active and 10.0.0.2 as the standby IP address for the stateful failover link.

hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

Note: If the stateful failover link uses a data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.

The stateful failover link IP address and MAC address do not change at failover unless they use a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

hostname(config)#interface phy_if
hostname(config-if)#no shutdown


5. Enable failover:

hostname(config)#failover

6. Power on the secondary unit and enable failover on the unit if it is not already enabled:

hostname(config)#failover

The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Beginning configuration replication: sending to mate" and "End Configuration Replication to mate" appear on the primary console.

Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

7. Save the configuration to Flash memory on the primary unit. Because the commands entered on the primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash memory.

hostname(config)#copy running-config startup-config

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
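The addressing rules stated in steps 3 and 4 (the standby address must be in the same subnet as the active address, and a dedicated stateful failover interface carries no ip address of its own) are easy to get wrong when the configuration is typed by hand. The following script is an added example, not part of the Cisco document or the PIX software: it parses the ip address ... standby and failover interface ip commands out of a saved running-config and reports violations. SAMPLE_CONFIG is constructed from the commands shown in the steps above; BAD_CONFIG is a constructed counter-example.

```python
"""Check the active/standby addressing rules stated in the steps above.

Added example; it is not part of the original Cisco document. It parses the
'ip address ... standby ...' and 'failover interface ip ...' commands out of a
running-config and checks three rules from the procedure: the standby address
must lie in the active address's subnet, the two must differ, and an interface
used as a dedicated failover link must not carry its own 'ip address'.
"""
import ipaddress
import re

# Constructed sample built from the commands shown in this document.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet2
 description STATE Failover Interface
!
failover
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""

# Constructed counter-example: wrong standby subnet on outside, and an
# 'ip address' placed directly on the dedicated stateful failover interface.
BAD_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 172.16.1.1 255.255.255.0 standby 172.16.2.2
!
interface Ethernet2
 ip address 10.0.0.1 255.0.0.0 standby 10.0.0.2
!
failover link state Ethernet2
"""

IP_ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")
FAILOVER_IP_RE = re.compile(
    r"^\s*failover interface ip (\S+) (\S+) (\S+) standby (\S+)\s*$")
FAILOVER_LINK_RE = re.compile(
    r"^\s*failover (?:link|lan interface) (\S+) (\S+)\s*$")


def parse_pairs(config):
    """Return (label, active, netmask, standby) tuples: interface stanzas are
    labelled with the physical interface name, failover links with the
    if_name given on 'failover interface ip'."""
    pairs = []
    current_if = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current_if = line.split()[1]
            continue
        m = IP_ADDR_RE.match(line)
        if m and current_if:
            pairs.append((current_if,) + m.groups())
            continue
        m = FAILOVER_IP_RE.match(line)
        if m:
            pairs.append(m.groups())
    return pairs


def dedicated_failover_interfaces(config):
    """Map phy_if -> if_name for every 'failover link' / 'failover lan
    interface' command, i.e. the interfaces reserved for failover."""
    links = {}
    for line in config.splitlines():
        m = FAILOVER_LINK_RE.match(line)
        if m:
            links[m.group(2)] = m.group(1)
    return links


def check_config(config):
    """Return a list of problems; an empty list means the rules hold."""
    problems = []
    dedicated = dedicated_failover_interfaces(config)
    for label, active, mask, standby in parse_pairs(config):
        if label in dedicated:
            problems.append(f"{label}: dedicated failover link "
                            f"'{dedicated[label]}' must not have its own "
                            "'ip address'; use 'failover interface ip'")
        try:
            net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
            standby_ip = ipaddress.IPv4Address(standby)
        except ValueError as exc:
            problems.append(f"{label}: cannot parse addresses: {exc}")
            continue
        if standby_ip == ipaddress.IPv4Address(active):
            problems.append(f"{label}: standby address equals active {active}")
        elif standby_ip not in net:
            problems.append(f"{label}: standby {standby} is not in the "
                            f"active subnet {net}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        issues = check_config(cfg)
        print(f"{name}: {'OK' if not issues else 'PROBLEMS'}")
        for issue in issues:
            print("  -", issue)
```

Run it against the output of show running-config saved to a file; the same check applies unchanged to the LAN-based configuration later in this document, since the failover lan interface command is matched alongside failover link.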

Configurations
This document uses these configurations:

PIX

pix#show running-config
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.

interface Ethernet2
 description STATE Failover Interface
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover link state Ethernet2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
!--- Output Suppressed

!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

LAN-Based Active/Standby Failover Configuration


Network Diagram
This document uses this network setup:

This section describes how to configure Active/Standby Failover with an Ethernet failover link. When you configure LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Note: Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units.

Primary Unit Configuration


Follow these steps to configure the primary unit in a LAN-based, Active/Standby Failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.

In order to configure the primary unit in an Active/Standby Failover pair, perform these steps:

1. If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the stateful failover link if you use a dedicated stateful failover interface. You use the failover interface ip command to configure a dedicated stateful failover interface in a later step.

hostname(config-if)#ip address active_addr netmask standby standby_addr

In this example, the outside interface of the primary PIX is configured this way:

hostname(config-if)#ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2

Here, 172.16.1.1 is used for the primary unit outside interface IP address, and 172.16.1.2 is assigned to the secondary (standby) unit outside interface.

Note: In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

2. (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)#failover lan enable

3. Designate the unit as the primary unit.

hostname(config)#failover lan unit primary

4. Define the failover interface.

a. Specify the interface to be used as the failover interface.

hostname(config)#failover lan interface if_name phy_if

In this documentation, "failover" (the interface name for Ethernet3) is used as the failover interface.

hostname(config)#failover lan interface failover Ethernet3

The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3.

b. Assign the active and standby IP address to the failover link:

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this documentation, to configure the failover link, 10.1.0.1 is used for the active unit, 10.1.0.2 for the standby unit, and "failover" is the interface name of Ethernet3.

hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

In the example, Ethernet3 is used for failover:

hostname(config)#interface ethernet3
hostname(config-if)#no shutdown


5. (Optional) In order to enable stateful failover, configure the stateful failover link.

a. Specify the interface to be used as the stateful failover link.

hostname(config)#failover link if_name phy_if

This example uses "state" as the interface name for Ethernet2 to exchange the stateful failover link state information:

hostname(config)#failover link state Ethernet2

Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface must not be used for any other purpose, except, optionally, as the failover link.

b. Assign an active and standby IP address to the stateful failover link.

Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this example, 10.0.0.1 is used as the active and 10.0.0.2 as the standby IP address for the stateful failover link.

hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The stateful failover link IP address and MAC address do not change at failover unless they use a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

Note: If the stateful failover link uses the failover link or data interface, skip this step. You have already enabled the interface.

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

For example, in this scenario, Ethernet2 is used for the stateful failover link:

hostname(config)#interface ethernet2
hostname(config-if)#no shutdown

6. Enable failover.

hostname(config)#failover

Note: Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.

7. Save the system configuration to Flash memory.

hostname(config)#copy running-config startup-config

Secondary Unit Configuration


The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

For multiple context mode, all steps are performed in the system execution space unless noted otherwise.

In order to configure the secondary unit, perform these steps:


1. (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)#failover lan enable

2. Define the failover interface. Use the same settings that you used for the primary unit.

a. Specify the interface to be used as the failover interface.

hostname(config)#failover lan interface if_name phy_if

In this documentation, "failover" (the interface name for Ethernet3) is used as the LAN failover interface.

hostname(config)#failover lan interface failover Ethernet3

The if_name argument assigns a name to the interface specified by the phy_if argument.

b. Assign the active and standby IP address to the failover link.

hostname(config)#failover interface ip if_name ip_addr mask standby ip_addr

In this documentation, to configure the failover link, 10.1.0.1 is used for the active unit, 10.1.0.2 for the standby unit, and "failover" is the interface name of Ethernet3.

hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.

c. Enable the interface.

hostname(config)#interface phy_if
hostname(config-if)#no shutdown

For example, in this scenario, Ethernet3 is used for failover.

hostname(config)#interface ethernet3
hostname(config-if)#no shutdown

3. (Optional) Designate this unit as the secondary unit.

hostname(config)#failover lan unit secondary

Note: This step is optional because, by default, units are designated as secondary unless previously configured.

4. Enable failover.

hostname(config)#failover

Note: After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages "Beginning configuration replication: Sending to mate" and "End Configuration Replication to mate" appear on the active unit console.

5. After the running configuration has completed replication, save the configuration to Flash memory.

hostname(config)#copy running-config startup-config

Configurations
This document uses these configurations: Primary PIX

pix#show running-config
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.
interface Ethernet2
 nameif state
 description STATE Failover Interface
!
interface ethernet3
 nameif failover
 description LAN Failover Interface
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end


Secondary PIX

pix#show running-config failover
failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
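The primary and secondary failover configurations above differ only in the unit role; everything else on the LAN failover link has to agree before the pair can form, while the remaining configuration (including the stateful link) is replicated from the active unit. The following Python pre-flight check is an added example, not code from the Cisco document: it parses the two show running-config failover snippets (embedded here as constructed sample input copied from the outputs above) and reports the mismatches that would keep the units from pairing. The function names and the returned structure are this example's own.

```python
# Constructed sample input, copied from the primary and secondary
# "show running-config failover" output shown above (not a live capture).
PRIMARY_FAILOVER_CFG = """\
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
"""

SECONDARY_FAILOVER_CFG = """\
failover
failover lan unit secondary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""


def parse_failover_cfg(cfg):
    """Pick the failover settings out of 'show running-config failover' text."""
    d = {"enabled": False, "unit": None, "lan_interface": None,
         "lan_enable": False, "key": None, "interface_ip": {}}
    for raw in cfg.splitlines():
        parts = raw.split()
        if parts == ["failover"]:
            d["enabled"] = True
        elif raw.startswith("failover lan unit "):
            d["unit"] = parts[3]
        elif raw.startswith("failover lan interface "):
            d["lan_interface"] = (parts[3], parts[4])   # (nameif, physical port)
        elif raw.strip() == "failover lan enable":       # present on the PIX configs above
            d["lan_enable"] = True
        elif raw.startswith("failover key "):
            d["key"] = parts[2]                          # masked as ****** in show output
        elif raw.startswith("failover interface ip "):
            # failover interface ip <nameif> <ip> <mask> standby <standby-ip>
            d["interface_ip"][parts[3]] = (parts[4], parts[5], parts[7])
    return d


def preflight_check(primary_cfg, secondary_cfg):
    """Return the mismatches that would stop the two units from forming a
    LAN-based failover pair. Only the LAN failover link settings are compared:
    the stateful link and the rest of the configuration are replicated from
    the active unit once the pair is up, so they may be absent on the secondary."""
    p, s = parse_failover_cfg(primary_cfg), parse_failover_cfg(secondary_cfg)
    problems = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        problems.append(f"unit roles must be primary/secondary, got {p['unit']}/{s['unit']}")
    if p["lan_interface"] != s["lan_interface"]:
        problems.append(f"failover lan interface differs: {p['lan_interface']} vs {s['lan_interface']}")
    if p["key"] != s["key"]:
        # A key mismatch is what produces "Failover message decryption failure".
        problems.append("failover key differs between units")
    if p["lan_enable"] != s["lan_enable"]:
        problems.append("failover lan enable is set on only one unit")
    if p["lan_interface"]:
        nameif = p["lan_interface"][0]
        if p["interface_ip"].get(nameif) != s["interface_ip"].get(nameif):
            problems.append(f"failover interface ip {nameif} differs between units")
    return problems
```

Run preflight_check against the two configurations above and an empty list comes back; swap the role of either unit, change the failover interface name, or type a different shared key on one side and the offending line is named. Because show output masks the key, compare the key only from the configuration you actually typed.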

Verify
Use of the show failover Command
This section describes the show failover command output. On each unit, you can verify the failover status with the show failover command.

Primary PIX

pix#show failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 06:07:44 UTC Dec 26 2006
        This host: Primary - Active
                Active time: 1905 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Secondary PIX

pix(config)#show failover
Failover On
Cable status: Normal
Failover unit Secondary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(1), Mate 7.2(1)
Last Failover at: 00:00:18 UTC Jan 1 1993
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Active time: 154185 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal

Stateful Failover Logical Update Statistics
        Link : state Ethernet2 (down)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Use the show failover state command to verify the state.

Primary PIX

pix#show failover state
====My State===
        Primary | Active |
====Other State===
        Secondary | Standby |
====Configuration State===
        Sync Done
====Communication State===
        Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
        Comm Failure

Secondary unit

pix#show failover state
====My State===
        Secondary | Standby |
====Other State===
        Primary | Active |
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:

In order to verify the IP addresses of the failover unit, use the show failover interface command.

Primary unit

pix#show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.1
                Other IP Address : 10.0.0.2

Secondary unit

pix#show failover interface
        interface state Ethernet2
                System IP Address: 10.0.0.1 255.0.0.0
                My IP Address    : 10.0.0.2
                Other IP Address : 10.0.0.1

View of Monitored Interfaces

In order to view the status of monitored interfaces: in single context mode, enter the show monitor-interface command in global configuration mode. In multiple context mode, enter show monitor-interface within a context.

Note: In order to enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode:

monitor-interface <if_name>

Primary PIX

pix(config)#show monitor-interface
        This host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal

Secondary PIX

pix(config)#show monitor-interface
        This host: Secondary - Standby Ready
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
        Other host: Primary - Active
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal

Note: If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.

Note: By default, monitoring of physical interfaces is enabled, and monitoring of subinterfaces is disabled.

Display of the Failover Commands in the Running Configuration

In order to view the failover commands in the running configuration, enter this command:

hostname(config)#show running-config failover

All of the failover commands are displayed. On units that run in multiple context mode, enter the show running-config failover command in the system execution space. Enter the command show running-config all failover to display the failover commands in the running configuration, including the commands for which you have not changed the default value.

ASA Failover Email Alert Configuration

Complete these steps in order to configure the email alert for failover:

1. hostname(config)#logging mail high-priority
2. hostname(config)#logging from-address xxx-001@example.com
3. hostname(config)#logging recipient-address admin@example.com
4. hostname(config)#smtp-server X.X.X.X

For a detailed description of these commands, refer to Sending Syslog Messages to an E-mail Address.

Failover Functionality Tests

In order to test failover functionality, perform these steps:

1. Test that your active unit or failover group passes traffic as expected with FTP (for example) to send a file between hosts on different interfaces.
2. Force a failover to the standby unit with this command:
   For Active/Standby Failover, enter this command on the active unit:
   hostname(config)#no failover active
3. Use FTP to send another file between the same two hosts.
4. If the test was not successful, enter the show failover command to check the failover status.
5. When you are finished, you can restore the unit or failover group to active status with this command:
   For Active/Standby Failover, enter this command on the active unit:
   hostname(config)#failover active

Forced Failover

In order to force the standby unit to become active, enter one of these commands:

Enter this command on the standby unit:

hostname#failover active

Enter this command on the active unit:

hostname#no failover active

Disabled Failover

In order to disable failover, enter this command:

hostname(config)#no failover

If you disable failover on an Active/Standby pair, the active and standby state of each unit is maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start to pass traffic. In order to make the standby unit active (even with failover disabled), see the Forced Failover section.

If you disable failover on an Active/Active pair, the failover groups remain in the active state on whichever unit they are currently active on, no matter which unit they are configured to prefer. The no failover command can be entered in the system execution space.

Restoration of a Failed Unit

In order to restore a failed unit to an unfailed state, enter this command:

hostname(config)#failover reset

If you restore a failed unit to an unfailed state, it does not automatically make it active; restored units or groups remain in the standby state until made active by failover (forced or natural). An exception is a failover group configured with the preempt command. If previously active, a failover group becomes active if it is configured with the preempt command and if the unit on which it failed is its preferred unit.

Replace the Failed Unit with a New Unit

Complete these steps in order to replace a failed unit with a new unit:

1. Run the no failover command on the primary unit.
   The status of the secondary unit shows the standby unit as not detected.
2. Unplug the primary unit, and connect the replacement primary unit.
3. Verify that the replacement unit runs the same software and ASDM version as the secondary unit.
4. Run these commands on the replacement unit:
   ASA(config)#failover lan unit primary
   ASA(config)#failover lan interface failover Ethernet3
   ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
   ASA(config)#interface Ethernet3
   ASA(config-if)#no shut
   ASA(config-if)#exit
5. Plug the replacement primary unit into the network, and run this command:
   ASA(config)#failover

Troubleshoot

When a failover occurs, both security appliances send out system messages. This section includes these topics:

- Failover Monitoring
- Unit Failure
- %ASA-3-210005: LU allocate connection failed
- %PIX|ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name
- Failover System Messages
- Debug Messages
- SNMP
- NAT 0 Issue
- ERROR: Failover cannot be configured while the local CA server is configured.
- Known Issues

Failover Monitoring

This example demonstrates what happens when failover has not started to monitor the network interfaces. Failover does not start to monitor the network interfaces until it has heard the second "hello" packet from the other unit on that interface. This takes about 30 seconds. If the unit is attached to a network switch that runs Spanning Tree Protocol (STP), this takes twice the "forward delay" time configured in the switch (typically configured as 15 seconds), plus this 30 second delay. This is because at PIX bootup and immediately after a failover event, the network switch detects a temporary bridge loop.

Upon detection of this loop, it stops forwarding packets on these interfaces for the "forward delay" time. It then enters the "listen" mode for an additional "forward delay" time, during which the switch listens for bridge loops but does not forward traffic (or forward failover "hello" packets). After twice the forward delay time (30 seconds), traffic flow resumes. Each PIX remains in a "waiting" mode until it hears 30 seconds worth of "hello" packets from the other unit. While the PIX passes traffic, it does not fail the other unit based on not hearing the "hello" packets. All other failover monitoring still occurs (that is, Power, Interface Loss of Link, and Failover Cable "hello").

For failover, Cisco strongly recommends that customers enable portfast on all switch ports that connect to PIX interfaces. In addition, channeling and trunking must be disabled on these ports. If the interface of the PIX goes down within failover, the switch does not have to wait 30 seconds while the port transitions from a state of listening to learning to forwarding.

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 6930 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
        Other host: Secondary - Standby
                Active time: 15 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Normal (Waiting)

In summary, check these steps to narrow down the failover problems:

- Check the network cables connected to the interface in the waiting/failed state and, if it is possible, replace them.
- If there is a switch connected between the two units, verify that the networks connected to the interface in the waiting/failed state function correctly.
- Check the switch port connected to the interface in the waiting/failed state and, if it is possible, use another FE port on the switch.
- Check that you have enabled portfast and disabled both trunking and channeling on the switch ports that are connected to the interface.

Unit Failure

In this example, failover has detected a failure. Note that Interface 1 on the primary unit is the source of the failure. The units are back in "waiting" mode because of the failure. The failed unit has removed itself from the network (interfaces are down) and is no longer sending "hello" packets on the network. The active unit remains in a "waiting" state until the failed unit is replaced and failover communications start again.

Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby (Failed)
                Active time: 7140 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 30 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
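The two show failover outputs in the Failover Monitoring and Unit Failure sections are what an operator reads by eye; on a pair that is polled from a monitoring host it helps to turn them into findings automatically. The following Python parser is an added example, not code from the Cisco document: it extracts the per-unit state and the status of every monitored interface from show failover text and flags the conditions this Troubleshoot section tells you to look for (failover off, a failed unit, a failed interface, interfaces still in the waiting state). The sample outputs are constructed from the two examples above, and the regular expressions, dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the "show failover" output shown in the
# Failover Monitoring and Unit Failure sections above (not live captures).
SAMPLE_UNIT_FAILURE = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby (Failed)
                Active time: 7140 (sec)
                Interface 0 (192.168.89.2): Normal (Waiting)
                Interface 1 (192.168.89.2): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 30 (sec)
                Interface 0 (192.168.89.1): Normal (Waiting)
                Interface 1 (192.168.89.1): Normal (Waiting)
"""

SAMPLE_HEALTHY = """\
Failover On
Cable status: Normal
Failover unit Primary
Interface Poll frequency 5 seconds, holdtime 25 seconds
        This host: Primary - Active
                Active time: 1905 (sec)
                Interface outside (172.16.1.1): Normal
                Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (172.16.1.2): Normal
                Interface inside (192.168.1.2): Normal
"""

ENABLED_RE = re.compile(r"^Failover (On|Off)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([\d.]+)\):\s+(.+?)\s*$")


@dataclass
class HostState:
    which: str                     # "This" or "Other"
    unit: str                      # "Primary" or "Secondary"
    state: str                     # e.g. "Active", "Standby Ready", "Standby (Failed)"
    interfaces: dict = field(default_factory=dict)   # interface name -> status text


def parse_show_failover(text):
    """Return (failover_enabled, [HostState, ...]) from 'show failover' output.
    Lines such as 'Interface Poll frequency ...' never match IFACE_RE because
    they carry no '(ip):' part, so only monitored-interface lines are collected."""
    enabled, hosts = None, []
    for line in text.splitlines():
        m = ENABLED_RE.match(line)
        if m:
            enabled = m.group(1) == "On"
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append(HostState(m.group(1), m.group(2), m.group(3)))
            continue
        m = IFACE_RE.match(line)
        if m and hosts:
            hosts[-1].interfaces[m.group(1)] = m.group(3)
    return enabled, hosts


def failover_findings(text):
    """Flag what the Troubleshoot section tells you to look for: failover off,
    a unit in failed state, a failed interface, or interfaces still waiting for
    hello packets (expected for ~30 s after boot, longer behind STP without portfast)."""
    enabled, hosts = parse_show_failover(text)
    findings = []
    if enabled is False:
        findings.append("failover is disabled")
    for h in hosts:
        if "Failed" in h.state:
            findings.append(f"{h.unit} unit has failed ({h.state})")
        for name, status in h.interfaces.items():
            if status.startswith("Failed"):
                findings.append(f"{h.unit} interface {name}: failed")
            elif "Waiting" in status:
                findings.append(f"{h.unit} interface {name}: waiting for hello packets")
    return findings
```

On the Unit Failure sample this reports the failed primary, its failed Interface 1 and the three interfaces still waiting; on the healthy sample from the Verify section it reports nothing. A waiting interface that persists well beyond the 30 second window (or 60 seconds behind a switch without portfast) is the cue to walk the cable, switch-port and portfast checks listed above.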

LU allocate connection failed

A memory problem might exist if you receive this error message:

LU allocate connection failed

Upgrade the PIX/ASA software in order to resolve this issue. Refer to Cisco bug ID CSCte80027 (registered customers only) for more information.

Primary Lost Failover communications with mate on interface interface_name

This failover message is displayed if a unit of the failover pair can no longer communicate with the other unit of the pair. Primary can also be listed as Secondary for the secondary unit.

(Primary) Lost Failover communications with mate on interface interface_name

Verify that the network that is connected to the specified interface is functioning correctly.

Failover System Messages

The security appliance issues a number of system messages related to failover at priority level 2, which indicates a critical condition. In order to view these messages, refer to the Cisco Security Appliance Logging Configuration and System Log Messages to enable logging and to see descriptions of the system messages.

Note: Within switchover, failover logically shuts down and then brings up interfaces, which generates syslog 411001 and 411002 messages. This is normal activity.

Debug Messages
In order to see debug messages, enter the debug fover command. Refer to the Cisco Security Appliance Command Reference for more information.

Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or within troubleshooting sessions with Cisco technical support staff.

SNMP
In order to receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. Refer to the snmp-server and logging commands in the Cisco Security Appliance Command Reference for more information.

NAT 0 Issue

When the power on the Cisco Security Appliance is cycled, the NAT 0 command disappears from the working configuration. This issue occurs even after the configuration is saved: other commands are saved, but the nat 0 command is not. This issue is due to Cisco bug ID CSCsk18083 (registered customers only). In order to resolve this issue, do not reference invalid access lists in the NAT exemption configuration; use only ip permit or deny ACE entries in the access list.

Failover Polltime

In order to specify the failover unit poll and hold times, use the failover polltime command in global configuration mode. The failover polltime unit msec [time] sets the interval at which hello messages are sent to check that the standby unit is still present. Similarly, the failover holdtime unit msec [time] sets the period during which a unit must receive a hello message on the failover link, after which the peer unit is declared failed. In order to specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. In order to restore the default poll and hold times, use the no form of this command.

failover polltime interface [msec] time [holdtime time]

Use the failover polltime interface command in order to change the frequency at which hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interface command in the failover group configuration mode instead of the failover polltime interface command. You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time. You can include both failover polltime unit and failover polltime interface commands in the configuration. This example sets the interface poll time frequency to 500 milliseconds and the hold time to 5 seconds:

hostname(config)#failover polltime interface msec 500 holdtime 5

Refer to the failover polltime section of the Cisco Security Appliance Command Reference, Version 7.2 for more information.
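The two rules stated above (hold time at least 5 times the interface poll time; interface testing starts once no hello is heard for over half the hold time) are easy to get wrong when tuning for faster detection. The following Python helper is an added example, not code from the Cisco document or the appliance: it validates a proposed interface poll/hold pair against the 5x rule, renders the corresponding failover polltime interface command (using the msec form only when the poll time is not a whole number of seconds), and reports when interface testing would begin and when the hold time would expire. The class and method names are this example's own, and the appliance's permitted value ranges are not encoded here because the text above does not state them.

```python
from dataclasses import dataclass


@dataclass
class InterfacePolltime:
    poll_ms: int   # interface poll interval in milliseconds
    hold_s: int    # interface hold time in seconds

    def check(self):
        """Apply the rule stated in the text: the hold time may not be less
        than 5 times the interface poll time. Returns a list of problems."""
        problems = []
        if self.hold_s * 1000 < 5 * self.poll_ms:
            problems.append(
                f"holdtime {self.hold_s}s is less than 5 x poll time "
                f"({5 * self.poll_ms / 1000:g}s)")
        return problems

    def command(self):
        """Render 'failover polltime interface [msec] time [holdtime time]'.
        Whole seconds use the plain form; sub-second values use 'msec'."""
        if self.poll_ms % 1000 == 0:
            poll = str(self.poll_ms // 1000)
        else:
            poll = f"msec {self.poll_ms}"
        return f"failover polltime interface {poll} holdtime {self.hold_s}"

    def detection_timeline(self):
        """Return (testing_starts_s, hold_expires_s): interface testing begins
        once no hello is heard for over half the hold time, and the hold time
        is the longest the unit waits for a hello before acting on the interface."""
        return self.hold_s / 2, float(self.hold_s)

    def hellos_per_hold(self):
        """How many hello packets would normally arrive within one hold time;
        the 5x rule guarantees this is at least 5, so a single lost hello
        (transient congestion) does not by itself start interface testing."""
        return (self.hold_s * 1000) // self.poll_ms
```

The page's own example, poll 500 ms with hold time 5 s, passes the check and renders exactly the command shown above; a proposal such as poll 2 s with hold time 5 s is rejected because 5 s is less than 5 x 2 s, which is the case where an aggressive poll time would have to be paired with a longer hold time to avoid spurious switchovers.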

Export Certificate/Private Key in Failover Configuration


The primary device automatically replicates the private key/certificate to the secondary unit. Issue the command write memory in the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated by the active unit configuration. Note: You must not manually import the certificates, keys, and trust points from the active device and then export to the standby device.

WARNING: Failover message decryption failure.

Error message:

Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory

This problem occurs due to the failover key configuration. In order to resolve this issue, remove the failover key, and configure the new shared key on both units.

ASA Modules Failover

If an Advanced Inspection and Prevention Security Services Module (AIP-SSM) or a Content Security and Control Security Services Module (CSC-SSM) is used in the active and standby units, the modules operate independently of the ASA in terms of failover. Modules must be configured manually in the active and standby units; failover does not replicate the module configuration. In terms of failover, both ASA units that have AIP-SSM or CSC-SSM modules must have the same module hardware type. For example, if the primary unit has the ASA-SSM-10 module, the secondary unit must have the ASA-SSM-10 module. In order to replace the AIP-SSM module on a failover pair of ASAs, you must run the hw-module module 1 shutdown command before you remove the module. In addition, the ASA must be powered down, as the modules are not hot-swappable. For more information on how to install and remove the AIP-SSM, refer to Installation and Removal Instructions.

Failover message block alloc failed

Error Message:

%PIX|ASA-3-105010: (Primary) Failover message block alloc failed

Explanation: Block memory was depleted. This is a transient message, and the security appliance should recover. Primary can also be listed as Secondary for the secondary unit.

Recommended Action: Use the show blocks command in order to monitor the current block memory.

AIP Module Failover Problem

If you have two ASAs in a failover configuration and each has an AIP-SSM, you must manually replicate the configuration of the AIP-SSMs. Only the configuration of the ASA is replicated by the failover mechanism; the AIP-SSM is not included in the failover. The AIP-SSM operates independently of the ASA in terms of failover. For failover, all that is needed from an ASA perspective is that the AIP modules be of the same hardware type. Beyond that, as with any other portion of failover, the configuration of the ASA between the active and standby units must be in sync. As for the setup of the AIPs, they are effectively independent sensors. There is no failover between the two, and they have no awareness of each other. They can run independent versions of code: they do not have to match, and the ASA does not care about the version of code on the AIP with respect to failover. ASDM initiates a connection to the AIP through the management interface IP that you configured on the AIP; in other words, it connects to the sensor, typically through HTTPS, depending on how you set up the sensor. You can have a failover of the ASA independent of the IPS (AIP) modules, and you stay connected to the same AIP because you connect to its management IP. In order to connect to the other AIP, you must reconnect to its management IP to configure it and access it. For sample configurations on how to send network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) (IPS), refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example.

Unable to Upgrade the ASA Failover Pair from Ethernet Card to Optical Interface

Complete these steps in order to upgrade the ASA failover pair from Ethernet card to optical interface:

1. Ensure that the primary device is active, shut down the secondary/standby ASA, and add the new interface card.
2. Remove all cables and boot the secondary/standby ASA to test that the new hardware is operational.
3. Shut down the secondary/standby ASA again, and reconnect the cables.
4. Shut down the primary/active ASA, and boot the secondary ASA.
   Note: Do not allow both ASAs to become active at the same time.
5. Confirm that the secondary ASA is up and passing traffic, and then make the secondary device active with the failover active command.
6. Install the new interface on the primary ASA, and remove the cables.
7. Boot the primary ASA, and test the new hardware.
8. Shut down the primary ASA, and reconnect the cables.
9. Boot the primary ASA, and make the primary device active with the failover active command.

Note: Verify the failover status on both devices with the show failover command. If the failover status is OK, you can configure the interfaces on the primary active device, and the configuration is replicated to the secondary standby.

ERROR: Failover cannot be configured while the local CA server is configured.

This error message appears when a user attempts to configure failover on an ASA:

ERROR: Failover cannot be configured while the local CA server is configured. Please remove the local CA server configuration before configuring failover.

This error occurs because the ASA does not support configuring a local CA server and failover at the same time.

%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed

I receive this error message on my failover ASA pair:

%ASA-1-104001: (Secondary) Switching to ACTIVE - Service card in other unit has failed

This issue usually occurs because of the IPS CSC module and not because of the ASA itself. If you receive this message in the error log, verify the configuration of the modules or try reseating them. Refer to Cisco Bug ID CSCtf00039 (registered customers only) for more information.

Known Issues

Error: The name on the security certificate is invalid or does not match the name of the site

When a user attempts to access the ASDM on the secondary ASA with version 8.x software and ASDM version 6.x for failover configuration, this error is received:

Error: The name on the security certificate is invalid or does not match the name of the site

In the certificate, the Issuer and the Subject Name are the IP address of the active unit (not the IP address of the standby unit). In ASA version 8.x, the internal (ASDM) certificate is replicated from the active unit to the standby unit, which causes the error message. However, if the same firewall runs version 7.x code with 5.x ASDM and you try to access ASDM, you receive the regular security warning:

The security certificate has a valid name matching the name of the page you are trying to view

When you check the certificate, the issuer and the subject name are the IP address of the standby unit.

Error: %ASA-ha-3-210007: LU allocate xlate failed

This error is received:

%ASA-ha-3-210007: LU allocate xlate failed

This issue has been observed and logged in Cisco Bug ID CSCte08816 (registered customers only). In order to resolve this issue, you must upgrade to one of the software versions in which this bug has been fixed.

Standby ASA reloads during xlate replication from Primary

For the moment, this issue is seen with releases 8.4.2 and 8.4.1.11. Try to upgrade to 8.4.2.4 in order to fix the issue. Refer to Cisco bug ID CSCtr33228 for more information.


Related Information
