Tuesday, August 11, 2009

PIX or ASA Stateful Failover Configuration

I subscribe to RSS feeds from some 20 or more Cisco-centric blogs, many of them maintained by CCIEs or those studying for the CCIE.

Occasionally someone posts a PIX/ASA failover configuration example. Generally I feel they fall short of the mark in providing a detailed, secure, real-world example of how to configure stateful failover.

The configuration below, however, is as complete as it gets, and it applies to both PIX and ASA devices. More so to the ASA, which has no serial failover port: the dedicated failover cable was the PIX method once upon a time, in the networking dark ages. Everything here is LAN-based failover.

The configuration below uses two physical interfaces on each firewall: one for failover communication (hello messages, health checks and configuration replication) and one for connection state replication. It seems somewhat wasteful, but Cisco does recommend it in various documents. I've not had a problem mixing both failover communication and traffic state replication on a single interface. To use just one interface, point "failover link" at the same interface name you gave to "failover lan interface" (for example "failover link failover Ethernet3") and drop the separate "failover interface ip failover-state" line. Simply deleting the failover-state lines is not enough: that leaves you with plain failover and no state replication at all.

Take note, however, that some people tend to use the Management0/0 interface on ASA firewalls as the failover or state link. It can be OK to use the 10/100 Mbit Management0/0 interface for failover communication, as that does not use much bandwidth. You should avoid using it for the failover state link, though, particularly on ASA models with Gigabit interfaces. State replication needs the lowest possible latency and zero packet loss to work reliably; otherwise your firewalls fail over at random, or the standby lags behind in connection state when they fail over for the right reason. With multiple Gigabit interfaces, simply replicating the connection state for the traffic being permitted through the firewall can exceed the capacity of a single 100 Mbit interface.

And if you're not using Management0/0 for out-of-band management of the device, you really should be!

I've also used 169.254.x.x link-local addresses on the failover and failover state links. As PIX and ASA have no VRF/private routing table concept, the addresses you configure on the failover links are added to the one and only routing table. Worse still, they do seem to actually route/accept traffic for the failover and state link IPs when it arrives on your other interfaces.

You would of course need to permit that traffic in an ACL, but it's not uncommon for people to permit all RFC 1918 addresses to particular services. Not a good idea: an ACL like that also covers failover links numbered out of 10.x.x.x or 192.168.x.x.

169.254.x.x addresses are link-local auto-configuration addresses (RFC 3927); routers must not forward packets to or from them, and any decently configured intermediary router sends them to null0. So, provided you don't accidentally permit them in an ACL, there is no way for anyone off the failover segment to talk to your firewall on those IPs.
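The three points above (state link off the Management port, link-local addressing on the failover links, and no ACL that reaches the failover addresses) are easy to check mechanically against a running config. The following is an added example, not code from the original post: a small audit that parses the failover stanza and the extended permit ACEs of a PIX/ASA config and reports each deviation. The two sample configs are constructed for illustration, one built from the stanza in this post and one with every mistake the post warns about; the ACE parser handles the common "any | host A | A MASK" forms and skips object-group entries.

```python
"""Audit a PIX/ASA config for the failover points made above. Added example,
not part of the original post; the two sample configs are constructed."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_addr(tokens, i):
    """Parse one ACE address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return _net(tokens[i + 1], "255.255.255.255"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_failover(config):
    """Key presence, LAN/state link (name, port) and the network of each link address."""
    fo = {"key": False, "lan": None, "link": None, "addrs": {}}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != "failover":
            continue
        if t[1:2] == ["key"]:
            fo["key"] = True
        elif t[1:3] == ["lan", "interface"]:
            fo["lan"] = (t[3], t[4])
        elif t[1:2] == ["link"]:  # "failover link NAME [PORT]"; port omitted when shared
            fo["link"] = (t[2], t[3] if len(t) > 3 else None)
        elif t[1:3] == ["interface", "ip"]:
            fo["addrs"][t[3]] = _net(t[4], t[5])
    return fo


def parse_acl_permits(config):
    """(acl name, destination network) per extended permit ACE; object-group ACEs are skipped."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
            continue
        try:
            _, i = _acl_addr(t, 5)  # source address
            if i < len(t) and t[i] in PORT_OPS:  # optional source port operator
                i += 1 + PORT_OPS[t[i]]
            dst, _ = _acl_addr(t, i)
        except (ValueError, IndexError):  # object-group / object / interface keywords
            continue
        out.append((t[1], dst))
    return out


def audit(config):
    """Return findings as strings; an empty list means the stanza passes."""
    findings = []
    fo = parse_failover(config)
    if not fo["key"]:
        findings.append("no failover key: failover messages and replicated config cross the link in the clear")
    for name, net in fo["addrs"].items():
        if not net.subnet_of(LINK_LOCAL):
            findings.append(f"{name} link uses routable space {net}; use 169.254.0.0/16")
    if fo["link"] and fo["lan"]:
        # A state link that shares the LAN failover name rides on the LAN link's port.
        port = fo["link"][1] or (fo["lan"][1] if fo["link"][0] == fo["lan"][0] else None)
        if port and port.lower().startswith("management"):
            findings.append(f"state link on {port}: keep state replication off the Management port")
    for acl, dst in parse_acl_permits(config):
        for name, net in fo["addrs"].items():
            if dst.overlaps(net):
                findings.append(f"access-list {acl} permits traffic to {dst}, covering the {name} link {net}")
    return findings


# Constructed: the post's primary stanza plus one tight management ACE.
GOOD_CONFIG = """\
failover lan unit primary
failover lan interface failover Ethernet3
failover link failover-state Ethernet4
failover key S3cretK3y
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip failover-state 169.254.255.5 255.255.255.252 standby 169.254.255.6
failover
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 host 10.0.0.1 eq 22
"""
# Constructed: every mistake the post warns about, in one stanza.
BAD_CONFIG = """\
failover lan unit primary
failover lan interface failover Ethernet3
failover link failover-state Management0/0
failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip failover-state 192.168.254.5 255.255.255.252 standby 192.168.254.6
failover
access-list OUTSIDE extended permit ip any any
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0 eq ssh
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg))
```

Run it against the output of "show running-config" saved to a file (read the file and pass the text to audit). The "permit ip any any" case is the one that bites in practice: it is not obviously about the failover link, yet it is exactly the ACE that exposes the 192.168.254.x failover addresses to every inside host.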


! ---------------------- FAILOVER CONFIG PRIMARY ------------------------ !
!
! Bring the failover and state link interfaces up first; the pair will not
! form while either physical link is down.
int Eth3
no shut
int Eth4
no shut
!
failover lan unit primary
failover lan interface failover Ethernet3
failover link failover-state Ethernet4
! The key is a shared secret that encrypts and authenticates failover traffic.
! Without it, hello messages and the replicated config (passwords included)
! cross the link in clear text. Use the same key on both units.
failover key <%FAILOVER KEY%>
! HTTP connections are not replicated to the standby by default; this turns
! that on, at the cost of more traffic on the state link.
failover replication http
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip failover-state 169.254.255.5 255.255.255.252 standby 169.254.255.6
! "failover lan enable" is the PIX 6.x way of selecting LAN-based failover;
! 7.x and ASA images do not need it.
failover lan enable
failover
!
! If you're running a 7.2 image or newer the following is also recommended.
! It changes the CLI prompt to show the configured role and current state of
! the unit you're connected to, i.e. if your firewall's hostname is FW0 the
! prompt looks like
!
! FW0/pri/act#
!
! indicating it is configured as the primary and is currently active.
!
prompt hostname priority state
!
! ---------------------- FAILOVER CONFIG STANDBY ------------------------ !
! Configure the primary first. Everything else syncs over from the primary
! once failover is enabled here, so do not configure interfaces, ACLs or
! anything beyond this stanza on the secondary. Confirm with "show failover"
! on either unit that both units are present and state replication is running.
!
int Eth3
no shut
int Eth4
no shut
!
failover lan unit secondary
failover lan interface failover Ethernet3
failover link failover-state Ethernet4
failover key <%FAILOVER KEY%>
failover replication http
failover interface ip failover 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip failover-state 169.254.255.5 255.255.255.252 standby 169.254.255.6
failover lan enable
failover
!
! EOF

1 comment:

Stefan said...

Hi
Great article. I have a couple of questions, please.

Would it be possible to apply this configuration to local interfaces?

Example:
Ethernet 0/0 and 0/2 are outside links, primary and failover.

Ethernet 0/1 and 0/3 are internal trunks to the core switch. 0/1 contains all sub-interfaces/VLANs.
Thanks
Stefan