mini鵝的天地

ASA架構圖

ASA HA設定

第一台ASA
 ASA-1(config)#failover                                                           //啟用 failover 功能
 ASA-1(config)#failover lan unit primary                                          //指定此台為 Primary
 ASA-1(config)#failover lan interface failover GigabitEthernet0/2                        //指定 failover 介面為 GigabitEthernet0/2
 INFO: Non-failover interface config is cleared on GigabitEthernet0/2 and its sub-interfaces
 ASA-1(config)#failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2  //指定 failover 介面的 Active / Standby IP
 

第二台ASA
 ciscoasa(config)#interface GigabitEthernet0/2                                           
 ciscoasa(config-if)#no shutdown                                                   
 ciscoasa(config-if)#failover                                                       //啟用 failover 功能
 ciscoasa(config)#failover lan unit secondary                                       //指定此台為 Secondary
 ciscoasa(config)#failover lan interface failover GigabitEthernet0/2                       //指定 failover 介面為GigabitEthernet0/2
 INFO: Non-failover interface config is cleared on GigabitEthernet0/2 and its sub-interfaces
 ciscoasa(config)#failover interface ip failover 10.0.0.1 255.255.255.0 standb 10.0.0.2  //指定 failover 介面的 Active / Standby IP
 ciscoasa(config)#.                                                                 //設定成功後出現下面訊息二台 ASA 開始同步設定
 Detected an Active mate
 Beginning configuration replication from mate.                                     //開始同步設定資料
 End configuration replication from mate.                                           //同步完成
 ASA-1(config)#                                                                     //ASA 設定同步完成 (主機名稱變成一樣的)
 

Active / Standby HA 狀態確認

第一台ASA
ASA-1#show failover
Failover On 
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(1), Mate 9.4(1)
Last Failover at: 02:42:57 UTC Apr 24 2017
        This host: Primary - Active 
                Active time: 301 (sec)
                slot 0: empty
                  Interface inside (172.16.10.1): Normal (Monitored)
                  Interface outside (59.64.35.1): Normal (Monitored)
                  Interface management (20.20.20.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                  Interface inside (172.16.10.2): Normal (Monitored)
                  Interface outside (59.64.35.2): Normal (Monitored)
                  Interface management (20.20.20.2): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

ASA-1# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac set

====VM Properties Compatibility===
vCPUs - This host:  1 
        Other host: 1 
Memory - This host:  2048 Mhz 
         Other host: 2048 Mhz 
Interfaces - This host:  7 
             Other host: 7 

ASA-1# show monitor-interface
        This host: Primary - Active 
                Interface inside (172.16.10.1): Normal (Monitored)
                Interface outside (59.64.35.1): Normal (Monitored)
                Interface management (20.20.20.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready 
                Interface inside (172.16.10.2): Normal (Monitored)
                Interface outside (59.64.35.2): Normal (Monitored)
                Interface management (20.20.20.2): Unknown (Waiting)

第二台ASA
ASA-1# show failover
Failover On 
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.4(1), Mate 9.4(1)
Last Failover at: 02:42:43 UTC Apr 24 2017
        This host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: empty
                  Interface inside (172.16.10.2): Normal (Monitored)
                  Interface outside (59.64.35.2): Normal (Monitored)
                  Interface management (20.20.20.2): Unknown (Waiting)
        Other host: Primary - Active 
                Active time: 311 (sec)
                  Interface inside (172.16.10.1): Normal (Monitored)
                  Interface outside (59.64.35.1): Normal (Monitored)
                  Interface management (20.20.20.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

ASA-1# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

====VM Properties Compatibility===
vCPUs - This host:  1 
        Other host: 1 
Memory - This host:  2048 Mhz 
         Other host: 2048 Mhz 
Interfaces - This host:  7 
             Other host: 7 
 

ASA-1# show monitor-interface
        This host: Secondary - Standby Ready 
                Interface inside (172.16.10.2): Normal (Monitored)
                Interface outside (59.64.35.2): Normal (Monitored)
                Interface management (20.20.20.2): Unknown (Waiting)
        Other host: Primary - Active 
                Interface inside (172.16.10.1): Normal (Monitored)
                Interface outside (59.64.35.1): Normal (Monitored)
                Interface management (20.20.20.1): Unknown (Waiting)