ASA Day 5 Lab
Failover requirements
* Same model and hardware configuration (number of interfaces and modules)
* Same software version*
* Same encryption features (DES or 3DES)
* Same amount of flash and RAM*
I. Configuring stateful ASA LAN-based failover (FO)
Step 1:
hostname ASA
interface Ethernet0/0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0 standby 202.100.1.20
no shutdown
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0 standby 10.1.1.20
no shutdown
Note: the standby IP addresses are configured on the Primary ASA and must be in the same subnet as the interface address.
Step 2:
interface Ethernet0/2
no shutdown
failover lan unit Primary
Note: designates this ASA as the FO Primary unit.
failover lan interface FO Ethernet0/2
Note: designates E0/2 as the FO link and names it "FO".
failover key cisco
Note: key used to encrypt and authenticate the failover messages.
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover
Note: enables the FO function.
Caution: failover must be enabled on the Primary unit first.
Step 3:
interface Ethernet0/2
no shutdown
failover lan unit secondary
Note: designates this ASA as the FO secondary unit.
failover lan interface FO Ethernet0/2
Note: designates E0/2 as the FO link and names it "FO".
failover key cisco
Note: key used to encrypt and authenticate the failover messages.
failover interface ip FO 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover
Step 4:
Check the failover status on ASA1
ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 18:02:12 UTC Jan 18 2003
This host: Primary -Active
Active time: 3099 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
Interface Outside (202.100.1.10): Normal
Interface Inside (10.1.1.10): Normal
slot 1: empty
Other host: Secondary -Standby Ready
Active time: 652 (sec)
slot 0: ASA5510 hw/sw rev (1.1/8.0(4)) status (Up Sys)
Interface Outside (202.100.1.20): Normal
Interface Inside (10.1.1.20): Normal
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Unconfigured.
Test
1. Telnet from Inside to Outside
Inside#telnet 202.100.1.1 (connects)
2. Check the connection table on ASA1
ASA(config)# sh conn
11 in use, 11 most used
TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
3. Check the connection table on ASA2
ASA(config)# sh conn
11 in use, 11 most used
4. Shut down switch port fa0/8, which connects to ASA1 e0/1
Note: if the ASA1 E0/1 interface itself is shut down, ASA2's E0/1 goes down as well, which is why the switch port is shut down instead.
Switch(config)#interface fa0/8
Switch(config-if)#shutdown
ASA(config)# sh fa
Failover On
Failover unit Primary
Failover LAN Interface: FO Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 01:16:48 UTC Jul 9 2010
        This host: Primary - Failed
                Active time: 788 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (202.100.1.20): Normal
                  Interface inside (10.1.1.20): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 81 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (202.100.1.10): Normal
                  Interface inside (10.1.1.10): Normal (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
Re-enable switch port fa0/8, which connects to ASA1 e0/1
Switch(config)#interface fa0/8
Switch(config-if)#no shutdown
ASA FO does not support automatic preemption of the Active role; it has to be switched back manually on ASA1.
ASA(config)# failover active
Switching to Active
Note: whichever unit this command is entered on becomes Active.
Step 5: Configure the Stateful link
Stateful link configuration on ASA1:
interface Ethernet0/3
no shutdown
failover link Stateful Ethernet0/3
Note: assigns E0/3 as the Stateful link and names it "Stateful".
failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
Note: configures the Stateful link IP addresses.
Note: nothing needs to be configured on ASA2, because the FO link replicates the configuration to ASA2 (secondary).
ASA(config)# sh fa
Stateful Failover Logical Update Statistics
        Link : Stateful Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         4          0          2          0
        sys cmd         2          0          2          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       9       20
        Xmit Q:         0       1024    1279
Test
1. Telnet from Inside to Outside
Inside#telnet 202.100.1.1 (connects)
2. Check the connection table on ASA1
ASA(config)# sh conn
11 in use, 11 most used
TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
3. Check the connection table on ASA2
ASA(config)# sh conn
11 in use, 11 most used
TCP Outside 202.100.1.1:23 Inside 10.1.1.1:11002, idle 0:00:08, bytes 116, flags UIO
4. Shut down switch port fa0/8, which connects to ASA1 e0/1
Switch(config)#inter fa0/8
Switch(config-if)#shutdown
ASA FO does not support automatic preemption of the Active role; it has to be switched back manually on ASA1.
ASA(config)# failover active
Switching to Active
Summary: a single interface can serve as both the FO and the Stateful link:
failover link Stateful Ethernet0/2
failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
With ASA stateful failover, the following information is not replicated to the Standby unit:
* The HTTP connection table (unless HTTP replication is enabled).
* The user authentication (uauth) table.
* The routing tables.
* Multicast traffic information.
* State information for Security Service Cards.
* DHCP server address leases.
* Stateful failover for phone proxy.
The following information is replicated:
* NAT translation table.
* TCP connection states.
* UDP connection states.
* The ARP table.
* The Layer 2 bridge table (when running in Transparent mode).
* The HTTP connection states (if HTTP replication is enabled).
* The ISAKMP and IPSec SA table.
* GTP PDP connection database.
* SIP signaling sessions.
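As an added example (not part of the original lab notes), the following Python script parses the `show failover` output shown in Steps 4 and 5 and flags what the notes say to check after a switchover: a unit in Failed state, a monitored interface that is not Normal, a version mismatch between the units, and a stateful link still Unconfigured (the Step 4 state, where the connection table was not replicated). It parses the transparent-mode output in the same way. The sample text is constructed from the lab's own output.

```python
import re

# Constructed sample modelled on the lab's Step 4 "show failover" output.
SAMPLE = """Failover On
Version: Ours 8.0(3), Mate 8.0(3)
        This host: Primary - Failed
                  Interface inside (10.1.1.20): No Link (Waiting)
        Other host: Secondary - Active
                  Interface inside (10.1.1.10): Normal (Waiting)
        Link : Unconfigured.
"""
HOST_RE = re.compile(r"^\s*(?:This|Other) host: (\w+) -\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([\d.]+\): (.+?)\s*$")
VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")

def parse_failover(text):
    """Pair state, versions, stateful link and per-unit interface states."""
    st = {"on": False, "versions": None, "stateful_link": None, "units": {}}
    unit = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            st["on"] = True
        elif VERSION_RE.search(line):
            st["versions"] = VERSION_RE.search(line).groups()
        elif HOST_RE.match(line):
            unit, role = HOST_RE.match(line).groups()
            st["units"][unit] = {"role": role, "interfaces": {}}
        elif IFACE_RE.match(line) and unit:
            name, state = IFACE_RE.match(line).groups()
            st["units"][unit]["interfaces"][name] = state
        elif line.strip().startswith("Link :"):
            st["stateful_link"] = line.split(":", 1)[1].strip().rstrip(".")
    return st

def health_findings(st):
    """Flag the conditions the lab notes tell you to watch for."""
    out = []
    if not st["on"]:
        out.append("failover is not enabled")
    if st["versions"] and st["versions"][0] != st["versions"][1]:
        out.append("software version mismatch: %s vs %s" % st["versions"])
    if st["stateful_link"] == "Unconfigured":
        out.append("no stateful link: connections will not survive a switchover")
    for unit, info in st["units"].items():
        if "Failed" in info["role"]:
            out.append("%s unit is Failed" % unit)
        for name, state in info["interfaces"].items():
            if not state.startswith("Normal"):
                out.append("%s %s: %s" % (unit, name, state))
    return out
```

Feed it the full `show failover` text captured from either unit; an empty findings list is the healthy pair shown at the end of Step 5.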
Transparent-mode ASA failover configuration
I. Basic bridging
SW1:
2    Outside                          active    Fa0/1, Fa0/10
3    Inside                           active    Fa0/2, Fa0/11
4    FO                               active    Fa0/12
5    St                               active    Fa0/13
SW2:
2    Outside                          active    Fa0/10
3    Inside                           active    Fa0/11
4    FO                               active    Fa0/12
5    St                               active    Fa0/13
Outside:
int f0/0
ip add 202.100.1.1
no sh
Inside:
int f0/0
ip add 202.100.1.2
no sh
II. ASA configuration
firewall transparent
interface Ethernet0/0
 nameif outside
 no shut
interface Ethernet0/1
 nameif inside
 no shut
interface Ethernet0/2
 no shut
interface Ethernet0/3
 no shut
ip add 202.100.1.100 255.255.255.0
failover lan unit primary
failover lan interface fover Ethernet0/2
failover key cisco
failover link Stateful Ethernet0/3
failover interface ip fover 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
failover
Note: to use one interface as both the FO link and the Stateful link, give it the same name in both commands.
ASA2:
failover lan unit secondary
failover lan interface fover Ethernet0/2
failover key cisco
failover link Stateful Ethernet0/3
failover interface ip fover 192.168.1.10 255.255.255.0 standby 192.168.1.20
failover interface ip Stateful 192.168.2.10 255.255.255.0 standby 192.168.2.20
failover
III. Test
ASAFO-Tr(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:22:18 UTC Nov 30 1999
        This host: Primary - Active
                Active time: 743 (sec)
                slot 0: empty
                  Interface outside (202.100.1.100): Normal (Waiting)
                  Interface inside (202.100.1.100): Normal (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Stateful Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         105        0          84         0
        sys cmd         84         0          84         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        L2BRIDGE Tbl    19         0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       713
        Xmit Q:         0       2       737
ASAFO-Tr(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:00:00 UTC Nov 30 1999
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 764 (sec)
                slot 0: empty
                  Interface outside (202.100.1.100): Normal (Waiting)
                  Interface inside (202.100.1.100): Normal (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Stateful Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         88         0          109        0
        sys cmd         88         0          88         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        L2BRIDGE Tbl    0          0          19         0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1414
        Xmit Q:         0       1       88
Inside#202.100.1.1
Trying 202.100.1.1 ... Open
Outside>
ASAFO-Tr(config)# sh conn
5 in use, 5 most used
TCP out 202.100.1.1:23 in 202.100.1.2:56942 idle 0:00:19 bytes 58 flags UIO
ASAFO-Tr(config)# sh conn
5 in use, 5 most used
TCP out 202.100.1.1:23 in 202.100.1.2:56942 idle 0:00:20 bytes 58 flags UIO
SW1(config)#int f0/8
SW1(config-if)#sh
ASA(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 18:53:36 UTC Nov 17 2010
        This host: Primary - Failed
                Active time: 288 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 6 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (202.100.1.100): Normal (Waiting)
                  Interface inside (202.100.1.100): Normal (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : fover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         40         0          32         0
        sys cmd         32         0          32         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        L2BRIDGE Tbl    6          0          8          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       8       74
        Xmit Q:         0       1024    1538
ASA(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: fover Ethernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate 8.0(3)
Last Failover at: 11:12:06 UTC Nov 17 2010
        This host: Secondary - Active
                Active time: 151 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (202.100.1.100): Normal (Waiting)
                  Interface inside (202.100.1.100): Normal (Waiting)
                slot 1: empty
        Other host: Primary - Failed
                Active time: 288 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(3)) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): No Link (Waiting)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : fover Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         78         0          60         0
        sys cmd         52         0          52         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        3          0          0          0
        ARP tbl         0          0          2          0
        L2BRIDGE Tbl    23         0          6          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      1381
        Xmit Q:         0       1       234
Note: after the switch port is re-enabled (no shut), ASA1 remains Standby; as in routed-mode FO, preemption is not supported and the switch back must be done manually.
ASA(config)# failover active
        Switching to Active
Note that when this lab is run on an emulator, the switchover does not work.
Reposted from: https://blog.51cto.com/skybird/615060