Cisco Firepower 2140: running ASA and configuring failover
1 Background
Here we have two Cisco Firepower 2140 hardware appliances.
We plan to run ASA on them and configure failover with a Primary Unit and a Secondary Unit.
On site there are two Cisco Firepower 2140 firewalls running in ASA mode, configured as an HA pair; the heartbeat link uses E1/11 and E1/12, bundled into a port-channel.
First, what does the FPR2140 look like physically?

Top left is the management port.
Bottom left is the console port.
Then come the data interfaces: 12 gigabit copper ports and 4 10G SFP+ ports, plus an expansion slot on the far right that can take a 10G SFP+ module card.

** So, how do you manage the FPR2140?
On the FPR2140 front panel the copper port at top left is the management port; FDM and the ASA running inside share this single management interface.
The FPR4000 series is different: FXOS management uses the port on the panel, while ASA management needs a separate interface.
So what are the requirements for these two management IPs?
The two IPs must be in the same subnet.
How to set the management port IP
Taking management IP 10.248.1.211/24 with gateway 10.248.1.254 as an example:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-buffer
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect #
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.248.1.211 netmask 255.255.255.0 10.248.1.254
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect # commit-buffer
After the configuration is committed, check the effective management IP:
firepower-2140 /fabric-interconnect # show
Fire Power:
ID OOB IP Addr OOB Netmask OOB Gateway OOB IPv6 Address Prefix OOB IPv6 Gateway Operability
---- --------------- --------------- --------------- ---------------- ------ ---------------- -----------
A 10.248.1.211 255.255.255.0 10.248.1.254 :: 64 :: Operable
firepower-2140 /fabric-interconnect #
Once configured, the GUI can be opened in a browser at https://10.248.1.211
2 Configuration steps
2.1 Create the interconnect port-channel
On the FPR2100 series a port-channel cannot be created inside ASA at all; the command simply does not exist there. Odd, right?
It has to be created in the FDM management page of the FPR2100 (FDM stands for Firepower Device Manager, the management platform built into Firepower).
It looks like this:

2.1.1 interfaces —> Add Portchannel

2.1.2 Specify the ID and the member interfaces

Configure the port-channel the same way on the other FPR2140.
2.2 Enter ASA
firepower-2140# conn asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FW-2140-1/pri/act#
2.3 View the port-channel interface
FW-2140-1/pri/act# show int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Port-channel10 unassigned YES unset up up !!!!! this is the interface just created
Ethernet1/1 unassigned YES unset down down
Ethernet1/2 unassigned YES unset down down
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset down down
Ethernet1/8 unassigned YES unset down down
Ethernet1/9 unassigned YES unset down down
Ethernet1/10 unassigned YES unset down down
Ethernet1/11 unassigned unassociated unset down down
Ethernet1/12 unassigned unassociated unset down down
Ethernet1/13 unassigned unassociated unset down down
Ethernet1/14 unassigned unassociated unset down down
Ethernet1/15 unassigned YES unset down down
Ethernet1/16 unassigned YES unset down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 192.168.45.1 YES CONFIG up up
2.4 Configure failover on ASA
Failover requires two independent ASA devices connected by a dedicated failover link (an Ethernet link can be used). A separate stateful link can be added, but it is not mandatory: state can share the failover link.
Failover happens when the primary device or a monitored interface develops a problem that meets a failover condition.
ASA supports two failover modes: Active/Active failover and Active/Standby failover.
The two modes work differently, as follows:
• Active/Standby failover: only the active unit forwards traffic; the standby forwards nothing. When failover occurs the active role switches, and the former standby becomes active and forwards traffic.
• Active/Active failover: both ASAs can forward traffic, but this requires multiple-context mode (virtual firewalls). In that case the ASA is divided into two failover groups, each corresponding to one context.
The port-channel interface used for the heartbeat was already created at the physical level above
(a single interface would also work for the heartbeat; the port-channel is only there for link redundancy).
- Enable failover
- Define the physical role (primary or secondary)
- Specify Port-channel10 as the failover heartbeat interface
- Specify Port-channel10 as the stateful failover interface
- Configure the heartbeat IPs
2.4.1 Configure failover on the first ASA
failover
failover lan unit primary // role is primary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2
2.4.2 Configure failover on the second ASA
failover
failover lan unit secondary // role is secondary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2
As soon as the second ASA is configured, a message appears: an Active ASA has been detected and configuration sync is about to start.
ciscoasa(config)# .
Detected an Active mate
Configuration between unit doesn't match. Going for config sync.Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
/bin/sh: /asa/scripts/coredump_ops.sh: No such file or directory
livecore enabled
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
Creating trustpoint "_SmartCallHome_ServerCA2" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
INFO: object-group-search on access-control is already disabled
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: Trustpoint _SmartCallHome_ServerCA2 is already authenticated.
End configuration replication from mate.
After the sync completes, check the failover status.
Under normal conditions the two firewalls' roles are Active and Standby respectively.
FW-2140-1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Port-channel10 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.18(3)56, Mate 9.18(3)56
Serial Number: Ours JAD224809ZQ, Mate JAD22460JVP
Last Failover at: 11:04:55 CST Mar 22 2024
This host: Primary - Active
Active time: 173202 (sec)
slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)
Interface management (192.168.45.1): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (10.30.255.4): No Link (Not-Monitored)
Interface outside-dmz-ds (10.30.252.23): No Link (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)
Interface management (0.0.0.0): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (10.30.255.5): Normal (Not-Monitored)
Interface outside-dmz-ds (10.30.252.24): Normal (Not-Monitored)
3 Firewall failover switchover commands
Sometimes we need to force the firewalls to switch active/standby manually, for example during a version upgrade.
The switchover can be performed from either the Active or the Standby firewall.
- On the current Active firewall
no failover active
- On the current Standby firewall
failover active
4 Q&A
4.1 Check the failover state
show failover state
ASA5550# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 00:42:02 UTC Nov 4 2024
====Configuration State===
Sync Done
====Communication State===
Mac set
The output above shows that the unit we are logged into is Primary and is running in the Active role.
For detailed failover status, enter show failover directly.
show failover
This shows the failover state of each interface. Once the HA pair is formed, the firewall monitors interface state, and under normal conditions an interface shows Monitored. What does that mean?
It means the interface is within the scope of failover monitoring, is currently being monitored, and is healthy. If the interface goes down, a failover switchover is triggered and the interface state becomes No Link (Waiting).
ASA5550# show failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover/State GigabitEthernet1/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 410 maximum
Version: Ours 9.1(7)20, Mate 9.1(7)20
Last Failover at: 02:00:21 UTC Dec 4 2024
This host: Primary - Active
Active time: 5789777 (sec)
slot 0: ASA5550 hw/sw rev (2.0/9.1(7)20) status (Up Sys)
Interface inside (10.19.246.201): Normal (Monitored)
Interface outside (200.100.1.1): No Link (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Secondary - Standby Ready
Active time: 308 (sec)
slot 0: ASA5550 hw/sw rev (2.0/9.1(7)20) status (Up Sys)
Interface inside (10.19.246.202): Normal (Monitored)
Interface outside (200.100.1.2): No Link (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : Failover/State GigabitEthernet1/3 (up)
Stateful Obj xmit xerr rcv rerr
General 1282489 0 1118209 0
sys cmd 1118207 0 1118207 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 4 0 0 0
UDP conn 0 0 0 0
ARP tbl 164277 0 2 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 1 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 4 1119023
Xmit Q: 0 27 5824041
XYF-J05-1U-2U-TEST-ASA5550#
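As an added example (not from the original post), a Python check that parses show failover output in the format shown above, pulls out each unit's role and state, and reports the conditions a monitoring job should alert on: failover off, the pair not in Active / Standby Ready, interfaces showing No Link, and data interfaces that failover is not monitoring. The sample output is constructed; only its layout follows the real command.

```python
import re

# Constructed sample in the "show failover" format shown in the post;
# the addresses and interface states are made up for illustration.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover LAN Interface: FO Port-channel10 (up)
This host: Primary - Active
          Interface outside (0.0.0.0): No Link (Waiting)
          Interface inside (10.30.255.4): Normal (Monitored)
Other host: Secondary - Standby Ready
          Interface outside (0.0.0.0): No Link (Waiting)
          Interface inside (10.30.255.5): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?) \((.+?)\)$")

def parse_show_failover(text):
    """Pull failover on/off and each host's role, state and interface
    health out of 'show failover' output."""
    result = {"failover_on": False, "hosts": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            result["failover_on"] = True
        elif m := HOST_RE.match(line):
            current = m.group(1).lower()  # "this" or "other"
            result["hosts"][current] = {"unit": m.group(2), "state": m.group(3), "interfaces": []}
        elif (m := IFACE_RE.match(line)) and current:
            result["hosts"][current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "link": m.group(3), "monitor": m.group(4)})
    return result

def failover_findings(parsed):
    """Conditions a monitoring job should alert on for an Active/Standby pair."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is off")
    if sorted(h["state"] for h in parsed["hosts"].values()) != ["Active", "Standby Ready"]:
        findings.append("pair is not in Active / Standby Ready")
    for host, h in parsed["hosts"].items():
        for i in h["interfaces"]:
            if i["link"] != "Normal":  # "No Link": a down interface that can trigger failover
                findings.append(f"{host} {i['name']}: {i['link']} ({i['monitor']})")
            elif i["monitor"] == "Not-Monitored":
                findings.append(f"{host} {i['name']}: not monitored by failover")
    return findings
```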
4.2 Check the failover interface
show failover interface
This refers to the interface the two firewalls use for the HA interconnect.
ASA5550# show failover interface
interface Failover/State GigabitEthernet1/3
System IP Address: 100.64.1.1 255.255.255.252
My IP Address : 100.64.1.1
Other IP Address : 100.64.1.2
4.3 View the failover switchover history
show failover history
ASA5550# show failover history
==========================================================================
From State To State Reason
==========================================================================
06:19:47 UTC Nov 4 2024
Active Applying Config Active Config Applied Other unit wants me Active
06:19:47 UTC Nov 4 2024
Active Config Applied Active Other unit wants me Active
12:47:12 UTC Nov 9 2024
Active Standby Ready Set by the config command
12:47:30 UTC Nov 9 2024
Standby Ready Just Active Other unit wants me Active
12:47:31 UTC Nov 9 2024
Just Active Active Drain Other unit wants me Active
