
Cisco ASA firewall failover without the standby parameter configured

Zhixin
Level 1
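Firewall: ASA 5585-SSP-20, version 8.4(1). When the interface addresses were configured on the primary firewall, no standby address was configured. Can failover work normally, can the primary switch over to the secondary, and can traffic be forwarded without interruption?
Part of the configuration follows: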
failover
failover lan unit primary
failover lan interface FWFAIL GigabitEthernet0/6
failover replication http
failover link state GigabitEthernet0/7
failover interface ip FWFAIL 192.168.2.1 255.255.255.252 standby 192.168.2.2
failover interface ip state 192.168.3.1 255.255.255.252 standby 192.168.3.2
interface TenGigabitEthernet0/9.501
vlan 101
nameif outside
security-level 0
ip address 10.5.201.4 255.255.255.248
exi
5 replies

qiangzh2
Cisco Employee
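Without a standby IP configured, you cannot fully determine whether the data interfaces are healthy and usable; a device switchover can only be triggered by a unit-level failure.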

fortune
VIP Alumni
This definitely has to be configured. You should follow the manual when configuring it.

Rockyw
Spotlight
What requirement is the original poster trying to meet that led to configuring it this way?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

Zhixin
Level 1
I didn't configure it; it's a configuration I saw on a production network, and I wanted to ask whether it can provide HA.

xiaocqu
Spotlight
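This post was last edited by xiaocqu on 2018-10-8 05:47
zhixincui posted on 2018-3-13 13:38
I didn't configure it; it's a configuration I saw on a production network, and I wanted to ask whether it can provide HA.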

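Question:
When the interface addresses were configured on the primary firewall, no standby address was configured. Can failover work normally, can the primary switch over to the secondary, and can traffic be forwarded without interruption?
Answer:
1/ Failover works normally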
ciscoasa/pri/act(config)# interface Management0/0
ciscoasa/pri/act(config-if)# ip address 10.1.1.1 255.255.255.0
WARNING: Failover is enabled but standby IP address is not configured for this interface.
ciscoasa/pri/act(config-if)
----------------------------------------------------------
ciscoasa/pri/act(config)# show run failover
failover
failover lan unit primary
failover lan interface FO GigabitEthernet0/4
failover link ST GigabitEthernet0/5
failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip ST 192.168.2.1 255.255.255.0 standby 192.168.2.2
----------------------------------------------------------
ciscoasa/pri/act(config)# sho failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 04:26:12 UTC Sep 20 2018
====Configuration State===
Sync Done
====Communication State===
Mac set
ciscoasa/pri/act(config)#
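2/ Whether the primary can switch over to the secondary: traffic switches over without interruption.
Test procedure:
1) From a PC, run a continuous ping to the Management0/0 IP address 10.1.1.1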
C:\Users\xiaocqu>ping 10.1.1.1 -t
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<1ms TTL=252
Reply from 10.1.1.1: bytes=32 time=1ms TTL=252
Reply from 10.1.1.1: bytes=32 time<1ms TTL=252
Reply from 10.1.1.1: bytes=32 time=1ms TTL=252
Reply from 10.1.1.1: bytes=32 time<1ms TTL=252
……
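Then perform a manual failover switchover (run "failover active" on the standby); the switchover completed with no traffic interruption throughout.
3/ Recommendation:
Configure the standby IP; otherwise the corresponding interface on the standby firewall has no address, which affects the standby firewall's data connectivity. Details below: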
ciscoasa/pri/act(config)# sho ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/4 FO 192.168.1.1 255.255.255.0 unset
GigabitEthernet0/5 ST 192.168.2.1 255.255.255.0 unset
Management0/0 management 10.1.1.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/4 FO 192.168.1.1 255.255.255.0 unset
GigabitEthernet0/5 ST 192.168.2.1 255.255.255.0 unset
Management0/0 management 10.1.1.1 255.255.255.0 manual
-----------------------------------------------------------------
ciscoasa/sec/stby(config)# sho ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/4 FO 192.168.1.1 255.255.255.0 unset
GigabitEthernet0/5 ST 192.168.2.1 255.255.255.0 unset
Management0/0 management 10.1.1.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/4 FO 192.168.1.2 255.255.255.0 unset
GigabitEthernet0/5 ST 192.168.2.2 255.255.255.0 unset
ciscoasa/sec/stby(config)#
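
Added example, not part of the original thread and not Cisco tooling: a Python audit for the condition discussed above, listing interfaces that are up and have a static `ip address` but no `standby` address. It assumes `show running-config`-style text with indented interface sub-commands; the function name `audit_standby` and the sample configuration (including the `inside` and `Management0/0` stanzas) are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout; not taken from a real device.
SAMPLE_CONFIG = """\
failover
failover interface ip FWFAIL 192.168.2.1 255.255.255.252 standby 192.168.2.2
interface TenGigabitEthernet0/9.501
 nameif outside
 ip address 10.5.201.4 255.255.255.248
!
interface TenGigabitEthernet0/9.502
 nameif inside
 ip address 10.5.202.4 255.255.255.248 standby 10.5.202.5
!
interface Management0/0
 shutdown
 nameif management
 ip address 10.1.1.1 255.255.255.0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(rf"^ip address ({IPV4}) ({IPV4})(?: standby ({IPV4}))?$")

def audit_standby(config):
    """Return (failover_enabled, findings): up interfaces with an IP but no standby IP."""
    failover_enabled = False
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = dict(name=line.split()[1], nameif=None, ip=None, standby=None, shutdown=False)
            blocks.append(current)
        elif current is not None and raw[:1].isspace():
            m = IP_RE.match(line)  # indented line: sub-command of the interface
            if m:
                current["ip"], current["standby"] = m.group(1), m.group(3)
            elif line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line == "shutdown":
                current["shutdown"] = True
        else:
            current = None  # back at global level ("!" or a global command)
            if line == "failover":  # the bare command enables failover
                failover_enabled = True
    findings = [(b["name"], b["nameif"], b["ip"]) for b in blocks
                if b["ip"] and not b["standby"] and not b["shutdown"]]
    return failover_enabled, findings

if __name__ == "__main__":
    print(audit_standby(SAMPLE_CONFIG))
```

Each finding is an interface that would trigger the "standby IP address is not configured" warning shown in the answer above; shut-down interfaces are skipped.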