1 背景
here we got 2 cisco firepower 2140 hardware appliance
we’re planning to run ASA on it. and config failover for Primary Unit and Secondary Unit
现场2台Cisco firepower 2140防火墙, 运行ASA模式, 双机组HA,心跳线使用E1/11, E1/12, 配置port-channel
先看看FPR2140物理外观长啥样?
左上角的是 管理口
左下角是console
然后就是数据接口了,12个千兆电口,4个万兆SFP+,另外最右侧还有个扩展卡,可以插万兆的SFP+子卡。
** 话说怎么管理FPR2140 ?
FPR2140面板 左上角的那个电口就是管理口,而FDM和里面跑的ASA的管理都是复用这一个管理接口
而FPR4000系列就有所不同,FXOS的管理是面板上的,ASA的管理是需要使用另外的接口。
那么这2个管理IP有啥要求?
这2个IP必须是在同一网段。
怎么设置管理口IP
以管理IP为10.248.1.211/24 ,网关为10.248.1.254为例
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-buffer
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect #
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.248.1.211 netmask 255.255.255.0 10.248.1.254
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect # commit-buffer
配置完成后,查看生效的管理IP
firepower-2140 /fabric-interconnect # show
Fire Power:
ID OOB IP Addr OOB Netmask OOB Gateway OOB IPv6 Address Prefix OOB IPv6 Gateway Operability
---- --------------- --------------- --------------- ---------------- ------ ---------------- -----------
A 10.248.1.211 255.255.255.0 10.248.1.254 :: 64 :: Operable
firepower-2140 /fabric-interconnect #
配置完成后,就可以网页 https://10.248.1.211打开GUI界面了
2 配置步骤
2.1创建互联的port-channel
FPR2100系列在ASA里面可创建不了port-channel,ASA上根本没这命令,奇葩吧
需要在FPR2100的FDM管理页面上创建 (FDM全称: Firepower Device Manager, 即firepower自带的管理平台)
长这个样子
2.1.1 interfaces —> Add Portchannel
2.1.2 指定ID及接口
另一台FPR2140也同样操作配置port-channel
2.2 进入ASA
firepower-2140# conn asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FW-2140-1/pri/act#
2.3 查看port-channel接口
FW-2140-1/pri/act# show int ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Port-channel10 unassigned YES unset up up !!!!!这就是刚才创建的接口
Ethernet1/1 unassigned YES unset down down
Ethernet1/2 unassigned YES unset down down
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset down down
Ethernet1/8 unassigned YES unset down down
Ethernet1/9 unassigned YES unset down down
Ethernet1/10 unassigned YES unset down down
Ethernet1/11 unassigned unassociated unset down down
Ethernet1/12 unassigned unassociated unset down down
Ethernet1/13 unassigned unassociated unset down down
Ethernet1/14 unassigned unassociated unset down down
Ethernet1/15 unassigned YES unset down down
Ethernet1/16 unassigned YES unset down down
Internal-Data1/1 169.254.1.1 YES unset up up
Management1/1 192.168.45.1 YES CONFIG up up
2.4 ASA配置Failover
上面在物理层面已经创建好了用于心跳的port-channel接口
(当然心跳只用单个接口也是可以的,使用port-channel只是为了有链路冗余)
- 打开failover功能
- 定义物理角色(primary or secondary)
- 指定Failover心跳使用port-channel 10这个接口
- 指定Failover状态化同步使用port-channel 10这个接口
- 配置心跳IP
2.2.1 第1台ASA配置failover
failover
failover lan unit primary //角角为primary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2
2.2.2 第2台ASA配置failover
failover
failover lan unit secondary //角角为secondary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2
第2台ASA配置完成后,马上弹出提示,检测到1台Active的ASA,要开始同步配置
ciscoasa(config)# .
Detected an Active mate
Configuration between unit doesn't match. Going for config sync.Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
/bin/sh: /asa/scripts/coredump_ops.sh: No such file or directory
livecore enabled
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint CA certificate accepted.
Creating trustpoint "_SmartCallHome_ServerCA2" and installing certificate...
Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
INFO: object-group-search on access-control is already disabled
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: Trustpoint _SmartCallHome_ServerCA2 is already authenticated.
End configuration replication from mate.
同步完成后,Check failover status
正常情况下,2台墙的角色分别为Active , Standby
FW-2140-1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FO Port-channel10 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.18(3)56, Mate 9.18(3)56
Serial Number: Ours JAD224809ZQ, Mate JAD22460JVP
Last Failover at: 11:04:55 CST Mar 22 2024
This host: Primary - Active
Active time: 173202 (sec)
slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)
Interface management (192.168.45.1): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (10.30.255.4): No Link (Not-Monitored)
Interface outside-dmz-ds (10.30.252.23): No Link (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)
Interface management (0.0.0.0): Normal (Waiting)
Interface outside (0.0.0.0): No Link (Waiting)
Interface inside (10.30.255.5): Normal (Not-Monitored)
Interface outside-dmz-ds (10.30.252.24): Normal (Not-Monitored)
3 防火墙failover切换命令
在某些时候,我们需要手工强制防火墙切换主备,比如升级版本时。
切换的命令在Active墙或Standby墙上都可以实现切换
- 在当前的Active墙上
no failover active
- 在当前Standby墙上
failover active
