将ASA防火墙替换为主用/备用故障转移对

下载选项

  • PDF     (301.0 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (78.6 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (68.6 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2024 年 11 月 1 日
文档 ID:220525

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文档介绍如何用主用/备用故障转移对替换自适应安全设备(ASA)防火墙。

    背景信息

    ASA防火墙支持两种故障切换配置:主用/主用故障切换和主用/备用故障切换。

    有2个防火墙:

    • firewall-a is primary/active
    • 防火墙b为辅助/备用

    故障切换配置中主设备和辅助设备之间的区别

    此命令意味着此防火墙始终将活动配置推送到辅助防火墙。

    # failover lan unit primary

    此命令意味着此防火墙始终从主防火墙接收活动配置。

    # failover lan unit secondary

    故障切换配置中主用设备和备用设备之间的区别

    此命令意味着此防火墙是故障转移对中的活动运行防火墙。

    # failover active

    此命令意味着此防火墙是运行故障切换对中防火墙的备用防火墙。

    # failover standby

    替换辅助防火墙故障

    1. 验证主防火墙是否处于活动状态并处于联机状态。例如: 

    firewall-a/pri/act# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL1, Mate JADSERIAL2
Last Failover at: 19:54:29 GMT May 23 2023
	This host: Primary - Active 
		Active time: 2204 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1): Normal (Not-Monitored)
		  Interface outside (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)
	Other host: Secondary - Failed 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)

    2. 关闭并实际移除辅助防火墙。

    3. 以物理方式添加新的辅助防火墙并打开其电源。

    4. 当新的辅助防火墙以默认出厂配置处于活动状态时,启用故障切换链路no shutdown(即故障切换物理链路)。

    示例:

    firewall-a/pri/act#conf t
firewall-a/pri/act#(config)#interface Port-channel1
firewall-a/pri/act#(config-if)#no shutdown
firewall-a/pri/act#(config)#exit
firewall-a/pri/act#
firewall-b/sec/stby#conf t
firewall-b/sec/stby#(config)#interface Port-channel1
firewall-b/sec/stby#(config-if)#no shutdown
firewall-b/sec/stby#(config)#exit
firewall-b/sec/stby#

    5. 配置故障切换命令。例如:

    firewall-a/pri/act# sh run | inc fail
failover
failover lan unit primary
failover lan interface sync Port-channel1
failover link sync Port-channel1
failover interface ip sync 10.10.13.9 255.255.255.252 standby 10.10.13.10
no failover wait-disable
firewall-a/pri/act# 

firewall-b/sec/stby# sh run | inc fail
no failover
failover lan unit secondary
failover lan interface sync Port-channel1
failover link sync Port-channel1
failover interface ip sync 10.10.13.9 255.255.255.252 standby 10.10.13.10
no failover wait-disable
firewall-b/sec/stby#

    6. 在新的辅助防火墙上启用故障切换。例如:

    firewall-b/sec/stby#conf t
firewall-b/sec/stby#(config)#failover
firewall-b/sec/stby#(config)#exit
firewall-b/sec/stby#
firewall-b/sec/stby# sh run | inc fail
failover
firewall-b/sec/stby#

    7. 等待活动配置同步到新设备并验证正确的故障转移状态。例如:

    firewall-a/pri/act# 
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
firewall-a/pri/act# 
firewall-b/sec/stby# 
Beginning configuration replication from mate.
End configuration replication from mate.
firewall-b/sec/stby#
    note-icon

    注意:请注意,主防火墙(firewall-a)将配置发送到辅助防火墙(firewall-b)。

    8. 保存主/主上的配置并验证新的辅助/备用上的写入内存。例如:

    firewall-a/pri/act#write memory
Building configuration...
Cryptochecksum: ad317407 935a773c 6c5fb66a c5edc342 
64509 bytes copied in 9.290 secs (7167 bytes/sec)
[OK]
firewall-a/pri/act#
firewall-b/sec/stby# 
May 24 2023 15:16:21 firewall-b : %ASA-5-111001: Begin configuration: console writing to memory
May 24 2023 15:16:22 firewall-b : %ASA-5-111004: console end configuration: OK
May 24 2023 15:16:22 firewall-b : %ASA-5-111008: User 'failover' executed the 'write memory' command.
May 24 2023 15:16:22 firewall-b : %ASA-5-111010: User 'failover', running 'N/A' from IP x.x.x.x , executed 'write memory'
firewall-b/sec/stby#

    9. 验证故障转移对在两个防火墙上均处于up/up活动状态。例如:

    firewall-a/pri/act# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL1, Mate JADSERIAL2
Last Failover at: 19:54:29 GMT May 23 2023
	This host: Primary - Active 
		Active time: 71564 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1): Normal (Not-Monitored)
		  Interface outside (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)
	Other host: Secondary - Standby Ready 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)

firewall-b/sec/stby# show failover 
Failover On 
Failover unit Secondary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL2, Mate JADSERIAL1
Last Failover at: 20:51:27 GMT May 23 2023
	This host: Secondary - Standby Ready 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)
	Other host: Primary - Active 
		Active time: 71635 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1: Normal (Not-Monitored)
		  Interface outide (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)

    替换主防火墙故障

    1. 验证辅助防火墙是否处于活动状态并处于联机状态。例如:
    firewall-b/sec/act# show failover 
Failover On 
Failover unit Secondary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL2, Mate JADSERIAL1
Last Failover at: 19:54:29 GMT May 23 2023
	This host: Secondary - Active 
		Active time: 2204 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1): Normal (Not-Monitored)
		  Interface outside (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)
	Other host: Primary - Failed 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)
    1. 关闭并实际移除主防火墙。
    2. 以物理方式添加新的主防火墙并打开其电源。
    3. 现在,新的主防火墙使用默认出厂配置激活。
    4. 启用故障切换链路,no shutdown故障切换物理链路。例如:
    firewall-a/pri/stby#conf t
firewall-a/pri/stby#(config)#interface Port-channel1
firewall-a/pri/stby#(config-if)#no shutdown
firewall-a/pri/stby#(config)#exit
firewall-a/pri/stby#

firewall-b/sec/act#conf t
firewall-b/sec/act#(config)#interface Port-channel1
firewall-b/sec/act#(config-if)#no shutdown
firewall-b/sec/act#(config)#exit
firewall-b/sec/act#
    1. 保存配置.在辅助/活动防火墙上写入内存,并确保启动配置中有故障切换lan设备“secondary”

    示例:

    firewall-b/sec/act# write memory
Building configuration...
Cryptochecksum: ad317407 935a773c 6c5fb66a c5edc342 

64509 bytes copied in 9.290 secs (7167 bytes/sec)
[OK]
firewall-b/sec/act# show start | inc unit
failover lan unit secondary
firewall-b/sec/act#
    1. 配置故障切换命令。
      1. 在辅助/活动防火墙上,必须首先设置failover lan unit primary命令,以确保活动配置从辅助/活动防火墙推送到新的默认配置主要/备用防火墙。例如:
    firewall-b/sec/act# sh run | inc unit
failover lan unit secondary
firewall-b/sec/act#

firewall-b/sec/act#conf t
firewall-b/sec/act#(config)#failover lan unit primary
firewall-b/sec/act#(config)#exit
firewall-b/sec/act# sh run | inc unit
failover lan unit primary
firewall-b/pri/act#

    b. 验证两台设备上的故障切换配置。例如:

    firewall-b/pri/act# sh run | inc fail
failover
failover lan unit primary
failover lan interface sync Port-channel1
failover link sync Port-channel1
failover interface ip sync 10.10.13.9 255.255.255.252 standby 10.10.13.10
no failover wait-disable
firewall-b/pri/act# 

firewall-a/sec/stby# sh run | inc fail
no failover
failover lan unit secondary
failover lan interface sync Port-channel1
failover link sync Port-channel1
failover interface ip sync 10.10.13.9 255.255.255.252 standby 10.10.13.10
no failover wait-disable
firewall-a/sec/stby#
    1. 在新的主防火墙上启用故障切换。例如:
    firewall-a/sec/stby#conf t
firewall-a/sec/stby#(config)#failover
firewall-a/sec/stby#(config)#exit
firewall-a/sec/stby#

firewall-a/sec/stby# sh run | inc fail
failover
firewall-a/sec/stby#
    1. 等待活动配置同步到新设备并验证正确的故障转移状态。例如:
    firewall-b/pri/act# 
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
firewall-b/pri/act# 
firewall-a/sec/stby# 
Beginning configuration replication from mate.
End configuration replication from mate.
firewall-a/sec/stby#
    note-icon

    注意:请注意,主防火墙(firewall-b)将配置发送到辅助防火墙(firewall-a)。请勿在现在的主用/主用防火墙(firewall-b)上写入内存。

    1. 重新加载现在的主用/主用防火墙(firewall-b),使其作为辅助/备用防火墙进行备份。
    firewall-b/pri/act#reload
    1. 在您执行“firewall-b reload”命令(等待15秒)之后,立即切换到新的主防火墙(firewall-a),并输入failover lan unit primary命令,然后输入write memory
    firewall-a/sec/act#conf t
firewall-a/sec/act#(config)#failover lan unit primary
firewall-a/sec/act#(config)#exit
firewall-a/sec/act# sh run | inc unit
failover lan unit primary
firewall-a/pri/act# write memory
Building configuration...
Cryptochecksum: ad317407 935a773c 6c5fb66a c5edc342 

64509 bytes copied in 9.290 secs (7167 bytes/sec)
[OK]
firewall-a/pri/act# show start | inc unit
failover lan unit primary
firewall-a/pri/act#
    1. 等待firewall-b完全启动,然后作为辅助/备用设备加入故障转移对。例如:
    firewall-a/pri/act# 
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
firewall-a/pri/act# 
firewall-b/sec/stby# 
Beginning configuration replication from mate.
End configuration replication from mate.
firewall-b/sec/stby#
    note-icon

    注意:请注意,主防火墙(firewall-a)将配置发送到辅助防火墙(firewall-b)。

    1. 保存配置,在主用/主用上写入内存,并验证新的辅助/备用上的写入内存。例如:
    firewall-a/pri/act#write memory
Building configuration...
Cryptochecksum: ad317407 935a773c 6c5fb66a c5edc342 

64509 bytes copied in 9.290 secs (7167 bytes/sec)
[OK]
firewall-a/pri/act#

firewall-b/sec/stby# 
May 24 2023 15:16:21 firewall-b : %ASA-5-111001: Begin configuration: console writing to memory
May 24 2023 15:16:22 firewall-b : %ASA-5-111004: console end configuration: OK
May 24 2023 15:16:22 firewall-b : %ASA-5-111008: User 'failover' executed the 'write memory' command.
May 24 2023 15:16:22 firewall-b : %ASA-5-111010: User 'failover', running 'N/A' from IP x.x.x.x , executed 'write memory'
firewall-b/sec/stby#
    1. 验证故障转移对在两个防火墙上均处于up/up活动状态。例如:
    firewall-a/pri/act# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL1, Mate JADSERIAL2
Last Failover at: 19:54:29 GMT May 23 2023
	This host: Primary - Active 
		Active time: 71564 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1): Normal (Not-Monitored)
		  Interface outside (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)
	Other host: Secondary - Standby Ready 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)

firewall-b/sec/stby# show failover 
Failover On 
Failover unit Secondary
Failover LAN Interface: sync Port-channel1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 1292 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.12(4)56, Mate 9.12(4)56
Serial Number: Ours JADSERIAL2, Mate JADSERIAL1
Last Failover at: 20:51:27 GMT May 23 2023
	This host: Secondary - Standby Ready 
		Active time: 0 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.2): Normal (Not-Monitored)
		  Interface outside (10.1.1.2): Normal (Not-Monitored)
		  Interface management (10.2.2.2): Normal (Not-Monitored)
	Other host: Primary - Active 
		Active time: 71635 (sec)
		slot 0: FPR-2110 hw/sw rev (49.46/9.12(4)56) status (Up Sys)
		  Interface inside (10.0.0.1: Normal (Not-Monitored)
		  Interface outide (10.1.1.1): Normal (Not-Monitored)
		  Interface management (10.2.2.1): Normal (Not-Monitored)

    修订历史记录

    版本 发布日期 备注
    2.0
    01-Nov-2024
    大多格式化。
    1.0
    21-Jun-2023
    初始版本
    TAC Authored

    由思科工程师提供

    • 罗赫略·桑切斯·努涅斯
      思科TAC工程师

    此文档是否有帮助?

    Feedback反馈

    联系我们

    本文档适用于以下产品