Description: Cisco ASA failover with fixed IPs for the active and standby units
Example: ip address 172.16.1.253 255.255.255.0 standby 172.16.1.252
No matter how many times the active and standby roles switch,
the active unit always uses IP 172.16.1.253 and the standby unit always uses IP 172.16.1.252.
1. Failover configuration
Failover configuration: primary
failover
failover lan unit primary
failover lan interface failover Management0/0
failover replication http
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2
Failover configuration: secondary
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover replication http
failover link failover Management0/0
failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2
2. Network cabling
Connect all ASA interfaces (including the failover interface) to a single switch, separated by VLAN.
3. Checking failover status
ASA5520# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  None
Other host -   Secondary
               Active         None
====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set
ASA5520# failover ?
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force an unit or failover group to an unfailed state
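Added example (not part of the original notes): a Python check, suitable for a monitoring script, that parses `show failover state` output like the capture in section 3 and flags a pair that is not exactly one Active plus one Standby Ready unit with configuration sync done. The function names are hypothetical, the sample text is constructed from the output on this page, and only the two states shown here are treated as healthy.

```python
import re

# Constructed sample: the "show failover state" output from section 3.
SAMPLE = """\
State Last Failure Reason Date/Time
This host - Primary
Standby Ready None
Other host - Secondary
Active None
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
"""

HOST_RE = re.compile(r"^(This|Other) host\s*-\s*(Primary|Secondary)$")
# Assumption: only the two states shown on this page count as healthy.
HEALTHY_RE = re.compile(r"^(Standby Ready|Active)\s+(.*)$")

def parse_failover_state(text):
    """Parse the output into per-host role/state plus the config sync line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    parsed = {"config_sync": None}
    for i, ln in enumerate(lines[:-1]):
        nxt = lines[i + 1]
        host = HOST_RE.match(ln)
        if host:
            st = HEALTHY_RE.match(nxt)
            parsed[host.group(1).lower()] = {
                "unit": host.group(2),
                # None means "not a healthy state"; the raw line is kept.
                "state": st.group(1) if st else None,
                "last_failure": st.group(2).strip() if st else nxt,
            }
        elif "Configuration State" in ln:
            parsed["config_sync"] = nxt
    return parsed

def pair_problems(parsed):
    """Return a list of findings; an empty list means the pair looks healthy."""
    problems = []
    states = sorted(str(parsed.get(h, {}).get("state")) for h in ("this", "other"))
    if states != ["Active", "Standby Ready"]:
        problems.append(f"expected one Active and one Standby Ready, got {states}")
    if not (parsed["config_sync"] or "").startswith("Sync Done"):
        problems.append(f"configuration not in sync: {parsed['config_sync']!r}")
    return problems

if __name__ == "__main__":
    print(pair_problems(parse_failover_state(SAMPLE)))              # healthy pair
    print(pair_problems(parse_failover_state(
        SAMPLE.replace("Standby Ready", "Active"))))                # both Active
```

Run it against the output collected from either unit; two units both reporting Active, or a missing "Sync Done" line, is worth alerting on before relying on the pair for a switchover.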
4. Switching Active / Standby
ASA5520# failover active (log in to the standby unit; this switches it from standby to active)
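5. NAT-T
Symptom: after connecting to the internal network over IPsec VPN, no devices can be reached. This is a NAT-T problem;
the Cisco ASA needs the following command: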
crypto isakmp nat-traversal