Proxmox HA Cluster: As the name implies, this allows the cluster to ‘restart’ failed virtual machines on another host in the cluster in the event of a host failure. Unlike VMware (which has a vCenter appliance to do this), in Proxmox it can be configured from any host. That may seem like an advantage, but the GUI can get a little ‘clunky’ whilst configuring HA.
Proxmox uses ‘quorum based’ or ‘majority node’ clustering. If you’ve ever done clustering on Microsoft SQL or with Hyper-V, or set up a Microsoft Exchange DAG, this should be a familiar concept. In those cases you needed a ‘witness’ if there were only two nodes in the cluster (to have the extra ‘vote’ in a failure scenario). That does not mean you cannot have a TWO NODE cluster in Proxmox, but it does mean that if the nodes lose sight of each other, the hosts will continue to function but only in read-only mode (to avoid a split-brain scenario). The only way to rectify that is to manually give a host an additional vote with the following command.
[box]
pvecm expected 1
[/box]
You can also have a ‘witness node’, which would be another machine running corosync-qdevice, but that’s outside the scope of this article.
So aim for a cluster of at least THREE NODES, to keep things simple.
Solution: Proxmox HA Cluster
Proxmox HA Cluster Prerequisites
1. Proxmox VE hosts built (with Static IP addresses)
5. Optional: A dedicated NIC for replication, for small deployment this is not necessary.
Creating a Proxmox HA Cluster
Log onto your first host, Datacenter > Cluster > Create Cluster > Give the cluster a name > Create.
Clunky alert! We are waiting for it to say TASK OK, which it will say quite quickly, but in the background it replaced the digital certificate that was being used for the very web session you are using! So if you don’t want to stare at this screen for ages wondering what is going on, have a cup of coffee, then hit ‘refresh’ and log back in again.
Whilst in the Cluster section > Join Information > Copy Information.
Proceed to your SECOND HOST > Datacenter > Cluster > Join Cluster > Paste in the information from the previous step > Enter the root password for the first host > Join HA Cluster. Again things can get a bit clunky; I prefer to have a management window open to host 1 so I can see what’s happening.
Again it will look like it’s ‘hung’ > Wait a while and hit refresh.
Now we have a two node cluster.
Repeat those steps to add a third host.
Adding Shared Storage Proxmox HA Cluster
This is all being done in my test lab, so I’ve simply created an NFS share on a Windows Server to present as shared storage. Datacenter > Storage > Add > NFS > Add the relevant information (ENSURE you select both Disk image AND ISO image) > Add.
Adding a VM to Proxmox HA Cluster
First we need a VM, (if you already have one skip this step) Right click a host > Create VM.
Give the VM a name > Next > Select the datastore > Select the ISO* > Set the guest OS type > Next > Select your datastore again (twice) > Bus Device set to IDE** > Next
*Note: If you can’t see your ISO file, make sure it’s in the //nfs-root/template/iso folder!
**Note: If you want SCSI then read the following article.
Set the number of sockets and cores > Next > Set the amount of vRAM > Next > Select network requirements > Next > Finish.
Allow HA on a Proxmox VM
Once we have a VM created, then to protect it with HA > Datacenter > HA > Add > Select VM > Add.
Once its status reads ‘Started’ it will be protected.
Testing Proxmox HA Cluster
As you can see (above) my Windows VM is running on host 1, I’m going to simulate a failure of this host (by disconnecting its network card). As you can see the constant ping I have running to that VM begins to fail.
But after a while the VM is restarted on host 2 and my pings start getting replies. Remember folks: on Windows you need to allow ICMP through the firewall, or it won’t respond at all!
Proxmox HA Cluster ‘HA Groups’
The final thing to be aware of is ‘HA Groups’, which you can use to enforce certain rules on hosts and guest VMs. Datacenter > HA > Groups > Create > Give the group a name.
Restricted: Think of this like a VMware affinity rule; you can define which hosts a virtual machine ‘can’ run on. Nofailback: If there is no requirement for VMs to return to the original node they resided on, then select this option.
Then to add VMs to the HA Group > Datacenter > HA > Add > Select the VM and THEN SELECT THE HA-GROUP.
Here you can see I restricted the two VMs to hosts 2 and 3 and they have been migrated accordingly.
Related Articles, References, Credits, or External Links
Cisco HSRP: Normally your client machines have one route off the network (their default gateway). But what if that goes down? HSRP aims to solve this problem by assigning a ‘virtual IP address’ to your default gateway (or default route), so that IP can be shared amongst two or more possible devices (routers, or layer 3 switches).
Above, we have a client 192.168.1.10 that has two possible routes off the network (.254 and .253). We will set up a virtual IP of .250 and both routers can use that IP (whichever one is the active gateway). Below is a brief overview of how to set it up.
Deploy Cisco HSRP
Setting up Cisco HSRP
1. On the first router (Router0), add the standby IP address (192.168.1.250); the ‘1’ denotes the standby group (a number from 0 to 4096). It comes up as standby, then after it has checked (via multicast address 224.0.0.2 on UDP port 1985) and found no other live HSRP devices using that IP address, it becomes ‘Active’.
[box]
Router0>enable
Router0#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 ip 192.168.1.250
Router0(config-if)#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
Router0(config-if)#
[/box]
2. Repeat this on the second router; this one discovers the ‘Active’ router and sets itself up as ‘Standby’.
[box]
Router1>
Router1>enable
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 ip 192.168.1.250
Router1(config-if)#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby
Router1(config-if)#
[/box]
3. You can prove this by running show standby (or do show standby from configure terminal mode).
[box]
Router0
Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
8 state changes, last state change 00:02:02
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.055 secs
Preemption disabled
Active router is local
Standby router is 192.168.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router0#
Router1
Router1#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Standby
3 state changes, last state change 00:10:44
Virtual IP address is 192.168.1.250
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.125 secs
Preemption disabled
Active router is 192.168.1.254
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router1#
[/box]
4. That is HSRP configured! However, there are a few changes you might want to make. For example, what if one router had a 100MB leased line and the other a 2MB ADSL line? You would want the fastest one to be in use (as long as it was up). To achieve that, give the router with the fastest connection a higher priority (you may notice above that by default the priority is 100). Be aware that even if a router has the highest priority, it won’t ‘seize’ the virtual IP; it just sits and waits until it’s available. For our 100MB and 2MB example that’s not good. We would want Router1 to seize the virtual IP as soon as it can. To do that we need to set it to preempt. (Note: This process is called ‘launching a coup’.)
5. At this point it’s important to say that in our scenario we would also need to set up a virtual IP for the ‘other side’ of the routers (i.e. their GigabitEthernet 0/1 interfaces), or the remote client (172.16.1.10) would not be able to return our ‘pings’ or get any traffic back to us. So let’s set up a virtual HSRP address on that side as well. Notice I just use another standby group number.
Note: For this to work the remote host 172.16.1.10 will need its default gateway changing to the HSRP virtual IP of 172.16.1.250.
[box]
Router0
Router0(config)#interface GigabitEthernet0/1
Router0(config-if)#standby 2 ip 172.16.1.250
Router0(config-if)#
Router1
Router1(config)#interface GigabitEthernet0/1
Router1(config-if)#standby 2 ip 172.16.1.250
Router1(config-if)#
[/box]
6. Finally, we have set Router0 with the highest priority and set it to seize the virtual IP as soon as it can. But what if another interface on Router1 goes down? e.g. If the GigabitEthernet 0/1 interface were to go down, HSRP would not do anything, because it is only watching the GigabitEthernet 0/0 interfaces (on both routers), so communications would fail.
To solve the problem we need to tell it which interfaces to ‘track’. In our example we need to track GigabitEthernet 0/1; if that goes down we need to give the virtual IP address to the standby router. This works because once we tell it to ‘track’ the GigabitEthernet 0/1 interface, if that were to fail it will DECREMENT the router’s priority by 10. So for Router0 its priority would drop to 95, which is five less than the default value of 100 (on Router1). But remember, at the moment that fail-over would still fail, unless you allow Router1 to preempt and launch a coup.
7. We can see that by running ‘show standby’ on Router0.
[box]
Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
7 state changes, last state change 00:00:31
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.81 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.253, priority 115 (expires in 7 sec)
Priority 115 (configured 115)
Track interface GigabitEthernet0/1 state Up decrement 10
Group name is hsrp-Gig0/0-1 (default)
GigabitEthernet0/1 - Group 2 (version 2)
State is Active
6 state changes, last state change 00:00:28
Virtual IP address is 172.16.1.250
Active virtual MAC address is 0000.0C9F.F002
Local virtual MAC address is 0000.0C9F.F002 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.81 secs
Preemption disabled
Active router is local
Standby router is 172.16.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/1-2 (default)
Router0#
[/box]
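The full configuration on both routers that produces the state shown in step 7, as an added example rather than a box from the original article. The interface addresses follow the diagram (.254 on Router0, .253 on Router1, on both sides); the subnet masks, the decrement of 20 and the authentication key string are my assumptions. The decrement is 20 rather than the 10 shown above because 115 minus 10 is 105, which is still higher than Router1’s 100, so Router1 would never take over; 115 minus 20 gives the 95 quoted in step 6.

```cisco
! ===== Router0: the preferred gateway (fast line) =====
! Priority 115 beats Router1's default of 100, preempt lets Router0 take the
! VIP back as soon as it is healthy again, and tracking the far-side interface
! drops the priority to 95 (115 - 20) if Gi0/1 goes down, which is below 100.
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.250
 standby 1 priority 115
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 20
 ! Only routers holding this key can take part in group 1, so a rogue host on
 ! the LAN cannot announce itself as a higher-priority gateway (placeholder key).
 standby 1 authentication md5 key-string CHANGEME-HSRP-KEY
!
! Same idea on the far side (group 2), tracking the LAN-facing interface so
! the return path for 172.16.1.10 moves together with the outbound one.
interface GigabitEthernet0/1
 ip address 172.16.1.254 255.255.255.0
 standby version 2
 standby 2 ip 172.16.1.250
 standby 2 priority 115
 standby 2 preempt
 standby 2 track GigabitEthernet0/0 20
 standby 2 authentication md5 key-string CHANGEME-HSRP-KEY
!
! ===== Router1: the backup gateway (slow line) =====
! Default priority 100, but it MUST be allowed to preempt, otherwise it stays
! Standby even after Router0's tracked priority has fallen to 95.
interface GigabitEthernet0/0
 ip address 192.168.1.253 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.250
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGEME-HSRP-KEY
!
interface GigabitEthernet0/1
 ip address 172.16.1.253 255.255.255.0
 standby version 2
 standby 2 ip 172.16.1.250
 standby 2 preempt
 standby 2 authentication md5 key-string CHANGEME-HSRP-KEY
```

After applying it, ‘show standby brief’ on each router gives a one-line-per-group view of priority, preemption and which router is active, which is quicker to read than the full output above when checking a failover.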
One great new feature of Windows Server 2012 is built-in network ‘teaming’. Doing this normally takes some third-party software, either from the server vendor (HP Teaming) or from the NIC manufacturer.
It utilises a new Windows feature called LBFO (Load Balancing and Failover), which lets you both aggregate links and keep links available in the event of a failure.
Note: NIC Teaming only supports up to 32 network cards.
Solution
1. Launch Server Manager > All Servers > Select the server you want to create a team on > Right click > Configure NIC Teaming.
2. Select the NICs you want to add to the team > Right Click > Add to New Team.
3. Give the Team a name > OK.
Note: By default ‘Switch Independent’ will be selected; this is probably what you want (see below) > OK.
Windows Server 2012 NIC Teaming Modes
Static Teaming: Requires configuration on the switch, which must be configured for IEEE 802.3ad (draft v1).
Switch Independent: Generally requires no switch configuration and can be connected to multiple switches.
LACP: Requires configuration on the switch, which must be configured for IEEE 802.1ax, and support LACP. Note: On a Cisco Catalyst this would be a port-channel, on an HP Networking switch this would be called an LACP trunk.
4. Now if you look under ‘Network Connections’ you will see a new one with the name you created.
5. Configure this new Teamed NIC, and simply treat it as a single network card.
Configure Teaming via PowerShell
To do the same as we did above, use the following command:
[box]
New-NetLbfoTeam -Name TEAM -TeamMembers NIC1,NIC2,NIC3,NIC4 -TeamingMode SwitchIndependent
[/box]
This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.
Where we are at the start.
Where we want to be
Solution
Before you go any further, the ASA that will have the backup ISP line needs a Security Plus licence or it is not going to work.
[box]
PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#
[/box]
2. In a ‘failed over’ state your traffic needs to be NATed to the backup interface, so set that up, then add a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be ‘tracked’ based on an SLA we will configure in a minute.
[box]
Configure NAT for a firewall running an OS NEWER than 8.3
PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
PetesASA(config-network-object)# nat (inside,backup) dynamic interface
Configure NAT for a firewall running an OS OLDER than 8.3
PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool
Configure the Routes
PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2
[/box]
3. Now we are going to set up a new SLA that maintains connectivity to an IP address (in this case 4.2.2.2, via ICMP), then we are going to tie that SLA to ‘track 1’ (which you will remember is what keeps the default route on the primary ISP); if that route fails, it swaps to the backup route.
[box]
PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#
[/box]
4. Any port forwarding being done on the outside interface needs a mirror entry for the backup interface, and will also need matching ACLs.
5. Let’s test it. Issue a ‘show route’ command, then disconnect your primary ISP and issue another ‘show route’ command; it should have failed over like so:
[box]
PetesASA(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 123.123.123.124 to network 0.0.0.0
C 234.234.234.0 255.255.255.248 is directly connected, backup
C 123.123.123.0 255.255.255.240 is directly connected, outside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
PetesASA(config)#
Now Disconnect the Primary line
PetesASA(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 234.234.234.235 to network 0.0.0.0
C 234.234.234.0 255.255.255.248 is directly connected, backup
C 10.0.0.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
PetesASA(config)#
[/box]
6. To enable this firewall to accept the existing VPN on its backup interface, you need to add the backup interface to that crypto map (issue a ‘show run crypto’ if you’re unsure). Then you need to enable ISAKMP on the backup interface.
[box]
PetesASA(config)# wr mem
Building configuration...
Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
10220 bytes copied in 3.740 secs (3406 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Change the ASA at the Remote VPN Site
1. Connect to the firewall at the remote site and find the crypto map that points to the main site (show run crypto). Find the entry pointing to the IP at the main site, then add the new IP address as an alternate peer address.
[box]
RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234
[/box]
2. Then create a tunnel group for the new backup address with the same shared secret as the tunnel group for the primary IP.
[box]
RemoteSite(config-tunnel-ipsec)#write mem
Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#
[/box]
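A worked configuration for steps 4 and 6 at the main site and steps 1 and 2 at the remote site, as an added example rather than the article’s own boxes. The public addresses are the ones used throughout this article; the internal web server 10.0.0.10, the object and ACL names and the pre-shared key placeholder are my assumptions, and the syntax is the post-8.3 form (the older equivalents are noted in comments).

```cisco
! ===== Main site (PetesASA), OS 8.3 or newer =====
! Step 4: the port forward that exists on 'outside' needs a twin on 'backup'.
! Two objects for the same host, one static PAT per ISP interface.
object network WEB-SRV-OUTSIDE
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 443
object network WEB-SRV-BACKUP
 host 10.0.0.10
 nat (inside,backup) static interface service tcp 443 443
!
! The ACL on 'backup' must be as tight as the one on 'outside': permit only the
! forwarded service to the real host (post-8.3 ACLs reference the real address),
! so a failover does not silently open anything wider on the second ISP.
access-list outside_access_in extended permit tcp any object WEB-SRV-OUTSIDE eq 443
access-list backup_access_in extended permit tcp any object WEB-SRV-BACKUP eq 443
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
!
! Step 6: bind the existing crypto map to the backup interface as well and
! allow IKE there. On 8.3 and older the second line is 'crypto isakmp enable backup'.
crypto map outside_map interface backup
crypto ikev1 enable backup
!
! ===== Remote site =====
! Step 1: both main-site addresses as peers on the existing crypto map entry.
crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234
!
! Step 2: a tunnel group for the backup peer address with the SAME pre-shared
! key as the primary one, otherwise phase 1 to 234.234.234.234 fails after the
! peer switch. (On 8.3 and older the key line is 'pre-shared-key ...'.)
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
 ikev1 pre-shared-key SAME-PSK-AS-PRIMARY-PLACEHOLDER
```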
To test that the VPN fails over, at the remote site issue a ‘show cry isa’ command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue the ‘show cry isa’ command; it should have flipped over.
[box]
Failover-FWall# show cry isa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Now Disconnect the Primary line at the Main site
Failover-FWall# show cry isa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
[/box]
You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime.
Before we start, we need to make sure we know the difference between primary, secondary, active and standby.
From the rear (Active=Green, Standby=Amber)
The Primary and Secondary firewalls are physical firewalls, the primary will always be the primary, and the secondary will always be the secondary. (Unless you manually change the configuration to force things otherwise!).
The Active firewall is the firewall that’s passing traffic and in operation, and the Standby firewall sits waiting to take over; each physical firewall can be either active or standby.
Solution
To get updates from Cisco you need to have a valid support agreement for your firewalls and a Cisco CCO account to log in with.
In this example, I’m going to upgrade both the firewalls from 8.4(5) to 9.1(1), and the ASDM from version 7.1(1) to 7.1(1)-52. When we start, the primary firewall is the active firewall.
In the past I’ve upgraded from 8.2(5) to 8.4(5), and (here) 8.4(5) to 9.1(1). I’ve never had a problem; HOWEVER, DO NOT ATTEMPT an upgrade until you have a good backup of the config.
1. First you need to upload the software to the flash memory on BOTH firewalls; you can either connect to the ASA via the command line and TFTP them there, or connect to the ASDM and upload them from your PC/laptop. If you have an AnyConnect XML profile, take a backup of that also (I’ve seen them disappear).
[box]
UPLOAD THE OPERATING SYSTEM
Petes-ASA> enable
Password:*********
Petes-ASA#copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asa911-k8.bin
Destination filename [disk0]? asa911-k8.bin
Accessing tftp://10.1.0.127/asa911-k8.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asa911-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27260928 bytes copied in 49.250 secs (556345 bytes/sec)
UPLOAD THE ASDM SOFTWARE
Petes-ASA#copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asdm-711-52.bin
Destination filename [disk0]? asdm-711-52.bin
Accessing tftp://10.1.0.127/asdm-711-52.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asdm-711-52.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
17790720 bytes copied in 32.200 secs (555960 bytes/sec)
[/box]
Upload via ASDM
Connect to the ASDM > Tools > File Management > File Transfer > Between Local PC and Flash > Navigate to the file(s) on your local machine > Upload.
REMEMBER TO DO THIS FOR BOTH FIREWALLS!
Note: You can copy the file to the standby firewall’s flash memory from the primary firewall using the following syntax (though I usually just swap the console cable over!).
2. On the primary active firewall, set the new OS as the default. Below I check to see which file the ASA will boot from, then I change it to the new one, and finally I remove the link to the old file. You don’t need to carry out the last step, but I like to leave things tidy.
[box]
Petes-ASA# show running-config boot system
boot system disk0:/asa845-k8.bin
Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# no boot system disk0:/asa845-k8.bin
Petes-ASA# show running-config boot system
boot system disk0:/asa911-k8.bin
[/box]
3. If you are also upgrading the ASDM, you need to set the new one as the default image.
[box]
Petes-ASA(config)# asdm image disk0:/asdm-711-52.bin
Petes-ASA(config)# show run asdm image
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[/box]
4. Save the changes.
[box]
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: e150e036 036082e0 6d054a3d 1c7fd9fa
16257 bytes copied in 3.350 secs (5419 bytes/sec) [OK]
[/box]
5. Whilst still on the primary active firewall, you need to reboot the secondary standby firewall with the following command:
[box]
Petes-ASA(config)# failover reload-standby
YOU MAY SEE A WARNING LIKE THE FOLLOWING - THIS IS OK
************WARNING****WARNING****WARNING********************************
Mate version 9.1(1) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate. End Configuration Replication to mate
Petes-ASA(config)#
[/box]
6. This may take a little while; remember it has to reboot, and depending on the version you are upgrading to, it may need to change some of the config, i.e. in this case, upgrading past 8.3 (and newer), all the NAT rules need to be changed. You can check to see if it’s back online by issuing a ‘show failover’ command (whilst still on the primary firewall). You will know when the secondary firewall is up and ready as you will see ‘Secondary - Standby Ready’.
Note: If you can see the status lights on the standby firewall watch for them to be green,green,amber,green,off (ASA5510).
Warning: Due to the limitations of HTML, your output will be formatted a little differently, you will see the output displayed like this, but the text is the same.
[box]
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 3 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(5), Mate 9.1(1)
Last Failover at: 13:25:54 GMT/BST Dec 6 2012
        This host: Primary - Active
                Active time: 350 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
                  Interface outside (123.123.123.123): Normal (Monitored)
                  Interface inside (10.0.0.254): Normal (Monitored)
                  Interface backup (234.234.234.235): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.2.1599.0) status (Up/Up)
                  Logging port IP: 10.0.0.252/24
                  CSC SSM, 6.2.1599.0, Up
        Other host: Secondary - Standby Ready   <<<<<< Here we go!
                Active time: 326 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                  Interface outside (123.123.123.124): Normal (Monitored)
                  Interface inside (10.0.0.249): Normal (Monitored)
                  Interface backup (234.234.234.234): Normal (Monitored)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.3.1172.0) status (Up/Up)
                  Logging port IP: 10.0.0.248/24
                  CSC SSM, 6.3.1172.0, Up

Stateful Failover Logical Update Statistics
        Link : failover Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1709       0          491        49
        sys cmd         58         0          58         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        896        0          244        48
        UDP conn        280        0          45         1
        ARP tbl         474        0          141        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          1          0
        VPN IKEv1 P2    1          0          1          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          1          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       24      2101
        Xmit Q:         0       1       2311
Petes-ASA(config)#
[/box]
7. Now you need to force a failover to the secondary firewall (again, do this on the primary active firewall).
[box]
Petes-ASA(config)# no failover active
Petes-ASA(config)#
Switching to Standby
[/box]
8. Now reboot the primary firewall; it should boot to its new operating system.
[box]
Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
[/box]
9. Once complete, log back in and you can make the primary firewall active once more.
[box]
Petes-ASA>
Detected an Active mate
Beginning configuration replication from mate.
Petes-ASA>
End configuration replication from mate.
Petes-ASA> en
Password:*********
Petes-ASA# configure terminal
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.
Petes-ASA(config)# failover active
Switching to Active
[/box]