Cisco firepower 2140 run ASA and config failover

1 背景

在这里插入图片描述 here we got 2 cisco firepower 2140 hardware appliance
we’re planning to run ASA on it. and config failover for Primary Unit and Secondary Unit
现场2台Cisco firepower 2140防火墙，运行ASA模式，双机组HA，心跳线使用E1/11, E1/12, 配置port-channel

先看看FPR2140物理外观长啥样？

在这里插入图片描述

左上角的是管理口
左下角是console
然后就是数据接口了，12个千兆电口，4个万兆SFP+,另外最右侧还有个扩展卡，可以插万兆的SFP+子卡。
在这里插入图片描述

** 话说怎么管理FPR2140 ？

FPR2140面板 左上角的那个电口就是管理口，而FDM和里面跑的ASA的管理都是复用这一个管理接口
而FPR4000系列就有所不同，FXOS的管理是面板上的，ASA的管理是需要使用另外的接口。

那么这2个管理IP有啥要求？
这2个IP必须是在同一网段。

怎么设置管理口IP

以管理IP为10.248.1.211/24 ，网关为10.248.1.254为例

firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # disable dhcp-server
firepower-2110 /system/services* # commit-bufferfirepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # 
firepower-2110 /fabric-interconnect # set out-of-band static ip 10.248.1.211 netmask 255.255.255.0 10.248.1.254
Warning: When committed, this change may disconnect the current CLI session
firepower-2110 /fabric-interconnect # commit-buffer

配置完成后，查看生效的管理IP

firepower-2140 /fabric-interconnect # showFire Power:ID   OOB IP Addr     OOB Netmask     OOB Gateway     OOB IPv6 Address Prefix OOB IPv6 Gateway Operability---- --------------- --------------- --------------- ---------------- ------ ---------------- -----------A    10.248.1.211   255.255.255.0    10.248.1.254   ::               64     ::               Operable
firepower-2140 /fabric-interconnect #

配置完成后，就可以网页 https://10.248.1.211打开GUI界面了

2 配置步骤

2.1创建互联的port-channel

FPR2100系列在ASA里面可创建不了port-channel，ASA上根本没这命令，奇葩吧
需要在FPR2100的FDM管理页面上创建（FDM全称： Firepower Device Manager, 即firepower自带的管理平台）
长这个样子
在这里插入图片描述

2.1.1 interfaces —> Add Portchannel
在这里插入图片描述

2.1.2 指定ID及接口
在这里插入图片描述

另一台FPR2140也同样操作配置port-channel

2.2 进入ASA

firepower-2140# conn asa 
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FW-2140-1/pri/act#

2.3 查看port-channel接口

FW-2140-1/pri/act# show int ip brief
Interface                  IP-Address      OK?           Method Status      Protocol
Internal-Data0/1           unassigned      YES           unset  up          up  
Port-channel10           unassigned      YES           unset  up          up         !!!!!这就是刚才创建的接口
Ethernet1/1                unassigned      YES           unset  down        down
Ethernet1/2                unassigned      YES           unset  down        down
Ethernet1/3                unassigned      YES           unset  admin down  down
Ethernet1/4                unassigned      YES           unset  admin down  down
Ethernet1/5                unassigned      YES           unset  admin down  down
Ethernet1/6                unassigned      YES           unset  admin down  down
Ethernet1/7                unassigned      YES           unset  down        down
Ethernet1/8                unassigned      YES           unset  down        down
Ethernet1/9                unassigned      YES           unset  down        down
Ethernet1/10               unassigned      YES           unset  down        down
Ethernet1/11               unassigned      unassociated  unset  down        down
Ethernet1/12               unassigned      unassociated  unset  down        down
Ethernet1/13               unassigned      unassociated  unset  down        down
Ethernet1/14               unassigned      unassociated  unset  down        down
Ethernet1/15               unassigned      YES           unset  down        down
Ethernet1/16               unassigned      YES           unset  down        down
Internal-Data1/1           169.254.1.1     YES           unset  up          up  
Management1/1              192.168.45.1    YES           CONFIG up          up

2.4 ASA配置Failover

上面在物理层面已经创建好了用于心跳的port-channel接口
（当然心跳只用单个接口也是可以的，使用port-channel只是为了有链路冗余）

打开failover功能
定义物理角色（primary or secondary)
指定Failover心跳使用port-channel 10这个接口
指定Failover状态化同步使用port-channel 10这个接口
配置心跳IP

2.2.1 第1台ASA配置failover

failover
failover lan unit primary    //角角为primary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2

2.2.2 第2台ASA配置failover

failover
failover lan unit secondary    //角角为secondary
failover lan interface FO Port-channel10
failover link FO Port-channel10
failover interface ip FO 100.64.1.1 255.255.255.0 standby 100.64.1.2

第2台ASA配置完成后，马上弹出提示，检测到1台Active的ASA，要开始同步配置

ciscoasa(config)# .Detected an Active mate
Configuration between unit doesn't match. Going for config sync.Beginning configuration replication from mate.
WARNING: Disabling auto import may affect Smart Licensing
/bin/sh: /asa/scripts/coredump_ops.sh: No such file or directory
livecore enabled
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...Trustpoint CA certificate accepted.
Creating trustpoint "_SmartCallHome_ServerCA2" and installing certificate...Trustpoint CA certificate accepted.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
INFO: object-group-search on access-control is already disabled
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
WARNING: Trustpoint _SmartCallHome_ServerCA2 is already authenticated.
End configuration replication from mate.

同步完成后，Check failover status
正常情况下，2台墙的角色分别为Active ， Standby

FW-2140-1/pri/act# show failover 
Failover On 
Failover unit Primary
Failover LAN Interface: FO Port-channel10 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 1293 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.18(3)56, Mate 9.18(3)56
Serial Number: Ours JAD224809ZQ, Mate JAD22460JVP
Last Failover at: 11:04:55 CST Mar 22 2024This host: Primary - Active Active time: 173202 (sec)slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)Interface management (192.168.45.1): Normal (Waiting)Interface outside (0.0.0.0): No Link (Waiting)Interface inside (10.30.255.4): No Link (Not-Monitored)Interface outside-dmz-ds (10.30.252.23): No Link (Not-Monitored)Other host: Secondary - Standby Ready Active time: 0 (sec)slot 0: FPR-2140 hw/sw rev (1.3/9.18(3)56) status (Up Sys)Interface management (0.0.0.0): Normal (Waiting)Interface outside (0.0.0.0): No Link (Waiting)Interface inside (10.30.255.5): Normal (Not-Monitored)Interface outside-dmz-ds (10.30.252.24): Normal (Not-Monitored)