Running BGP on ASAv in a Failover Configuration
According to the ASA Border Gateway Protocol Configuration Example, Cisco ASA supports BGP from OS version 9.2.1 onward.
This document describes the steps required to enable Border Gateway Protocol (BGP) (eBGP/iBGP) routing, establish a BGP routing process, configure general BGP parameters, route-filtering on an Adaptive Security Appliance (ASA), and troubleshoot neighborship related issues. This feature was introduced in ASA Software Version 9.2.1.
So this time I will put two ASAv units into an Active/Standby Failover (HA) configuration and then run BGP on top of it.
Topology
The following setup is used for this test.
| Device | Platform | Version |
| --- | --- | --- |
| R1 | IOSv | 15.5(2)T |
| FW1 | ASAv | 9.3(2)200 |
| FW2 | ASAv | 9.3(2)200 |
R1 configuration
R1 is pre-configured as follows.
```
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname IOSv
!
clock timezone JST 9 0
!
no ip domain lookup
!
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
router bgp 65001
 bgp router-id 172.16.1.1
 network 192.168.1.0
 neighbor 172.16.1.2 remote-as 65002
!
end
```
ASAv Failover configuration
Now configure Failover on the ASAv units.
Configuration on FW1
Enter the Failover configuration on FW1.
```
interface GigabitEthernet 0/2
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.168.23.2 255.255.255.0 standby 192.168.23.3
failover
!
end
```
Configuration on FW2
Next, enter the Failover configuration on FW2. It is essentially the same as on FW1; only the `failover lan unit [primary | secondary]` line differs between the Active and Standby units.
```
interface GigabitEthernet 0/2
 no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.168.23.2 255.255.255.0 standby 192.168.23.3
failover
!
end
```
Log output on FW1
Once Failover was formed, FW1 printed the following log.
```
ciscoasa#
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
```
Log output on FW2
FW2 printed the following log.
```
ciscoasa#
Detected an Active mate
Beginning configuration replication from mate.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.
```
Checking the state on FW1
`show failover state` shows the Failover state. The output shows that this device's priority is Primary and that its current state is Active.
```
ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===

====VM Properties Compatibility===
vCPUs      - This host:    1
             Other host:   1
Memory     - This host:    2048 Mhz
             Other host:   2048 Mhz
Interfaces - This host:    3
             Other host:   3
```
Checking the state on FW2
FW2's priority is Secondary, and as a result it is in the Standby state.
```
ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===

====VM Properties Compatibility===
vCPUs      - This host:    1
             Other host:   1
Memory     - This host:    2048 Mhz
             Other host:   2048 Mhz
Interfaces - This host:    3
             Other host:   3
```
Configuration on the Active FW
ASAs in a Failover pair synchronize and share their configuration. The hostname and IP addresses are shared by both ASAs, but only the Active unit answers on those addresses, so no address conflict occurs. Configuration is synchronized from Active to Standby only, never in the reverse direction (Standby to Active). Consequently, attempting to change the configuration on the Standby unit produces the following warning.
```
ASAv/pri/stby# configure terminal
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
ASAv/pri/stby(config)#
```
Enter the address settings and so on needed for this test on the Active ASA (FW1 is Active here, and the rest of this post assumes the configuration was entered on it).
```
hostname ASAv
!
interface GigabitEthernet 0/0
 nameif OUTSIDE
 ip address 172.16.1.2 255.255.255.0 standby 172.16.1.3
 no shutdown
!
interface GigabitEthernet 0/1
 nameif INSIDE
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.3
 no shutdown
!
interface GigabitEthernet 0/2
 no shutdown
!
no pager
!
prompt hostname priority state
!
end
```
Because even the hostname is shared by the two ASAs, it can become hard to tell which unit you are currently logged in to. In that case, configure `prompt hostname priority state` so that the prompt shows not only the hostname but also the priority and the state.
| Device | Prompt | Hostname | Priority | State |
| --- | --- | --- | --- | --- |
| FW1 | ASAv/pri/act# | ASAv | Primary | Active |
| FW2 | ASAv/sec/stby# | ASAv | Secondary | Standby |
To swap Active and Standby, run `failover active` on the unit that is currently Standby. Let's actually run it on FW2.
```
ASAv/sec/stby# failover active
Switching to Active
ASAv/sec/act#
```
FW1 displayed the following.
```
ASAv/pri/act#
Switching to Standby
ASAv/pri/stby#
```
The prompts changed as follows.
| Device | Prompt | Hostname | Priority | State |
| --- | --- | --- | --- | --- |
| FW1 | ASAv/pri/stby# | ASAv | Primary | Standby |
| FW2 | ASAv/sec/act# | ASAv | Secondary | Active |
Configuring BGP on ASAv
Now configure BGP on the ASAv. On Cisco IOS you can apply a route-map that does not exist yet (is undefined) to a BGP peer first and define the route-map afterwards. On the ASA, however, applying an undefined route-map to a BGP peer is rejected with the following error, so the route-map must always be defined before it is applied to the BGP peer.
```
ASAv/pri/act# configure terminal
ASAv/pri/act(config)# router bgp 65002
ASAv/pri/act(config-router)# address-family ipv4 unicast
ASAv/pri/act(config-router-af)# neighbor 172.16.1.1 route-map NOT-EXIST in
ERROR: Could not find route-map NOT-EXIST
```
Let's configure BGP on the ASAv.
```
route-map MED-100 permit 10
 set metric 100
!
route-map MED-200 permit 10
 set metric 200
!
router bgp 65002
 address-family ipv4 unicast
  neighbor 172.16.1.1 remote-as 65001
  neighbor 172.16.1.1 route-map MED-100 in
  neighbor 172.16.1.1 route-map MED-200 out
  network 192.168.2.0
!
end
```
Checking the state on ASAv
Example output of `show bgp summary`:
```
ASAv/pri/act# show bgp summary
BGP router identifier 192.168.2.2, local AS number 65002
BGP table version is 3, main routing table version 3
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory
3/2 BGP path/bestpath attribute entries using 624 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1208 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.1.1      4        65001     103      90        3    0    0 01:31:57        1
```
Example output of `show bgp`:
```
ASAv/pri/act# show bgp
BGP table version is 3, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.1.0      172.16.1.1             100             0 65001 i
 *>  192.168.2.0      0.0.0.0                  0         32768 i
```
Example output of `show bgp neighbors`:
```
ASAv/pri/act# show bgp neighbors 172.16.1.1
BGP neighbor is 172.16.1.1,  context single_vf,  remote AS 65001, external link
  BGP version 4, remote router ID 172.16.1.1
  BGP state = Established, up for 01:33:34
  Last read 00:00:04, last write 00:00:54, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                4          3
    Keepalives:            85        101
    Route Refresh:          1          0
    Total:                 91        105
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 172.16.1.1
  BGP table version 3, neighbor version 3/0
  Output queue size : 0
  Index 2
  2 update-group member
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is MED-100
  Route map for outgoing advertisements is MED-200
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1          1 (Consumes 80 bytes)
    Prefixes Total:                 1          2
    Implicit Withdraw:              0          1
    Explicit Withdraw:              1          0
    Used as bestpath:             n/a          1
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Bestpath from this peer:              1        n/a
    Total:                                1          0
  Number of NLRIs in the update sent: max 1, min 0

  Address tracking is enabled, the RIB does have a route to 172.16.1.1
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled
```
Behavior during Failover (BGP peer drop)
Let's check what happens when FW2 is switched to Active by actually triggering a Failover.
```
ASAv/sec/stby# failover active
Switching to Active
```
The BGP peer then went down.
```
IOSv#
*Aug 1 20:04:47: %BGP-3-NOTIFICATION: sent to neighbor 172.16.1.2 passive 6/7 (Connection Collision Resolution) 0 bytes
*Aug 1 20:04:48: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 reset (Peer closed the session)
*Aug 1 20:04:48: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Down Peer closed the session
*Aug 1 20:04:48: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.1.2 IPv4 Unicast topology base removed from session  Peer closed the session
*Aug 1 20:04:52: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 passive reset (BGP Notification sent)
*Aug 1 20:04:52: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 passive Down Error during connection collision
*Aug 1 20:05:05: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Up
```
The BGP and Failover section of the ASA Border Gateway Protocol Configuration Example states the following.
- BGP is supported in Active/Standby and Active/Active HA configurations.
- Only the Active unit listens on TCP port 179 for BGP connections from peers.
- The Standby unit does not participate in BGP peering, and hence does not listen on TCP port 179 and does not maintain the BGP tables.
- BGP route additions and deletions are replicated from the Active to the Standby unit.
- Upon failover, the new Active unit listens on TCP port 179 and initiates the BGP adjacency establishment with peers.
- Without Nonstop Forwarding (NSF), adjacency establishment takes time with peer again after failover, within which BGP routes are not learned from the peer. This depends upon next BGP keepalive (default 60 seconds) from the peer for which the ASA responds with restore (RST), which leads to an old connection termination at the peer end and subsequently a next new connection is established.
- During the BGP reconvergence period, the new Active unit continues to forward traffic with the previously replicated routes.
- The BGP reconvergence timer period is currently set to 210 seconds (the show route failover command shows the timer value) in order to give sufficient time for BGP to establish adjacencies and exchange routes with its peers.
- After the BGP reconvergence timer expires, all the stale BGP routes are purged from the Routing Information Base (RIB).
- The BGP router id is synced from the Active unit to the Standby unit. The BGP router id computation is disabled on the Standby unit.
- The write standby command is strongly discouraged since the bulk sync does not happen in that case, which leads to the loss of dynamic routes on the standby.
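As an added example (not from the original post), the small Python helper below measures the BGP outage that the failover above caused: it parses the R1 (IOSv) `%BGP-5-ADJCHANGE` lines to get the time between the session going Down and coming back Up, reads the neighbor row of the ASAv `show bgp summary` to classify the session state, and checks the outage against the 210-second BGP reconvergence timer quoted above. The log and summary text are constructed samples copied from the output shown on this page; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the R1 (IOSv) syslog lines from the failover above. IOS
# logs no year, so strptime's default year is fine for a same-day difference.
IOS_LOG = """\
*Aug 1 20:04:47: %BGP-3-NOTIFICATION: sent to neighbor 172.16.1.2 passive 6/7 (Connection Collision Resolution) 0 bytes
*Aug 1 20:04:48: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Down Peer closed the session
*Aug 1 20:04:52: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 passive Down Error during connection collision
*Aug 1 20:05:05: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Up
"""
# Constructed sample: the neighbor row of "show bgp summary" on the ASAv as shown above.
ASA_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.1.1      4        65001     103      90        3    0    0 01:31:57        1
"""
RECONVERGENCE_TIMER = 210  # seconds; the "show route failover" value quoted above

# Only the main session counts: the "passive Down" line is the collision
# resolution of the second TCP connection, so the regex deliberately skips it.
ADJ_RE = re.compile(
    r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d): %BGP-5-ADJCHANGE: neighbor (\S+) (Down|Up)\b")

def bgp_outage_seconds(log, neighbor):
    """Seconds from the first ADJCHANGE Down to the next Up; None if still down."""
    down_at = None
    for line in log.splitlines():
        m = ADJ_RE.match(line)
        if not m or m.group(2) != neighbor:
            continue
        stamp = datetime.strptime(m.group(1).replace("  ", " "), "%b %d %H:%M:%S")
        if m.group(3) == "Down" and down_at is None:
            down_at = stamp
        elif m.group(3) == "Up" and down_at is not None:
            return int((stamp - down_at).total_seconds())
    return None

def neighbor_state(summary, neighbor):
    """("Established", prefixes_received) if the State/PfxRcd column is numeric,
    otherwise (fsm_state, None), e.g. ("Active", None) while still connecting."""
    for line in summary.splitlines():
        cols = line.split()
        if cols and cols[0] == neighbor:
            return ("Established", int(cols[-1])) if cols[-1].isdigit() else (cols[-1], None)
    return ("Unknown", None)

def failover_within_budget(log, neighbor, timer=RECONVERGENCE_TIMER):
    """True if the peer re-established before the stale routes would be purged."""
    outage = bgp_outage_seconds(log, neighbor)
    return outage is not None and outage < timer
```

For the log above the session was down for 17 seconds, comfortably inside the 210-second window during which the new Active unit keeps forwarding on the replicated routes.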