Graceful Failover in ASA Pair (Active/Passive)

Today we had a memory problem on our ASA 5510s. I had to do a passive reload, failover, then a primary reload. Luckily it fixed our problem, so I decided to write something simple up on how to do a graceful failover.

This assumes that your firewalls are already configured in an active/passive configuration. There are many Cisco documents on how to do this.

1. Save your configuration.

ASA(active)# copy running start

2. Failover your standby node.

ASA(active)# failover reload-standby

3. Verify status of your passive device.

ASA(active)# sh failover

4. If your secondary device is Standby Ready, you can fail over the primary to it.

ASA(active)# no failover active

Be careful which device you are on at this point: if you connect via SSH to the same IP again, you will land on the secondary (now active) node, which is the one you already reloaded. Run sh failover, get the IP of the primary node in Standby Ready mode, and connect to that device.

5. Reload the primary device.

ASA(passive)# reload

6. Once the primary is done reloading (check with sh failover), you can fail back to the primary or leave the secondary active. This step is up to you.

ASA(passive)# failover active

Refer to this article for the detailed write-up.


Configure Time on a Cisco Device

Cisco devices are not commonly members of your domain. They are separate entities so it’s important that they reference a source for time synchronization. This is especially important with logging.

Cisco devices support the NTP standard for time synchronization. I set up an NTP server, point it to pool.ntp.org, and then point my Cisco devices to it. In this example the NTP server has the internal IP 10.100.1.50. Here are the configuration instructions.

1. Log in to the device.

2. Enter enable mode (en)

3. Enter configure terminal mode (conf t)

4. Enter the following command to sync with the server. **NOTE: source is the interface that can reach the NTP server; it must be able to contact 10.100.1.50.**

ntp server 10.100.1.50 source **inside**

5. Enter the following to set the time zone.

clock timezone EST -5

6. Enter the following to set daylight saving time (on the second Sunday in March and the first Sunday in November, at 3:00, the clock will be adjusted by one hour).

clock summer-time Eastern recurring 2 Sun Mar 3:00 1 Sun Nov 3:00

7. Save your configuration.

wr mem

Autodelete Files by Age

In my last post I covered how to back up files based on age. This is a nice script to supplement it: it auto-deletes files based on their age. It's an easy way to back up files to a disk somewhere without overflowing it with old backups.

This example is for a Windows host and deletes files older than 3 days:

1. Create a batch script with the following:

echo on
rem Delete files older than 3 days
FORFILES /P C:\Admin\Test\ /S /M 1*.bmp /D -3 /C "cmd /c del /q @FILE"

2. Modify the following flags to suit your needs:

/p = The path to search for the files whose date you want to check and remove
/s = Recurse into subdirectories contained within the path specified with /p and check them as well
/m = The search mask for the file type you want to check the date on (*.* being all files)
/d = The date to compare the files against. A standard date can also be used (dd/mm/yyyy)
/c = The command to run on each file that matches the /m and /d criteria
/q = Used within /c to instruct the del command to delete files quietly

3. Add the batch file to the scheduler based on your needs.

Script a Backup with Date

Let's say you have a file or folder that you want to back up automatically. The backups need unique names, so we will name them based on the date. Use this if you want to automate a backup job that you then FTP somewhere else, or if you just want a simple backup without involving a third-party app.

This example uses 7-Zip on a Windows platform. I'm sure there are a million ways to do this in Unix.

1. Install 7-zip.

2. Create a new batch file and use the following as a guide.

cd "C:\Program Files\7-Zip"
rem Build YYYYMMDD from %date%; this slicing assumes the US format "Wed 03/10/2010"
set dt=%date:~10,4%%date:~4,2%%date:~7,2%
rem Archive the IIS web root into C:\Backups\Backup<date>; -w sets the working directory for the temporary archive
7z a -w C:\Backups\Backup%dt% C:\inetpub\wwwroot

In this example, the backups go to the C:\Backups directory and are called Backup<date>, e.g. Backup20100310. Here we are backing up the IIS directory, C:\inetpub\wwwroot.


Once you have this batch file written, you can schedule it in task scheduler to run whenever you want. Schedule it daily, monthly, etc.
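For the Unix side the two posts above only allude to, here is an added example (not the original posts' code) that does both jobs: the date-stamped backup from this post and the age-based prune from the previous one. The Backup<YYYYMMDD> naming and the 3-day limit follow the posts; the tar.gz format, the path checks and the scratch directory used for the demonstration are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: the two Windows batch jobs
# above (a date-stamped backup, then pruning backups older than N days)
# written for a Unix host. The Backup<YYYYMMDD> name and the 3-day limit
# follow the posts; the tar.gz format and the path checks are my additions.

# backup_name: today's archive name, e.g. Backup20100310.tar.gz. date(1)
# gives the fields directly instead of slicing a locale-dependent %date%.
backup_name() {
    printf 'Backup%s.tar.gz\n' "$(date +%Y%m%d)"
}

# backup_dir SRC DEST: archive directory SRC into DEST/<backup_name>.
# Refuses to run if either path is missing, so a typo cannot silently
# produce an empty archive or drop one somewhere unexpected.
backup_dir() {
    src=$1; dest=$2
    [ -d "$src" ] && [ -d "$dest" ] || { echo "backup_dir: bad path" >&2; return 1; }
    out=$dest/$(backup_name)
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    printf '%s\n' "$out"
}

# prune_old DEST DAYS: delete Backup*.tar.gz in DEST last modified more
# than DAYS days ago. Unlike the batch job's bare "del /q @FILE", the
# match is limited to the backup name pattern and to the top level of
# DEST, so a wrong path variable cannot wipe unrelated files.
prune_old() {
    dest=$1; days=$2
    [ -d "$dest" ] || { echo "prune_old: no such directory: $dest" >&2; return 1; }
    find "$dest" -maxdepth 1 -type f -name 'Backup*.tar.gz' -mtime +"$days" \
        -exec rm -f {} +
}

# count_backups DEST: number of backups still present (handy after a prune).
count_backups() {
    find "$1" -maxdepth 1 -type f -name 'Backup*.tar.gz' | wc -l | tr -d ' '
}

# Example run against a constructed scratch tree instead of a real web root.
work=$(mktemp -d)
mkdir "$work/wwwroot" "$work/Backups"
echo '<html>constructed sample</html>' > "$work/wwwroot/index.html"
backup_dir "$work/wwwroot" "$work/Backups"
prune_old "$work/Backups" 3
echo "backups kept: $(count_backups "$work/Backups")"
rm -rf "$work"
```

Schedule it from cron the same way the batch file is scheduled from Task Scheduler, with the backup step before the prune step so a failed backup never leaves the disk empty.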

Format and Mount a new drive in RHEL (or any RedHat based Linux)

The first step is adding the disk. You can do this by attaching a local drive to the server, zoning a SAN drive to it, or adding a virtual disk through VMware. Either way, the process for formatting and mounting is the same.

1. Make sure you have privileged rights either by sudo or logging in as root.

2. Type fdisk -l

  • This will show you the physical disks detected by the OS. As you can see /dev/sda is the primary disk that the OS was installed to and it is already formatted with ext3 (Id 83).
  • /dev/sdb is the new disk that the OS has detected. This is not formatted and does not have any partitions.

3. Since /dev/sdb is the assigned device name, that is what we will format: run fdisk /dev/sdb.

In this mode you can hit M at any time if you need help.

4. We are creating a new partition. To do this, type N.

5. Since this is a new "physical" disk and not a partition on an existing disk, I am going to make it a primary partition. To do this all I need to type is p.

6. It will then ask you what partition number you want to assign. Anything in the range it allows will work. Linux allows you 4 primary partitions; after that they have to be extended. Since this is the first partition on that disk, assign it 1. This will make the partition /dev/sdb1.

7. Use the defaults for the rest of the settings.

8. Type (p). This will show you the partition you just created.

9. When you are all done, type (w) to save your changes. If you do not do this, everything that you have done will not take effect.

10. If you enter df -h you will still not see the new partition you created. Why? Because it does not have a filesystem yet. You will have to create one.

11. Enter fdisk -l and you will see the new partition you created. The operating system labeled the device /dev/sdb1, so this is what we will format.

12. To do so we need to run the mke2fs command. Enter the /sbin/mke2fs -j /dev/sdb1 command (-j is just ext2 with journaling, which is ext3). You will see the following if you did everything correctly.

13. Now that the filesystem is created, you need to mount it. To start this process you first need to create a directory to mount to; mkdir /u01 is what I do. If you need to mount it somewhere specific, you can.

14. Now you need to label the partition. Do this by entering e2label /dev/sdb1 /u01.

15. Now you can finally mount the filesystem! To do this just enter mount /dev/sdb1 /u01. This will modify the /etc/mtab file.

16. After you enter the command, if you type df -h you will see the new drive.

17. The filesystem will not auto mount the drive when the OS gets rebooted. To do this modify the /etc/fstab file. Use the bottom line from the example below as a reference.
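The fstab example the post refers to is not reproduced on this page. As an added example (not the post's own), the following shell functions build an entry for the /dev/sdb1 partition labelled /u01 above and append it only if the mount point is not already listed; the mount options nodev,nosuid, the dump/pass fields 1 2, and the scratch file used for the demonstration are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the /etc/fstab entry for
# the partition created above (/dev/sdb1, labelled /u01 with e2label) and adds
# it only if the mount point is not already listed. The fstab path is a
# parameter so the functions can be tried against a scratch file first.

# fstab_entry LABEL MOUNTPOINT FSTYPE: print one fstab line.
# Mounting by LABEL= (set with e2label) instead of /dev/sdb1 keeps the entry
# valid if the kernel renumbers /dev/sdX after a reboot or a new disk.
# nodev,nosuid are a sensible default for a data volume; dump=1, fsck pass=2.
fstab_entry() {
    printf 'LABEL=%s %s %s defaults,nodev,nosuid 1 2\n' "$1" "$2" "$3"
}

# fstab_has_mountpoint FSTAB MOUNTPOINT: exit 0 if an active (uncommented)
# line already mounts MOUNTPOINT, 1 otherwise.
fstab_has_mountpoint() {
    awk -v mp="$2" '
        $1 !~ /^#/ && NF >= 2 && $2 == mp { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# fstab_add_once FSTAB LABEL MOUNTPOINT FSTYPE: append the entry unless the
# mount point is present. Returns 0 when added, 1 when it was already there,
# so a second run of the provisioning script does not produce duplicates.
fstab_add_once() {
    if fstab_has_mountpoint "$1" "$3"; then
        return 1
    fi
    fstab_entry "$2" "$3" "$4" >> "$1"
}

# Demonstration against a constructed scratch copy, never the live file.
# On the real host: fstab_add_once /etc/fstab /u01 /u01 ext3 && mount -a
demo_fstab=$(mktemp)
printf '%s\n' '# constructed sample fstab' 'LABEL=/ / ext3 defaults 1 1' > "$demo_fstab"
fstab_add_once "$demo_fstab" /u01 /u01 ext3 && echo "added /u01 entry"
cat "$demo_fstab"
rm -f "$demo_fstab"
```

After editing the real file, run mount -a before rebooting: a bad fstab line is far easier to fix from a working shell than from a single-user prompt.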


Logical VLAN Visio Diagram (Template)

Every time I design or discover a new network I create a logical VLAN diagram. It helps others gain an understanding of what's going on, discover problems, and aid discussion.

Ninety-nine percent of the time I get asked for a network diagram over and over, even though I’ve sent it many times to the same people. It’s just something that’s going to happen. If you don’t have one, admins/management are going to have a tough time understanding what’s going on.

I decided to post my Visio template that I use for VLAN layout. This is very helpful to explain your design to system admins as well as management. Without this, conference calls and meetings can be painful.

Take it and modify it as needed for your network. It's pretty simple, but that's by design. Complicate it as needed; network people tend to do that.

I have a VPN tunnel template as well. It can be found here.

Diagram here


Netflow on Cisco 6500

If you aren't using Netflow on your internal network, you should be. It is a great way to troubleshoot chatty machines and the general flow of traffic on your network. It is also great for determining your backup windows. A lot of the time, admins just guess a time to kick off backups, but Netflow will give you a precise window for when to run them.

In this tutorial I will go over how to set up Netflow on your 6500 switch. In my example I am using software version 12.2.

Enable Netflow

switch(config)#mls netflow

Enable Flows

switch(config)#mls flow ip full

or

switch(config)#mls flow ip interface-full

This enables all flows. If you only want specific flows, you can specify it with that command (example below). If you aren’t sure or don’t care, just use full.

switch(config)#mls flow ip ?
 interface-destination        interface-destination        flow keyword
 interface-destination-source interface-destination-source flow keyword
 interface-full               interface-full               flow keyword
 interface-source             interface-source only        flow keyword

Assign Flow to Layer 2 VLANs

switch(config)#ip flow ingress layer2-switched vlan 110-113,172,192

Assign Flow to Layer 3 Interfaces

Let's say you have a couple of VLAN interfaces and an IP interface that connects to another switch/router that you want to monitor. Here's how to get flows from those interfaces.

switch(config)#interface Vlan100
switch(config-if)#ip route-cache flow

switch(config)#interface fastEthernet 1/1
switch(config-if)#ip route-cache flow

Configure Flow-exports

Configure the version you want to export. It will depend on the utility that you use to monitor your flows. Usually version 5 is safe, but most new ones support version 7.

switch(config)#mls nde sender version 5

Configure the source interface to send from (in my example VLAN100) and the destination. The destination is your Netflow application server (10.100.1.50); note the port after the address, and be sure your server is listening on that port.

Switch(config)#ip flow-export source Vlan100

Switch(config)#ip flow-export destination 10.100.1.50 9996

Now you have your 6500 exporting flows to your destination IP, and it's time to set up a Netflow server. I like ManageEngine Netflow monitor; there are many others to choose from (SolarWinds, etc.). Just pick one you are comfortable with and go with it.
