らくがきちょう

Running BGP on ASAv in a Failover configuration

According to the ASA Border Gateway Protocol Configuration Example, Cisco ASA supports BGP from OS version 9.2.1 onward.

This document describes the steps required to enable Border Gateway Protocol (BGP) (eBGP/iBGP) routing, establish a BGP routing process, configure general BGP parameters, route-filtering on an Adaptive Security Appliance (ASA), and troubleshoot neighborship related issues. This feature was introduced in ASA Software Version 9.2.1.

ASA Border Gateway Protocol Configuration Example

So this time I build the ASAv as an Active / Standby Failover (HA) pair and run BGP on top of it.

Setup

I verify this with the following setup.

Target   Model   Version
R1       IOSv    15.5(2)T
FW1      ASAv    9.3(2)200
FW2      ASAv    9.3(2)200


R1 configuration

R1 is configured in advance with the following.

service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname IOSv
!
clock timezone JST 9 0
!
no ip domain lookup
!
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
router bgp 65001
 bgp router-id 172.16.1.1
 network 192.168.1.0
 neighbor 172.16.1.2 remote-as 65002
!
end

Failover configuration on the ASAv

Now configure Failover on the ASAv.

Configuration on the FW1 side

Enter the Failover configuration on FW1.

interface GigabitEthernet 0/2
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.168.23.2 255.255.255.0 standby 192.168.23.3
failover
!
end

Configuration on the FW2 side

Next, enter the Failover configuration on FW2. It is essentially the same as on FW1; only the failover lan unit [primary | secondary] line differs between the Active and Standby units.

interface GigabitEthernet 0/2
 no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.168.23.2 255.255.255.0 standby 192.168.23.3
failover
!
end

Log output on FW1

Once Failover was established, FW1 printed the following log.

ciscoasa#
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

Log output on FW2

FW2 printed the following log.

ciscoasa#
Detected an Active mate
Beginning configuration replication from mate.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.

WARNING: Trustpoint _SmartCallHome_ServerCA is already authenticated.
End configuration replication from mate.

Checking the state on FW1

show failover state shows the Failover state. The output shows that this device's priority (Priority) is Primary and that its current state is Active.

ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
	Sync Done
====Communication State===

====VM Properties Compatibility===
vCPUs - This host:  1
        Other host: 1
Memory - This host:  2048 Mhz
         Other host: 2048 Mhz
Interfaces - This host:  3
             Other host: 3

Checking the state on FW2

FW2's priority is Secondary, and as a result it has become Standby.

ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  None
Other host -   Primary
               Active         None

====Configuration State===
	Sync Done - STANDBY
====Communication State===

====VM Properties Compatibility===
vCPUs - This host:  1
        Other host: 1
Memory - This host:  2048 Mhz
         Other host: 2048 Mhz
Interfaces - This host:  3
             Other host: 3
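A pre-change check that parses the show failover state output above and confirms the pair is really synchronized and compatible before the BGP work starts. This is an added example, not code from the original post or from Cisco; it assumes the output layout shown on this page, and the FW1 output is embedded as constructed sample input.

```python
import re

# Sample input: the "show failover state" output shown above for FW1, embedded so the script runs offline.
FW1_STATE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
\tSync Done
====Communication State===

====VM Properties Compatibility===
vCPUs - This host:  1
        Other host: 1
Memory - This host:  2048 Mhz
         Other host: 2048 Mhz
Interfaces - This host:  3
             Other host: 3
"""

def parse_failover_state(text):
    """Extract each unit's priority and state, the config-sync line and the VM properties."""
    lines = text.splitlines()
    result = {"this": {}, "other": {}, "sync": None, "vm": {}}
    for i, line in enumerate(lines):
        m = re.match(r"(This|Other) host\s+-\s+(Primary|Secondary)", line)
        if m:
            unit = m.group(1).lower()
            result[unit]["priority"] = m.group(2)
            # The state ("Active", "Standby Ready", ...) is on the next line, before the failure reason.
            result[unit]["state"] = lines[i + 1].strip().split("  ")[0]
        elif line.strip().startswith("Sync"):
            result["sync"] = line.strip()
        else:
            m = re.match(r"(vCPUs|Memory|Interfaces) - This host:\s+(.+)", line)
            if m:
                other = lines[i + 1].split("Other host:")[1].strip()
                result["vm"][m.group(1)] = (m.group(2).strip(), other)
    return result

def failover_ready(text):
    """True when config is synced, the pair is Active / Standby Ready and all VM properties match."""
    s = parse_failover_state(text)
    return (bool(s["sync"]) and s["sync"].startswith("Sync Done")
            and {s["this"].get("state"), s["other"].get("state")} == {"Active", "Standby Ready"}
            and len(s["vm"]) == 3 and all(a == b for a, b in s["vm"].values()))
```

Feeding the FW2 output from above gives the mirror image (Secondary / Standby Ready, "Sync Done - STANDBY") and also passes the readiness check.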

Configuration on the Active FW

In a Failover pair the configuration is synchronized and shared between the two ASAs. The hostname and addresses are also shared by both units, but since only the Active unit answers on those addresses, no address conflict occurs. Configuration is synchronized from Active to Standby only, never in the reverse direction (Standby to Active), so trying to change the configuration on the Standby unit produces the following error.

ASAv/pri/stby# configure terminal
**** WARNING ****
	Configuration Replication is NOT performed from Standby unit to Active unit.
	Configurations are no longer synchronized.
ASAv/pri/stby(config)#

Now enter the address configuration and other settings needed for this test on the Active ASA (here FW1 is Active, and the rest of this post assumes the configuration was entered there).

hostname ASAv
!
interface GigabitEthernet 0/0
 nameif OUTSIDE
 ip address 172.16.1.2 255.255.255.0 standby 172.16.1.3
 no shutdown
!
interface GigabitEthernet 0/1
 nameif INSIDE
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.3
 no shutdown
!
interface GigabitEthernet 0/2
 no shutdown
!
no pager
!
prompt hostname priority state
!
end

Because even the hostname is shared by the two ASAs, it can become hard to tell which unit you are currently logged in to. In that case, configure prompt hostname priority state so that the prompt shows not only the hostname but also the priority (Priority) and state (State).

Target   Prompt            Hostname   Priority    State
FW1      ASAv/pri/act#     ASAv       Primary     Active
FW2      ASAv/sec/stby#    ASAv       Secondary   Standby

To swap Active / Standby, run failover active on the unit that is currently Standby. Let's run it on FW2.

ASAv/sec/stby# failover active

	Switching to Active
ASAv/sec/act#

FW1 displayed the following.

ASAv/pri/act#
	Switching to Standby

ASAv/pri/stby#

The prompts changed as follows.

Target   Prompt            Hostname   Priority    State
FW1      ASAv/pri/stby#    ASAv       Primary     Standby
FW2      ASAv/sec/act#     ASAv       Secondary   Active

Configuring BGP on the ASAv

Now configure BGP on the ASAv. On Cisco IOS you can first apply a route-map that does not yet exist (is undefined) to a BGP peer and define the route-map afterwards. On the ASA, however, applying an undefined route-map to a BGP peer fails with the following error, so the route-map must always be defined before it is applied to the peer.

ASAv/pri/act# configure terminal
ASAv/pri/act(config)# router bgp 65002
ASAv/pri/act(config-router)# address-family ipv4 unicast
ASAv/pri/act(config-router-af)# neighbor 172.16.1.1 route-map NOT-EXIST in
ERROR: Could not find route-map NOT-EXIST

Configure BGP on the ASAv as follows.

route-map MED-100 permit 10
 set metric 100
!
route-map MED-200 permit 10
 set metric 200
!
router bgp 65002
 address-family ipv4 unicast
  neighbor 172.16.1.1 remote-as 65001
  neighbor 172.16.1.1 route-map MED-100 in
  neighbor 172.16.1.1 route-map MED-200 out
  network 192.168.2.0
!
end

Checking the state on the ASAv

Example output of show bgp summary:

ASAv/pri/act# show bgp summary
BGP router identifier 192.168.2.2, local AS number 65002
BGP table version is 3, main routing table version 3
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory
3/2 BGP path/bestpath attribute entries using 624 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1208 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.1.1      4        65001 103     90             3    0    0 01:31:57  1

Example output of show bgp:

ASAv/pri/act# show bgp

BGP table version is 3, local router ID is 192.168.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 192.168.1.0      172.16.1.1         100             0  65001 i
*> 192.168.2.0      0.0.0.0              0         32768  i

Example output of show bgp neighbors:

ASAv/pri/act# show bgp neighbors 172.16.1.1

BGP neighbor is 172.16.1.1,  context single_vf,  remote AS 65001, external link
  BGP version 4, remote router ID 172.16.1.1
  BGP state = Established, up for 01:33:34
  Last read 00:00:04, last write 00:00:54, hold time is 180, keepalive interval is 60 seconds
  Neighbor sessions:
    1 active, is not multisession capable (disabled)
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Multisession Capability:
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                   Sent       Rcvd
    Opens:         1          1
    Notifications: 0          0
    Updates:       4          3
    Keepalives:    85         101
    Route Refresh: 1          0
    Total:         91         105
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Session: 172.16.1.1
  BGP table version 3, neighbor version 3/0
  Output queue size : 0
  Index 2
  2 update-group member
  Inbound path policy configured
  Outbound path policy configured
  Route map for incoming advertisements is MED-100
  Route map for outgoing advertisements is MED-200
                           Sent       Rcvd
  Prefix activity:         ----       ----
    Prefixes Current:      1          1          (Consumes 80 bytes)
    Prefixes Total:        1          2
    Implicit Withdraw:     0          1
    Explicit Withdraw:     1          0
    Used as bestpath:      n/a        1
    Used as multipath:     n/a        0

                                Outbound    Inbound
  Local Policy Denied Prefixes: --------    -------
    Bestpath from this peer:     1          n/a
    Total:                       1          0
  Number of NLRIs in the update sent: max 1, min 0

  Address tracking is enabled, the RIB does have a route to 172.16.1.1
  Connections established 1; dropped 0
  Last reset never
  Transport(tcp) path-mtu-discovery is enabled
  Graceful-Restart is disabled

Behaviour during Failover (BGP peer down)

Check what happens when FW2 is switched to Active. Let's actually trigger a Failover.

ASAv/sec/stby# failover active

	Switching to Active

The BGP peer then went down.

IOSv#
*Aug  1 20:04:47: %BGP-3-NOTIFICATION: sent to neighbor 172.16.1.2 passive 6/7 (Connection Collision Resolution) 0 bytes
*Aug  1 20:04:48: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 reset (Peer closed the session)
*Aug  1 20:04:48: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Down Peer closed the session
*Aug  1 20:04:48: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.1.2 IPv4 Unicast topology base removed from session  Peer closed the session
*Aug  1 20:04:52: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 passive reset (BGP Notification sent)
*Aug  1 20:04:52: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 passive Down Error during connection collision
*Aug  1 20:05:05: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Up

The BGP and Failover section of the ASA Border Gateway Protocol Configuration Example states the following.

  • BGP is supported in Active/Standby and Active/Active HA configurations.
  • Only the Active unit listens on TCP port 179 for BGP connections from peers.
  • The Standby unit does not participate in BGP peering, and hence does not listen on TCP port 179 and does not maintain the BGP tables.
  • BGP route additions and deletions are replicated from the Active to the Standby unit.
  • Upon failover, the new Active unit listens on TCP port 179 and initiates the BGP adjacency establishment with peers.
  • Without Nonstop Forwarding (NSF), adjacency establishment takes time with peer again after failover, within which BGP routes are not learned from the peer. This depends upon next BGP keepalive (default 60 seconds) from the peer for which the ASA responds with restore (RST), which leads to an old connection termination at the peer end and subsequently a next new connection is established.
  • During the BGP reconvergence period, the new Active unit continues to forward traffic with the previously replicated routes.
  • The BGP reconvergence timer period is currently set to 210 seconds (the show route failover command shows the timer value) in order to give sufficient time for BGP to establish adjacencies and exchange routes with its peers.
  • After the BGP reconvergence timer expires, all the stale BGP routes are purged from the Routing Information Base (RIB).
  • The BGP router id is synced from the Active unit to the Standby unit. The BGP router id computation is disabled on the Standby unit.
  • The write standby command is strongly discouraged since the bulk sync does not happen in that case, which leads to the loss of dynamic routes on the standby.
ASA Border Gateway Protocol Configuration Example
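An added example (not part of the original post or of Cisco's documentation) that measures the peer outage from the IOSv syslog lines captured during the failover above and compares it with the 210-second reconvergence timer from the quoted notes. The year is assumed because IOS timestamps carry none, and the log text is embedded as constructed sample input.

```python
import re
from datetime import datetime

# Sample input: the IOSv syslog lines captured during the failover above, embedded so the script runs offline.
SYSLOG = """\
*Aug  1 20:04:47: %BGP-3-NOTIFICATION: sent to neighbor 172.16.1.2 passive 6/7 (Connection Collision Resolution) 0 bytes
*Aug  1 20:04:48: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 reset (Peer closed the session)
*Aug  1 20:04:48: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Down Peer closed the session
*Aug  1 20:04:48: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.1.2 IPv4 Unicast topology base removed from session  Peer closed the session
*Aug  1 20:04:52: %BGP-5-NBR_RESET: Neighbor 172.16.1.2 passive reset (BGP Notification sent)
*Aug  1 20:04:52: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 passive Down Error during connection collision
*Aug  1 20:05:05: %BGP-5-ADJCHANGE: neighbor 172.16.1.2 Up
"""

# Matches only %BGP-5-ADJCHANGE lines; "passive" marks the collision-side session that IOS tears down separately.
ADJ_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %BGP-5-ADJCHANGE: neighbor (?P<peer>\S+)"
    r"(?P<passive> passive)? (?P<event>Up|Down)(?: (?P<reason>.*))?$"
)

RECONVERGENCE_TIMER = 210  # seconds, the value quoted in the Cisco notes above

def parse_adjchanges(text, year=2015):
    """Return (timestamp, peer, passive, event, reason) per ADJCHANGE line.
    IOS timestamps carry no year, so one is assumed (2015 fits the date in this log)."""
    events = []
    for line in text.splitlines():
        m = ADJ_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["peer"], bool(m["passive"]), m["event"], m["reason"] or ""))
    return events

def peer_outages(text, year=2015):
    """Per peer, seconds from a Down on the main session until the next Up (passive events skipped)."""
    down_at, outages = {}, {}
    for ts, peer, passive, event, _ in parse_adjchanges(text, year):
        if passive:
            continue
        if event == "Down":
            down_at.setdefault(peer, ts)
        elif peer in down_at:
            outages.setdefault(peer, []).append(int((ts - down_at.pop(peer)).total_seconds()))
    return outages

def stale_route_risk(text, year=2015, timer=RECONVERGENCE_TIMER):
    """Peers whose re-establishment took longer than the timer, i.e. the replicated routes would already be purged."""
    return {p: o for p, o in peer_outages(text, year).items() if max(o) > timer}
```

For the capture above the main session was down for 17 seconds, well inside the 210-second window during which the new Active unit keeps forwarding on the replicated routes.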