Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 14 Configuring Failover
Enter the following commands to configure asymmetric routing support. The asr-group command is
only available in the security contexts. Stateful Failover must be enabled for asymmetric routing to
function properly.
hostname/ctx1(config)# interface phy_if
hostname/ctx1(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command for each interface that
participates in the asymmetric routing group. You can view the number of ASR packets transmitted,
received, or dropped by an interface using the show interface detail command.
Figure 14-1 shows an example of using the asr-group command for asymmetric routing support.
Figure 14-1 ASR Example
Context A is active on one unit and context B is active on the other. Each context has an interface named
“outside”, both of which are configured as part of asr-group 1. The outbound traffic is routed through
the unit where context A is active. However, the return traffic is being routed through the unit where
context B is active. Normally, the return traffic would be dropped because there is no session information
for the traffic on the unit. However, because the interface is configured with an asr-group number, the
unit looks at the session information for any other interfaces with the same asr-group assigned to it. It
finds the session information in the outside interface for context A, which is in the standby state on the
unit, and forwards the return traffic to the unit where context A is active.
The traffic is forwarded through the outside interface of context A on the unit where context A is in the
standby state and returns through the outside interface of context A on the unit where context A is in the
active state. This forwarding continues as needed until the session ends.
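The range and per-interface rules above can be checked offline against saved context configurations. The following Python script is an added example, not part of the Cisco guide: the sample configuration text is constructed (the context names ctxA and ctxB, and Ethernet3, Ethernet5 and Ethernet6 with their nameif values, are assumptions), and the single-member check is inferred from the statement that the unit consults other interfaces with the same asr-group.

```python
import re
from collections import defaultdict

# Constructed sample: interface stanzas as saved from each security context.
# ctxA/Ethernet4 and ctxB/Ethernet2 mirror Figure 14-1; the rest is made up.
SAMPLE = {
    "ctxA": "interface Ethernet4\n nameif outside\n asr-group 1\n"
            "interface Ethernet5\n nameif inside\n",
    "ctxB": "interface Ethernet2\n nameif outside\n asr-group 1\n"
            "interface Ethernet3\n nameif dmz\n asr-group 40\n"
            "interface Ethernet6\n nameif partner\n asr-group 2\n",
}

def parse_interfaces(text):
    """Return one {'if', 'nameif', 'asr'} dict per interface stanza."""
    stanzas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            cur = {"if": m.group(1), "nameif": None, "asr": None}
            stanzas.append(cur)
        elif cur is not None and line.startswith(" "):
            words = line.split()
            if len(words) == 2 and words[0] == "nameif":
                cur["nameif"] = words[1]
            elif len(words) == 2 and words[0] == "asr-group":
                cur["asr"] = words[1]
        else:
            cur = None  # left the interface stanza
    return stanzas

def audit(contexts):
    """Group interfaces by asr-group across contexts and list problems."""
    groups, findings = defaultdict(list), []
    for ctx, text in contexts.items():
        for s in parse_interfaces(text):
            if s["asr"] is None:
                continue
            where = f"{ctx}/{s['if']}"
            if s["asr"].isdecimal() and 1 <= int(s["asr"]) <= 32:
                groups[int(s["asr"])].append(where)
            else:
                findings.append(f"{where}: asr-group {s['asr']} outside 1-32")
    for num, members in sorted(groups.items()):
        if len(members) < 2:  # nothing else in the group to look up sessions on
            findings.append(f"asr-group {num}: only {members[0]} is a member")
    return dict(groups), findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```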
[Figure 14-1 diagram. Labels: ISP A, ISP B, Inside network, Failover/State link, Outbound Traffic, Return Traffic. Context A: interface Ethernet4, nameif outside, asr-group 1. Context B: interface Ethernet2, nameif outside, asr-group 1.]