Technical Manual for Cisco ASA 5555-X Adaptive Security Appliance - No Payload Encryption

designation of the booting unit.
• When both units boot simultaneously, the secondary unit obtains the running configuration from the
primary unit.
When the replication starts, the security appliance console on the unit sending the configuration displays the
message "Beginning configuration replication: Sending to mate," and when it is complete, the security
appliance displays the message "End Configuration Replication to mate." During replication, commands
entered on the unit sending the configuration may not replicate properly to the peer unit, and commands
entered on the unit receiving the configuration may be overwritten by the configuration being received. Avoid
entering commands on either unit in the failover pair during the configuration replication process. Depending
upon the size of the configuration, replication can take from a few seconds to several minutes.
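A log check for the replication window described above, added here as an example and not taken from the Cisco document: it flags commands entered on either unit between the two console messages. The log line layout, the unit labels and the "cmd:" marker are assumptions, and the sample lines are constructed.

```python
from datetime import datetime

# Console messages quoted in the text above.
BEGIN = "Beginning configuration replication: Sending to mate"
END = "End Configuration Replication to mate"

# Constructed sample: "<ISO timestamp> <unit> <console message or 'cmd: <command>'>".
# The line layout and the "cmd:" marker are assumptions, not an ASA output format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 primary cmd: access-list OUT extended permit tcp any host 192.0.2.10 eq 443
2024-05-01T10:00:05 primary Beginning configuration replication: Sending to mate
2024-05-01T10:00:20 primary cmd: no access-list OUT extended permit ip any any
2024-05-01T10:00:31 secondary cmd: logging enable
2024-05-01T10:00:48 primary End Configuration Replication to mate
2024-05-01T10:01:10 primary cmd: write memory all
2024-05-01T10:05:00 primary Beginning configuration replication: Sending to mate
"""

def audit_replication(log_text):
    """Return (risky_commands, unfinished_windows).

    risky_commands: (timestamp, unit, command, reason) for commands entered on
    either unit while a replication window was open.
    unfinished_windows: start times of windows with no matching End message.
    """
    sender, started, risky, unfinished = None, None, [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, unit, rest = line.split(" ", 2)
        when = datetime.fromisoformat(stamp)
        if BEGIN in rest:
            if started is not None:        # previous window never closed
                unfinished.append(started)
            sender, started = unit, when
        elif END in rest:
            sender, started = None, None
        elif rest.startswith("cmd: ") and started is not None:
            reason = ("may not replicate to peer" if unit == sender
                      else "may be overwritten by received configuration")
            risky.append((when, unit, rest[5:], reason))
    if started is not None:
        unfinished.append(started)
    return risky, unfinished

if __name__ == "__main__":
    risky, unfinished = audit_replication(SAMPLE_LOG)
    for when, unit, cmd, reason in risky:
        print(f"{when} {unit}: '{cmd}' {reason}")
    for when in unfinished:
        print(f"replication started {when} has no End message in this log")
```

Commands it flags are candidates for re-entry or for a comparison of the two running configurations once replication has finished.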
On the unit receiving the configuration, the configuration exists only in running memory. To save the
configuration to Flash memory after synchronization, enter the write memory all command in the system
execution space on the unit that has failover group 1 in the active state. The command is replicated to the peer
unit, which proceeds to write its configuration to Flash memory. Using the all keyword with this command
causes the system and all context configurations to be saved.
Note: Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the context configuration files from
the disk on the primary unit to an external server, and then copy them to disk on the secondary unit, where
they become available when the unit reloads.
Command Replication
After both units are running, commands are replicated from one unit to the other as shown:
• Commands entered within a security context are replicated from the unit on which the security
context appears in the active state to the peer unit.
Note: A context is considered in the active state on a unit if the failover group to which it belongs is in
the active state on that unit.
• Commands entered in the system execution space are replicated from the unit on which failover group
1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in
the active state to the unit on which failover group 1 is in the standby state.
All configuration and file commands (copy, rename, delete, mkdir, rmdir, and so on) are replicated, with
the following exceptions: the show, debug, mode, firewall, and failover lan unit commands are not
replicated.
Failure to enter the commands on the appropriate unit for command replication to occur causes the
configurations to be out of synchronization. Those changes may be lost the next time the initial configuration
synchronization occurs.
You can use the write standby command to resynchronize configurations that have become out of sync. For
Active/Active failover, the write standby command behaves as shown:
• If you enter the write standby command in the system execution space, the system configuration and
the configurations for all of the security contexts on the security appliance are written to the peer unit.
This includes configuration information for security contexts that are in the standby state. You must
enter the command in the system execution space on the unit that has failover group 1 in the active
state.