topic Re: ASA FailOver in Network Security

ASA FailOver

mellalBrahim — Sun, 05 Mar 2023 10:32:58 GMT

Greetings,

last week i have face a question and i dind'nt get the write answer for it, it is about the configuration of ASA firewall with FailOver,

the question was, when two firewall are connected with fail over, and a originated packet from the inside to the outside the firewall will create a session for this connection and track it , and we assume that the retunred packet is through the seconde firewall ,

in this senarion how the asa deal with those packet ??

* Asa will Drop the packet ?

* the State table are synchronous for each other, so the both are awared about all the session state created?

thanks in advanced.

Re: ASA FailOver

MHM Cisco World — Sun, 05 Mar 2023 11:18:20 GMT

Yes you are right, status of traffic is exchange between two FW and if return traffic is come through standby it will pass since the standby have xlate and conn of traffic.

case is happened healthy only in
active/standby failover
otherwise you have asymmetric and more info. you can see link
https://community.cisco.com/t5/security-knowledge-base/asa-asymmetric-routing-troubleshooting-and-mitigation/ta-p/3117045

Re: ASA FailOver

balaji.bandi — Sun, 05 Mar 2023 10:53:48 GMT

and we assume that the retunred packet is through the seconde firewall , --< this never happens if the HA working as expected, until the ASA HA becomes the split-brain. (means both ASA become Active/Active)

i would point to some basics below the blog explain how that works, in both Active/Active (means active standby backend for that context) - same case Active / Standby

https://network-insight.net/2015/01/06/asa-failover/

* Asa will Drop the packet ? ( as I mentioned above situation, this happens only when the HA splits - and packet will be dropped)

* the State table are synchronous for each other, so both are aware of all the session state created?

- if the fail over scenario - Active and Standby aware of full packet flow, when the switchover happens from active to standby, the traffic will seamlessly switch over and no packet drops you see here.

Re: ASA FailOver

MHM Cisco World — Sun, 05 Mar 2023 11:18:46 GMT

I add link to my previous post.

Re: ASA FailOver

mellalBrahim — Sun, 05 Mar 2023 11:56:15 GMT

thank for the sharing informations

Re: ASA FailOver

mellalBrahim — Sun, 05 Mar 2023 11:56:33 GMT

thanks for your reply

Re: ASA FailOver

MHM Cisco World — Sun, 05 Mar 2023 11:59:20 GMT

You are so so welcome.