topic Your latest attachment is in Network Security

ASA active/active failover back to back

ksherwood — Tue, 26 Mar 2019 00:54:06 GMT

Hi,

for HA I want to connect 4 ASA's in active/active failover with each ASA having two contexts.

The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.

Is this possible and what would you need to do it ie a switch or two in between ?

I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???

Would you put 2 switches trunked together carrying two vlans, one for each context ?

-| CTX1 |- ? -| CTX1 |-

-| CTX2 |- ? -| CTX2 |-

| | | |

-| CTX1 |- ? -| CTX1 |-

-| CTX2 |- ? -| CTX2 |-

Thanks in advance.

Your diagram shows CTX1 and

Marvin Rhoads — Sat, 08 Nov 2014 14:51:38 GMT

Your diagram shows CTX1 and CTX2 on both pairs. Is that what you want?

Why wouldn't you have a single pair of ASAs with four contexts each? That would be closer to the secure multitenant data center reference architecture.

Hi Marvin,

ksherwood — Sun, 09 Nov 2014 04:40:39 GMT

Hi Marvin,

yes, that would be much easier, but both pairs of ASA's are owned by separate parties who each want to control their firewalls and filtering, hence my comment about two different domains.

One of us (domains) might have to give way as this design is turning out to be quite a challenge.

Any ideas ?

Well quite frankly if I were

Marvin Rhoads — Sun, 09 Nov 2014 04:59:18 GMT

Well quite frankly if I were the CIO of these warring parties I'd exercise some adult supervision and tell them to play nicely.

That aside, if you really really need to do this the you would just connect the failover ports between each pair back-to-back.

Put a pair of switches (or a stack) between the two pairs of ASAs for redundancy's sake. Each context has an interface dedicated facing the other domain's ASAs across that switch fabric.

Do you mind drawing it up for

ksherwood — Sun, 09 Nov 2014 08:38:55 GMT

Do you mind drawing it up for me. I'm cautious that it's no good putting the same contexts onto the same switch as this would negate any failover possibility if that switch went down.

I've attached what I thought might work to cover any redundancies. Would this work ?

Your latest attachment is

Marvin Rhoads — Sun, 09 Nov 2014 14:53:17 GMT

Your latest attachment is pretty close to what I was thinking.

I would add a second interface on each ASA to the switches.

So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.

An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.

You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

Isn't that what i have done ?

ksherwood — Sun, 09 Nov 2014 23:53:52 GMT

Isn't that what i have done ?

Your drawing only showed an

Marvin Rhoads — Mon, 10 Nov 2014 04:11:24 GMT

Your drawing only showed an inside interface from the left hand ASAs going to V2 for ASA1 and V3 for ASA2.

I was suggesting both ASA1 and 2 should have connections to both V2 and V3 to account for the failover scenario. Likewise for ASA3 and ASA4.

Hi Marvin, Would you be able

Ravi — Mon, 10 Nov 2014 10:12:19 GMT

Hi Marvin,

Would you be able to assist me on this question:

https://supportforums.cisco.com/discussion/12316661/asa-5505-lan-no-internet-tcp-teardown-deny-connection-logs#comment-10062986

I desperately need help to get it sorted. Would really appreciate help

Thank you

I'm not sure what you mean.

ksherwood — Sat, 15 Nov 2014 07:08:04 GMT

I'm not sure what you mean. The facing ASA's are all on the outside. I'm also thinking the Trunk is not necessary.

Just to clarify, ASA1 would be active for context 1 and standby for context 2.

ASA2 would be active for context 2 and standby for context 1.

That's why the failover interfaces cross to continue the path. Does this sound right ?