topic HA firewall to single ASA in Network Security

HA firewall to single ASA

Reece Boucher — Tue, 12 Mar 2019 04:13:51 GMT

Greetings,

I have a client who is replacing a single firewall with dual HA firewalls (in different locations) connected by fibre.

The current connection is a single copper connection, using static routes.

Q: Is there a way to utilise the single ASA5510 we have and connect to both these firewalls and maintain connectivity in the event of a failure of their primary firewall ?

A picture is worth a 1,000 words. Apologies for not including sooner.

Hi Boucher ,

SANTHOSHKUMAR SARAVANAN — Thu, 22 May 2014 04:01:41 GMT

Hi Boucher ,

Yes it possible to run HA between two ASA with help of fiber link , the main criteria is you need to have two separate fiber link (one of fail over interface & another for Data monitoring interface) , similarly the network latency to reach other end via your fiber must be very least .

Failover link can be connected back to back directly /via switch to your asa failover interface , but for data interface you will have inside and outside interface which will be monitored for fail over status , for this connectivity you need have layer 2 switch at both end , passing both your inside & outside vlan of your firewall . The fiber link between this layer 2 swtich , should be used a trunk link .

Fiber link 1 - failover link

Fiber Link 2 - Data link for outside & inside interface of firewall , must be configured as trunk

You have to tweak failover polltime to standby device using below commands

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#prereq

Failover Polltime

In order to specify the failover unit poll and hold times, use the failover polltime command in global configuration mode.

The failover polltime unit msec [time] represents the time interval in order to check the standby unit's existence by polling hello messages.

Similarly, the failover holdtime unit msec [time] represents the setting a time period during which a unit must receive a hello message on the failover link, after which the peer unit is declared failed.

In order to specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. In order to restore the default poll and hold times, use the no form of this command.

failover polltime interface [msec] time [holdtime time]

Use the failover polltime interface command in order to change the frequency at which hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interfacecommand in the failover group configuration mode instead of the failover polltime interface command.

You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.

HTH

Sandy

Not sure if I understood your

jpl861 — Thu, 22 May 2014 05:44:40 GMT

Not sure if I understood your question but from what I understood, both locations will have dual ASA FWs but there is only one link in between which is fiber. If that is the case then you will need to terminate your WAN link to an L2 switch in each location then your firewalls to that L2 switch as well so all firewalls have connectivity to the WAN.

John, The correct topology is

Reece Boucher — Fri, 23 May 2014 02:13:26 GMT

John,

The correct topology is a single ASA 5510 (our f/w) to dual f/w's (unknown make) at the other end. I am not sure there is a L2 switch at their end. That would make life so much easier.

Actually that is nto a big

jpl861 — Fri, 23 May 2014 04:38:15 GMT

Actually that is nto a big iasue if they have two firewalls. It would work on their end but there will be no redundancy if their secondary firewall does not have connectivity to the WAN. We had that problem before as the ISP gave us a /30 WAN IP so we can only use one. I assigned the IP to the active firewall with no standby IP (this is for ASA anyway) but I terminated the link to an L2 switch into its own VLAN. So whenever I switch active roles between primary/secondary, the second firewall can communicate to the WAN. So not a big issue if you just have one on your side.