topic Re: ASA Failover Deployment in Network Security

ASA Failover Deployment

Jon Eyes — Tue, 12 Mar 2019 03:17:16 GMT

Hi Everyone,

We ordered two asa5515x that will be deployed in active-active
configuration.
I've gone through several pages of some example configuration and
deployment options but i cant find what im looking for.

In our current operation, we have one 5520 that has two isp configured to it. How these
two isp are being utilized is based on the traffic destination. By default, all traffic
passes through the primary isp. Some traffic is being routed to the secondary isp based on
the destination address/network. If there is an outage in the primary isp, all traffic
will be routed out on the secondary isp. The same applies if there is an secondary isp
outage, all traffic being routed out on that isp will be routed to the primary isp.

Im looking to deploy these two new asa in an active-active configuration wherein it will
behave the same as what we currently have in our operation. The catch is, all primary isp
traffic will be routed out on the outside interface of the ASA1 and all secondary isp
traffic will be routed out on the backup interface of ASA2. If ASA1 becomes unavailbable,
all primary isp traffic will be handled by ASA2 via its outside interface. The same if
ASA2 becomes unavailable, all secondary isp traffic will be handled by ASA1 via its backup
interface.

Also, in the documents that i have gone through, i can't seem to find if active-active
failover supports the concept of "virtual ip" (like glbp) where in these two ASA shares a
single outside / backup / inside ip address. This is a concern as it may affect our VPN
connections.
Is there any configuration that can support this deployment or asa can't be configured to support this at all

ASA Failover Deployment

Marvin Rhoads — Fri, 13 Dec 2013 02:56:45 GMT

Active-Active is only applicable for multi-context ASA failover clusters. Single context is Active-Standby only.

ASAs needing to optionally route to a secondary ISP typically are setup with a backup route and sla monitor job as descrtibed in this document.

Hope this helps.

ASA Failover Deployment

Jon Eyes — Fri, 13 Dec 2013 03:14:55 GMT

Thanks Marvin.

Yes, this document served as my guide when i configured the isp failover using a single asa (that is my 5520). The two new asa is already configured in to multiple mode. Im looking to adapt this behaviour in the new asas, with these two asas in ha-mode / cluster (not sure if im terming it correctly, forgive me) as describe above.

Going throuhg the sample configuration that i have come across, there this line

" ip address [ip] [mask] standby [standby_ip]"

The way i understand this is, if ASA1 fails then ASA2 assumes the active role, ASA2 will also assume the standby ip, thus from the public internet perspective, im now at diffirent ip, which is the standby ip. What im looking is ASA2 assume the active role but still uses the original ip. (im referring to an appliance failure here, but isp is still good).

ASA Failover Deployment

Marvin Rhoads — Fri, 13 Dec 2013 03:25:26 GMT

You're welcome.

The active ASA will always assert the first IP address in your interface configuration.

The standby IP address is used by the standby ASA and is there so that the Active unit in the failover cluster can verify reachability of the Standby unit (assuming that is one of the monitored interfaces for failover purposes).

The standby IP address is not for a "standby" ISP per se. When a failover occurs, the (formerly) Standby unit takes over that first address as it assumes the Active role.

ASA Failover Deployment

Jon Eyes — Fri, 13 Dec 2013 04:04:02 GMT

Got it. So the virtual-ip im terming here is the first ip declaration in this syntax "ip address [ip] [mask] standby [standby_ip]"

And from my inside network, i should point my core switches' default route to the first declared ip

How about this idea.

By default, all traffic
passes through the primary isp. Some traffic is being routed to the secondary isp based on
the destination address/network. If there is an outage in the primary isp, all traffic
will be routed out on the secondary isp. The same applies if there is an secondary isp
outage, all traffic being routed out on that isp will be routed to the primary isp

...

The catch is, all primary isp
traffic will be routed out on the outside interface of the ASA1 and all secondary isp
traffic will be routed out on the backup interface of ASA2. If ASA1 becomes unavailbable,
all primary isp traffic will be handled by ASA2 via its outside interface. The same if
ASA2 becomes unavailable, all secondary isp traffic will be handled by ASA1 via its backup
interface.

Thanks again

ASA Failover Deployment

Marvin Rhoads — Fri, 13 Dec 2013 04:50:18 GMT

You say "Some traffic is being routed to the secondary isp based on the destination address/network". You do that with a route statement shared across the synchronized configuration file.

For a given Active ASA (or ASA context), you will use routes/interfaces to your primary and secondary ISP. If and only if that ASA (or context) moves from active state on one ASA to active on the other does the other ASA start passing traffic. When it does, it does so exactly like the formerly active unit with the exception that is is going via a physically different appliance and will land in physically different ports in the inside and outside switches.

Nothing changes in the running configuration or routing behavior.

ASA Failover Deployment

Jon Eyes — Wed, 18 Dec 2013 05:22:44 GMT

Hi Marvin,

Just picked up my task on this one. im already int this part, not sure if im doing it correctly

In my ASA1, I created two context, C1 and C2. Have already attached corresponding interface.

These are my configuration

----------------------------------------------

sh run context

admin-context admin

context admin

config-url disk0:/admin.cfg

context C1

allocate-interface GigabitEthernet0/0

allocate-interface GigabitEthernet0/1

config-url disk0:/C1.cfg

context C2

allocate-interface GigabitEthernet0/0

allocate-interface GigabitEthernet0/2

config-url disk0:/C2.cfg

-----------------------------------------------

Context-C1

sh run interface

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 208.75.10.1 255.255.255.0 standby 208.75.10.2

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.19.111 255.255.255.0 standby 172.16.19.112

Context-C2

sh run interface

interface GigabitEthernet0/0

nameif inside

security-level 100

no ip address

interface GigabitEthernet0/2

nameif backup

security-level 0

ip address 116.50.172.1 255.255.255.0 standby 116.50.172.2

The problem is im receiving this error if im going to configure context-C1 interface g0/0

ASA1/C2(config-if)# ip add 172.16.19.111 255.255.255.0 standby 172.16.19.112

ERROR: This address conflicts with another address on net

Please refer to the attachement.

The Core switches in behind the ASAs are running glbp and the default gateway will be pointed to 172.16.19.111

Any idea how we can proceed?

Re: ASA Failover Deployment

Marvin Rhoads — Wed, 18 Dec 2013 15:12:14 GMT

Your command output shows you are trying to assign the same 172.16.19.111 (and .112) address on Context 2 that you have already used in context 1. They need to be unique.