topic problem with ASA 5520 Failover implementation in Network Security

problem with ASA 5520 Failover implementation

houjil — Tue, 12 Mar 2019 03:11:25 GMT

Hi all,

I'am preparing a failover implementation of our ASA 5520, we have two builduing A and B, between them i have onlly one fibre cable available : i will connecte with it a 3750 on each side, and i will use a UTP cable to connect the ASA on a dedicated physical interface.

the goal of this scenario is offering the maximum redundancy betweend equipement with just the exsistanet equipements, for exemple : if devices on buidl A fail then traffic will pass trough Building B and so on, (except for the WAN routers).

I reorgnised the actual configurations on all equipement, and i got the optimesed schema in the picture bellow :

i have two link between the CDR (4500) and the ASA :

the first link is a trunk link, it is dedicatd to the opertaionnal flow (project, visio ..).
the other pysical link is dedicated to the failover : (1sub interface for the FOLINK vlan 200, and another subinterface for the failover state vlan 201).

here is a part of the configuration on the firts ASA:

first ASA -

failover

failover lan unit primary

failover lan interface FOLINK GigabitEthernet2.1

failover polltime unit 1 holdtime 3

failover link FOSTATE GigabitEthernet2.2

failover interface ip FOLINK 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover interface ip FOSTATE 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface GigabitEthernet2.2

description STATE Failover Interface

vlan 201

ASASecondary(config)# sh run int g2.1

interface GigabitEthernet2.1

description LAN Failover Interface

vlan 200

second ASA :

failover

failover lan unit secondary

failover lan interface FOLINK GigabitEthernet2.1

failover polltime unit 1 holdtime 3

failover link FOSTATE GigabitEthernet2.2

failover interface ip FOLINK 192.168.1.1 255.255.255.0 standby 192.168.1.2

failover interface ip FOSTATE 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface GigabitEthernet2.2

description STATE Failover Interface

vlan 201

ASAProduction(config)# sh run int g2.1

interface GigabitEthernet2.1

description LAN Failover Interface

vlan 200

Problem :

With these configurations I can ping the statefull link from both sides. but i can ping the FOLINK, when I change the switch by a direct cable i got a successful ping for the FOlink and the STATEFULL link!!

Questions:

can you please have a look at this implementation and tell me if is correct what I did or if I need to add other things?
Is there any command configuration that I missed while configuring the Failover?
is the switch betweend the two ASA will permit or not the the failover implementation?

thank you in advance.

Regards

problem with ASA 5520 Failover implementation

Julio Carvajal — Mon, 02 Dec 2013 18:10:33 GMT

Hello,

can you please have a look at this implementation and tell me if is correct what I did or if I need to add other things?

It looks good, I mean I guess you will use HSRP on the internal L3 domain for more redundancy right?

Is there any command configuration that I missed while configuring the Failover?

No, the configuration is good.

is the switch betweend the two ASA will permit or not the the failover implementation?

Yes, Cisco actually recommends to use a switch between the failover units, what you need to make sure is that the traffic will go through the switch. Check the Vlan setup on the switch and the access-port definition bud.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

problem with ASA 5520 Failover implementation

houjil — Tue, 03 Dec 2013 10:04:57 GMT

Hi Julio and thanks for the answer,

After more reflexion, I changed the scenario to the new bellow; I decided to place the two asa in the same building since I have a problem with insufficient cables.

So, for the new scenario, I used port channels on both sides of switches connected successively to the ASAs, I have just a direct question:

Will the scenario work on just with the failover configuration or should I need to add HSRP config as you said? I guess I don’t need it, but I need a confirmation to avoid surprises while deploying.

The goal also for this implementation is to assume redundancy and load balancing firewall, is this schema will offer these goals.

Thanks you all in advance for your answers.

problem with ASA 5520 Failover implementation

Julio Carvajal — Tue, 03 Dec 2013 16:42:41 GMT

Hello Hicham,

I mean this will certanly work but the thing is you will now have a single point of failure at the Core level.

If The Switch that connects to the ASA goes down bum the entire network is down. I liked the previous scenario before.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com