topic Re: Local ASA active/active and multiple DC active/active in Network Security

Local ASA active/active and multiple DC active/active

Ian Terry — Tue, 12 Mar 2019 00:36:36 GMT

Hi

Trying to work through a tricky issue - customer has 2x DCs in geographically diverse locations. Each DC is resilient in terms of networking on all fronts. If a data centre fails, traffic is routed through the other DC - nothing unusual. We have multi-Gigabit links between DCs. Core backbone is N7k

In terms of security each DC is provided with a pair of active/active ASAs.

Ideally we need to get an active/active between DCs so that in the event of a full (or partial) DC failure, the other DC will be aware of the sessions traversing across the "failing" DC. Response time between DCs is well within guidelines, this is not the issue.

Any thoughts on how this could be achieved?

Many thanks in advance.

Sent from Cisco Technical Support iPad App

Local ASA active/active and multiple DC active/active

david.tran — Thu, 13 Dec 2012 02:09:21 GMT

before I can offer my opinion, can you elaborate on the followings:

- Active/Active for ASA at each data for internet facing applications?

- Any firewalls between the multi-Gigabit links between the DCs?

- can you provide a specific example for "full" or "partial" DC failure?

Re: Local ASA active/active and multiple DC active/active

Ian Terry — Thu, 13 Dec 2012 08:46:05 GMT

Hi

Firstly, thanks for taking an interest

In answer to your questions

1. The active/active ASAs in each DC are for traffic to an from the Internet
2. The DCs are connected without FWs as the links are non-public
3. The full/partial is relatively straightforward - within a DC if an ASA fails, not an issue the other takes over. If both ASAs fail, traffic needs to be routed to the other DC and ideally this needs to maintain previously initiated traffic flows hence the requirement to have active/active between the DCs.

Does this help?
Sent from Cisco Technical Support iPad App

Re: Local ASA active/active and multiple DC active/active

david.tran — Thu, 13 Dec 2012 10:18:15 GMT

1- For inbound traffic from the Internet, that will be possible if you use F5 GTM (I am a Cisco person when it comes to routers and switches but anti-cisco when it comes to Firewall, load balancers and other things, I just things there are better vendors out there than cisco); however, you will NOT be able to maintain previously traffic flows. New traffics will be re-directed to the new DC by the GTM but existing traffic flows will not be maintained. If you think about it, that makes perfect sense.

2- for outbound traffcs, assuming that you have your routing design properly, this will work as well. If both ASAs in DC1 fail, the server will know how to use multi-gigabit link between the DC and go out of ASA on DC2; however, since the ASA is "stateful" firewall, any previously initiated traffics will be lost, only new connections will work; if you want to maintain previously traffic flows, it will be possible with routers (without firewall) because routers can handle asymetric routing (or maybe ASA can handle as well with tcp-bypass feature) but I don't think it will work either because in this design, the destination servers is expecting you're coming from the same IP address (NAT'ed I assume) in both DCs. when DC1 is down and you're using DC2, you will be using a different NAT'ed, thus breaking previous traffics flow. Is it possible, yes? Difficult to achieve, hell yes.

Re: Local ASA active/active and multiple DC active/active

Ian Terry — Thu, 13 Dec 2012 12:05:21 GMT

Thanks for this - Cisco throughout I'm afraid.

Yes it is difficult and appreciate the support.

Sent from Cisco Technical Support iPad App