topic ASA Failover in Network Security

ASA Failover

M Rinaldy Aulia — Fri, 21 Feb 2020 17:36:49 GMT

Hi All,

I have a question during my project for ASA High Availability

Here's the topology :

The Failover already working, but one point was not working .

So if we remove cable from ISP 1 (orange cable / A), the traffic didn't go through ISP 2.

But if we shutdown manually connection of ASA - Switch Edge (Orange Cable / Point B) and automatically ASA Secondary Orange Cable will be shutdown due sync.. The traffic will working to ISP 2.

We are using 2 IP Route and SLA for the configuration

route Outside3 0.0.0.0 0.0.0.0 123.231.x.x 1 track 1
route Outside 0.0.0.0 0.0.0.0 202.159.x.x 2

sla monitor 1
 type echo protocol ipIcmpEcho 123.231.x.x interface Outside3
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

Do you have any idea about this one? What I should to do for troubleshoot?

Re: ASA Failover

Deepak Kumar — Tue, 22 Oct 2019 04:45:32 GMT

Hi,

Try to make SLA timeout after some specific timing and packet drop as:

sla monitor 1
 type echo protocol ipIcmpEcho 123.231.x.x interface Outside3
num-packets 3
frequency 3

It will make SLA down after 9 to 12 seconds.

Second Question: Are your both WAN links under the failover monitor?

Re: ASA Failover

M Rinaldy Aulia — Tue, 22 Oct 2019 05:20:05 GMT

Hi Deepak,

Thank you.

i will confirm again at my customer site, for the timeout.

But As I remember, there’s already a timeout during the SLA.

because When I show route on ASA (if the cable from ISP1 - Switch Edge removed), route 0.0.0.0 0.0.0.0 already via ISP 2. And ASA can ping to internet

But from the user, we still can’t ping internet.

So we need to shutdown first Interface from ASA - Switch Edge (Traffic to ISP1)

No i didnt put monitor on interface WAN.

And the interface to ISP 1 and 2 doesnt have a standby IP, since availability

Re: ASA Failover

Deepak Kumar — Tue, 22 Oct 2019 06:30:22 GMT

Hi,

As you said that you can ping the Internet via ISP2 but no internet on the client system then I am assuming some more testing as:

1. Is DNS working during this downtime?

2. Is Xlate table issue?

3. Is the system failover happening after disconnecting the cable?

4. Is routing table updating (as you can ping the internet using ISP2 so I don't think routing table issue? This may be due to SLA & tracker.

Could you check the above things and share running configuration with logs.

Re: ASA Failover

M Rinaldy Aulia — Tue, 22 Oct 2019 08:59:43 GMT

Hi Deepak,

1. Is DNS working during this downtime? I assuming the DNS working, but user no internet connection during ISP 1 Fail (without shutdown the interface). I only can ping the internet from ASA

2. Is Xlate table issue? I'm not yet touching this area.

3. Is the system failover happening after disconnecting the cable? No, failover not happening.

4. Is routing table updating (as you can ping the internet using ISP2 so I don't think routing table issue? This may be due to SLA & tracker // Yes, it's updating the 0.0.0.0 0.0.0.0 to ISP2

Could you check the above things and share running configuration with logs.

Re: ASA Failover

M Rinaldy Aulia — Tue, 22 Oct 2019 09:00:27 GMT

Hi Deepak,

Attached the show run configuration