topic Re: ASA Failover in Network Security

ASA Failover

fvanlancker — Mon, 11 Mar 2019 16:22:02 GMT

If an ASA has lan failover and statefull crossover-cables connected without an intermediate switch. If one ASA goes down the other asa senses two links are down, will this be an issue ? In the cisco the second edition of the firewall handbook it is a tip not to connect the back to back but it does not say what happens in a real situation.

Re: ASA Failover

Collin Clark — Thu, 01 Oct 2009 15:18:38 GMT

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.

Re: ASA Failover

fvanlancker — Thu, 01 Oct 2009 15:22:06 GMT

Hi Collin,

Thanks for the info, but do you think that the statefull en Lan link are also monitored ? There is certainly no option to monitor them.

And what if switch would fail ? Will both asa's become active ?

Re: ASA Failover

Collin Clark — Thu, 01 Oct 2009 15:26:21 GMT

You typically attach each ASA to a different switch for full redundancy. The failover link is inherently monitored because that link is where the majority of failover communications occur. If that link fails, then each ASA thinks it's primary.

Re: ASA Failover

fvanlancker — Fri, 02 Oct 2009 12:20:53 GMT

Assume:

2 ASA connected via 2 failover interfaces in active/standby configuration. The secondary ASA goes down.

What happens ?

b: Same scenario but the primary goes down.

c: They both go down and come back up again,but the secondary is first. How will te switches mac-address tables and the routers handle their arp table ?

Re: ASA Failover

Collin Clark — Fri, 02 Oct 2009 12:33:27 GMT

a. Nothing really. The primary still thinks it's primary and continues to pass traffic.

b. Once the heartbeat fails (2 times I believe) the secondary becomes primary and starts passing traffic.

c. The ARP tables will be empty because of the ASA outage so when the ASAs come back up, the switch will populate their ARP tables as normal. Since the 2nd ASA comes up first, it will be primary.

Re: ASA Failover

fvanlancker — Fri, 02 Oct 2009 12:52:36 GMT

but the failover interfaces are monitored, so if I put the threshold on 1 no ASA will be active.

Re: ASA Failover

Collin Clark — Fri, 02 Oct 2009 12:57:10 GMT

They both think they are active. They both want to be active. The active keeps telling the secondary to 'stand down, I'm in charge right now.' The standby keeps waiting and wanting to be in charge. As soon as it doesn't here from the one in charge, it takes over and assumes the role.