topic Re: ASA Active/Standby in Network Security

ASA Active/Standby

cowetacoit — Mon, 11 Mar 2019 15:54:59 GMT

Couple questions. About to implement this scenario with two ASA5520s. I plan to have these two connected to two 4506s running as core switches. My question is do the ASAs need a dedicated link to each other for their communication or can they communicate active/standby info with each other through their links to the dual 4506s? The 4506s will be running EIGRP with default routes to the ASAs. The 4 devices will be connected with a /29 subnet. Please see the attachment. The ASAs do not have sub interfaces. They are connected to the 4506s on the same vlan, vlan 2. Will i need a direct link between the two ASAs? Thanks. I just want to make sure i understand this right.

Re: ASA Active/Standby

Todd Pula — Tue, 14 Jul 2009 17:41:24 GMT

You will need to dedicate an interface on each ASA for failover. These interfaces can either connect back to your core switches on an isolated VLAN or can be connected directly with a crossover cable. Please refer to the following doc for failover requirements and configuration on the ASA platform.

Re: ASA Active/Standby

Todd Pula — Tue, 14 Jul 2009 17:42:40 GMT

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096

Re: ASA Active/Standby

cowetacoit — Tue, 14 Jul 2009 17:59:14 GMT

so i would keep my current IP config but add 1 more interface per ASA and connect them to a layer 2 vlan on the dual cores? Also i have a question about my default routes on the dual 4506s. As i mentioned i'm running EIGRP on the 4506s. Since i'll have two 4506s and 2 ASAs what will my default route point to?

Re: ASA Active/Standby

Todd Pula — Tue, 14 Jul 2009 19:03:51 GMT

Your existing IP config will need to be updated to include standby IP addresses for the pair. In an active/standby scenario, the active ASA will manage the primary interface IPs and will use the failover link for replication and keepalives. In a failure scenario, the secondary ASA will take over control of the primary interface IPs. This will allow you to point your default route to the same IP irrespective of what ASA is active at that time. Below is a sample failover config.

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 11.11.11.11 255.255.255.0 standby 11.11.11.12

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12

interface GigabitEthernet0/2

description LAN/STATE Failover Interface

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/2

failover key *****

failover link Failover GigabitEthernet0/2

failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2

Re: ASA Active/Standby

cowetacoit — Tue, 14 Jul 2009 19:08:15 GMT

Nice, you answered my question. Any issues running this on a production ASA or should i wait until a maintenance window?

Re: ASA Active/Standby

cowetacoit — Tue, 14 Jul 2009 19:52:06 GMT

One last question....I see you have a Standby IP on the OUTSIDE interface...is this needed? I have a public IP on my ASAs OUTSIDE interface, would i need a second public IP for the second ASA OUTSIDE int?

Re: ASA Active/Standby

Todd Pula — Tue, 14 Jul 2009 20:27:14 GMT

You will want both the inside and outside interfaces configured with a secondary address. This address must be from the same subnet as the active IP address.

Re: ASA Active/Standby

cowetacoit — Tue, 14 Jul 2009 22:47:11 GMT

I've read through some documentation and see where Cisco recommends adding the secondary IP address for all data interfaces. I am trying to understand how certain things like S2S and remote access VPNs will work now. We have several remote ASAs that use the primary public IP for S2S and clients that are configured to use the primary public IP. Could you explain this a little more? Thank you so much for your help

Re: ASA Active/Standby

Kureli Sankar — Tue, 14 Jul 2009 23:47:40 GMT

This not secondary address but, standby address.

The rolls are primary and secondary but the states are active and standby.

Which ever unit is active it will assume the active mac in layer 2 and the active IP for layer 3. This active mac and active IP is always the primary unit's except the failover interface. These will continue to use their own IP and mac.

When we failover we always send gratuitous arp so, the adjacent devices can update the arp and mac-address table.

So, even for the outside interface you should have a standby IP otherwise monitoring interfaces will not be possible. Failover will still work.

Re: ASA Active/Standby

cowetacoit — Wed, 15 Jul 2009 01:34:29 GMT

Ok. So which ever device is active will assume the role of the active MAC and IP address (All interfaces except failover). So if the active ASA failed, the standby ASA would take over using the active Mac and IP of the Active ASA?

Re: ASA Active/Standby

Todd Pula — Wed, 15 Jul 2009 12:35:16 GMT

Correct

Re: ASA Active/Standby

cowetacoit — Wed, 12 Aug 2009 12:17:22 GMT

i need to bring this topic back up. Since each ASA will be connected to 2 4506s on the LAN side, i assume i will have an SVI on each 4506 for int vlan 2? Then i'll just include vlan 2 in the trunk between the two 4506s? Thanks!

4506_1

vlan 2

name 4506_ASA

interface vlan 2

ip address 10.10.2.2 255.255.255.0

4506_2

vlan 2

name 4506_ASA

interface vlan 2

ip address 10.10.2.3 255.255.255.0

Then trunk vlan 2 between the 4506s

Re: ASA Active/Standby

Todd Pula — Wed, 12 Aug 2009 13:07:18 GMT

You got it. VLAN 2 will be defined on both switches. You may also look into using HSRP on the core 4506s in order to provide for further resiliency. As for the dedicated failover link, you can either configure it in a similar fashion as above using a dedicated VLAN or you can use an xover connection between the two chassis.

Re: ASA Active/Standby

cowetacoit — Wed, 12 Aug 2009 13:13:41 GMT

for failover, i'm using a dedicated layer 2 vlan. I am already running HSRP on a few DC vlans, everything else is P2P links with EIGRP. I wouldn't run HSRP on the vlan 2 SVIs would i? Seems like it would conflict with my ASA failover on the LAN side.