topic Re: ASA Failover w/ EIGRP in Network Security

ASA Failover w/ EIGRP

Brian M — Mon, 11 Mar 2019 13:19:02 GMT

Does the ASA support EIGRP when failover is configured? My second appliance will not neighbor up with anyone when failover is configured.

Re: ASA Failover w/ EIGRP

steavg — Wed, 23 Jul 2008 17:39:27 GMT

Hi,

Are you talking A/A or A/S...multiple context mode (A/A) does not support EIGRP.

Assuming you are using A/S EIGRP is supported.

Do you have a debug trace of your EIGRP on the ASA ?

Cheers

stefan

Re: ASA Failover w/ EIGRP

Brian M — Wed, 23 Jul 2008 17:50:23 GMT

A/S with a pretty straight forward configuration using LAN failover and no state information. When I debug EIGRP PACKETS on the second ASA I don't get anything, it just sits. Here is the config:

interface GigabitEthernet0/0

speed 1000

duplex full

no nameif

no security-level

no ip address

interface GigabitEthernet0/0.3

vlan 3

nameif Outside

security-level 0

ip address 200.200.200.1 255.255.255.0 standby 200.200.200.2

interface GigabitEthernet0/1

speed 1000

duplex full

no nameif

no security-level

no ip address

interface GigabitEthernet0/1.252

vlan 252

nameif Inside

security-level 100

ip address 172.27.252.254 255.255.255.0 standby 172.27.252.253

interface GigabitEthernet0/2

speed 1000

duplex full

nameif DMZ

security-level 50

ip address 192.168.199.1 255.255.255.0 standby 192.168.199.2

interface GigabitEthernet0/3

description LAN Failover Interface

interface Management0/0

nameif Management

security-level 100

ip address 172.27.0.12 255.255.255.0

management-only

...

failover

failover lan unit secondary

failover lan interface failover GigabitEthernet0/3

failover key *****

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

...

router eigrp 16855

no auto-summary

network 172.27.0.15 255.255.255.255

network 172.27.252.0 255.255.255.0

network 192.168.199.1 255.255.255.255

passive-interface default

no passive-interface Inside

The 172.27.252.0 network is the one I need EIGRP running on

Re: ASA Failover w/ EIGRP

pmccubbin — Fri, 05 Sep 2008 17:51:39 GMT

Brian,

Did you ever resolve your issue?

This is how it is documented by Cisco and I would like to know if anyone has done it this way. Thanks in advance.

!outside interface configuration

interface GigabitEthernet0/0

description outside interface connected to the Internet

nameif outside

security-level 0

ip address 100.10.10.1 255.255.255.0

!inside interface configuration

interface GigabitEthernet0/1

description interface connected to the internal network

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!EIGRP authentication is configured on the inside interface

authentication key eigrp 10 cisco123 key-id 1

authentication mode eigrp 10 md5

!management interface configuration

interface Management0/0

nameif management

security-level 99

ip address 10.10.20.1 255.255.255.0 management-only

!EIGRP Configuration - the CLI configuration is very similar to the

!Cisco IOS router EIGRP configuration.

router eigrp 10

no auto-summary

eigrp router-id 10.10.10.1

network 10.10.10.0 255.255.255.0

!This is the static default gateway configuration

route outside 0.0.0.0 0.0.0.0 100.10.10.2 1

!Interface that connects to the Cisco ASA. Notice the EIGRP authentication paramenters.

interface FastEthernet0/0

ip address 10.10.10.2 255.255.255.0

ip authentication mode eigrp 10 md5

ip authentication key-chain eigrp 10 MYCHAIN

! EIGRP Configuration

router eigrp 10

network 10.10.10.0 0.0.0.255

network 10.20.20.0 0.0.0.255

network 172.18.124.0 0.0.0.255

network 192.168.10.0

no auto-summary

Re: ASA Failover w/ EIGRP

suschoud — Wed, 10 Sep 2008 20:09:09 GMT

Guys,

Saw this unresolved post today.....

Here you go :

Basically what is going on here is that when a pair of firewalls operates

asa failover pair they are regarded as a single device as far as the routed

path is concerned. The active is supposed to forward traffic and the standby

is supposed to wait until the active fails and then jump in and take over.If

the standby was to participate in the eigrp domain it would cause traffic to

be routed to it and then be dropped because it is not actively forwarding

traffic.

When an actual failover occurs the standby will become active and then begin

to participate in the eigrp domain. The IP addresses of the active firewall

remain constant through out the process and so from the perspective of our

internal eigrp routers the "firewall" missed a few hello messages and then

came back up.

But we can put the static route on primary firewall for the network from

where we want to monitor the secondary firewall. And that route will

replicate to secondary firewall as it is not a dynamic route and this will

help up us in accessing the secondary firewall for management purpose from

the inside subnets .

PLEASE RATE IF HELPS. 🙂

Regards,

Sushil

Re: ASA Failover w/ EIGRP

francisco_1 — Wed, 10 Sep 2008 20:40:48 GMT

Brian,

The mode you are using Active/standby does support EIGRP with version 8 software.

Is EIGRP working on the acive ASA? The standby peer is not forwarding any traffic when in standby mode and will not form any EIGRP neighbour relationship. Based on your config you are using active/standby in a routed mode. Only one ASA isactive and the active ASA can form EIGRP neighbour relationship.

If you need configuration help with EIGRP routing on the ASA, let us know.

Francisco.

ASA Failover w/ EIGRP

vciric — Mon, 04 Feb 2013 11:44:53 GMT

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html

"In Version 8.4 and later, Stateful Failover participates in dynamic routing protocols, like OSPF and EIGRP, so routes that are learned through dynamic routing protocols on the active unit are maintained in a Routing Information Base (RIB) table on the standby unit. Upon a failover event, packets travel normally with minimal disruption to traffic because the Active secondary ASA initially has rules that mirror the primary ASA. Immediately after failover, the re-convergence timer starts on the newly Active unit. Then the epoch number for the RIB table increments. During re-convergence, OSPF and EIGRP routes become updated with a new epoch number. Once the timer is expired, stale route entries (determined by the epoch number) are removed from the table. The RIB then contains the newest routing protocol forwarding information on the newly Active unit."