ASA Failover pair connected through switch - what happens when failover link fails?

NazgulNr5 · ‎10-14-2019

We have an ASA failover pair but they are in two locations. The failover link goes through two switches (one on each site). As the most likely reason for a failover would be a power outage on the site with the active ASA, I was wondering if the failover actually worked. If there was a power outage, the switch would fail too and the secondary ASA just sees that the failover link is down and (might) not become active.

As this is a production network I'm not just going to pull the plug.

Has anyone some experience with this kind of setup?

Marvin Rhoads · ‎10-14-2019

Several things can trigger failover. Among them is failure to receive the heartbeat from the peer unit. That would happen whether it is a single cable connecting the units or multiple switches across two sites.

I've implemented scenarios like the one you describe and it works just fine.

NazgulNr5 · ‎10-15-2019

Thanks for the reply!

I'm refering to the statement in this document:

HA active standby config guide

Table 1-1 Failover Behavior states that there will be no failover if the failover link failes during operation.

Our setup pretty much looks like Figure 1-2 Connecting with a Double Switch—Not Recommended (minus the ISL).

Not recommended but as a complete power outage is the most likely scenario, a separate switch for the failover link would not help anyway.

Marius Gunnerud · ‎10-15-2019

As mentioned in my previous post, as long as the monitored interfaces still have connectivity between the active and standby ASAs, if the failover link fails there will be no failover. But this is why it is very important that all the interfaces on the ASAs are in a monitored state. If an interface that is not monitored fails there will be no failover and clients connected to that interface will lose connectivity.

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎10-14-2019

What happens when the failover link fails is that the secondary ASA starts sending hello packets out the monitored interfaces (the interfaces MUST be monitored for this to happen). If the secondary ASA receive a reply it know that the primary is still active and will not assume the active role. If no reply is received after 3 attempts the secondary ASA becomes active.

--
Please remember to select a correct answer and rate helpful posts

NazgulNr5 · ‎10-15-2019

Hmm, maybe I should try in in GNS3...

The configuration guide says no failover with a failed failover link but maybe with monitored IFs...

Marius Gunnerud · ‎10-15-2019

testing in GNS3 is a pain when testing failover on ASA. You cannot just do a shutdown on the switch port to initiate a failover as the interface will always remain up as the link is virtual. You could try to remove the link connecting the ASA to the switch, though I have not tried that, but I assume it will give the result you are looking for.

But just to repeat myself. If just the failover link fails, there will be NO FAILOVER if other interfaces are monitored and connectivity is established between the primary and secondary ASAs.

If both ASAs are up, but connectivity between the ASAs on failover link and monitored interfaces fails, then you will have a split brain situation.

If an interface fails (not failover link interface) then a failover will happen, depending on what you have configured as your failover criteria.

--
Please remember to select a correct answer and rate helpful posts