ASA5515x MEC to two 3750X and two 4500X

john.dejesus · ‎06-18-2015

Hi

I have a design wherein two ASA5515Xs (ASA1 and ASA2) are configured as multicontext mode. ASA's Interface G0/1 and G0/3 respectively are conected to two 3750Xs for OUTSIDE traffic Po1. And ASA's Interface G0/0 and G0/2 respectively to two 4500X (configured as VSS) for INSIDE traffic Po2. These physical interfaces are configured as etherchannel.

Inside the two ASAs, are two contexts, CTX1 and CTX2. CTX1 is active on ASA1 and CTX2 is active on ASA2. On top of 3750x-SW1 I have a CE_ROUTER connected to G1/0/2 and below the 4500x-SW1-G1/1/2 is connected to InternalRTR.

Everything works fine, until I encounter a failover on the OUTSIDE interface of CTX1, so CTX1's outside interface had failover to ASA2. Then after the failover, the BGP communications between CE_ROUTER and InternalRTR was stopped (OpenSent/Active). I run a packet capture inside the CTX1 and there was no syn/ack ack from InternalRTR. Bi-drectional ping was successful but BGP was not able to establish. But If I move the InternalRTR to port G2/1/2 of 4500xSW2 the BGP connection was able to establish.

My assumption on this issue is the Multi-Chassis Etherchannel configuration of ASA to two 3750X and 4500X. Am I correct? My question here are the ff.

1. Is ASA supports MEC? I have read the cluster configuration of ASA, but Im not sure if this is the solution.

2. It seems to me, that somewhere along the port channels, the bgp tcp packets was asymmetrically traversing the network. How do I mitigate this kind of issue?

3. What is the best practice design for two ASAs (ACTIVE/ACTIVE configuration) to leverage the technology of VSS in 4550x and stackwise technology in 3750X.

Please advise, thank you in advanced.

Marvin Rhoads · ‎06-18-2015

There was a pretty thorough blog post over at netcraftsmen.com on this topic - focusing on the Catalyst 3k side.

Have a look at it and see if some of that info may point you in the right direction.

john.dejesus · ‎06-18-2015

Here is my network diagram for your reference. Please advise if this is a good design or I need to adjust something.

Marvin Rhoads · ‎06-18-2015

Seems a bit complex - especially with multiple contexts on a 5515-X. However, it should be supportable.

From your description and looking at the diagram, I'd suspect the issue lies in the VSS cluster. Potentially it could be an arp vs cam timer mismatch as described here (see figure 3-19).

Personally I'd open a TAC case on it because it is best troubleshot by doing some interactive commands on the devices involved.

john.dejesus · ‎06-18-2015

I just read the article. thanks for your help. tried searching for a know issue on the ASA v9.x software regarding the cross stack. and I've found a couple of bug that cisco is still working on.

https://tools.cisco.com/bugsearch/bug/CSCtw63011.

Marvin Rhoads · ‎06-18-2015

The workaround for that bug was the one Carol mentioned in her blog post.

I'd definitely go the TAC route - they can tell you definitively if you're hitting that or a similar bug - remember not all bugs are published..

john.dejesus · ‎06-18-2015

Thanks for your help. Yes, I will open a case with cisco TAC. I'll keep you posted. thanks again.