Is a router required for an ASA active/standby failover pair?

it
Level 1

Hi everyone,

I'm planning a failover ASA deployment and I'm going by this guide:  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

In the diagram for "LAN-Based Active/Standby Failover Configuration" they depict a router ahead of the two ASAs and then the "outside" interfaces of the ASAs having local addresses and physically connecting into the head-end router.

So my question is this: is there a way to do this without using a head-end router?  My idea is to use a switch instead of a router - plug the internet connection into the switch, configure the "outside" interface on the Active ASA with the public IP from the ISP and then a bogus "1.1.1.1" address on the failover ASA.  As I understand it, when the Active ASA goes offline/becomes unavailable the failover ASA configures itself with the Active ASA's configuration.  So in theory it should delete its own bogus "1.1.1.1" IP and configure itself with the Active ASA's public IP and MAC address.

Would that work?

If the head-end router is absolutely required, how do I terminate L2L and Remote Access VPN connections on the ASA rather than the head-end router?

Thanks!

7 Replies

Maykol Rojas
Cisco Employee

Hi,

Not recommended, but yes. Remember that the bogus IP needs to be on the same range as the outside of the primary unit, in order for the hello packets to be exchanged between the interfaces, so that in case the interface fails, it can do failover.

Hope it makes sense.

Mike

Mike

Thank you for your reply.

Out of curiosity, why is having the head-end router recommended?  I thought the ASA was designed to be an edge/border device?

Also, I was just thinking about it some more and I don't really understand why the outside interface on the failover ASA needs to be on the same subnet as the Active ASA.  You said it was for failover, but I thought there were two ports on each ASA (or a single physical port and a virtual interface) dedicated to failover and state information?  Why would the two "outside" ports need to communicate on a common subnet?

Thanks!

Hi,

The edge router is simulating the service provider router, the one that provides internet. Each secondary IP that you put on the ASA firewall has a purpose. Hello packets are sent from the Active unit to the standby unit through those IP addresses. If the outside interface has a bogus IP that is not on the same subnet as the Active unit's outside, failover will be bouncing around because hello packets are not heard.

If you have questions feel free to ask.

Mike

Mike

Well, I'm going to have to use a head-end router since my ISP can't expand my current public subnet and so I'd have to get all new IPs which isn't really an option at this time.

Bummer!

Andrew Ossipov
Cisco Employee

Hello,

Actually, the ASAs would physically connect to the switch that represents the outside segment; the router in the diagram depicts your ISP. Since it is not mandatory to assign a standby IP on a particular interface unless you want to take advantage of interface monitoring, your proposed topology should work just fine. The only requirement for the ASA failover peers is to have their respective interfaces on the same Layer 2 segments.

Andrew

it
Level 1

I implemented the standby ASA this weekend according to the plan I outlined in my first post and everything worked.  The failover isn't as seamless as I had hoped even with the state information being synced between the ASAs.  Maybe I just need to tweak the failover criteria?

Anyways, thanks for the help!
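The points made in this thread, as an added configuration example that is not from the thread or from the linked Cisco guide: Andrew's requirement that the peers' interfaces share a Layer 2 segment, Maykol's point that a standby IP on the outside must sit in the same subnet for interface hellos to work, and the poll/hold timers that govern the "failover criteria" the original poster mentions. Interface names, the documentation-range addresses (203.0.113.0/29, 192.168.1.0/24, 10.255.0.0/30, 10.255.1.0/30) and the failover key are placeholders chosen for this example.

```cisco
! ---- Primary unit (ASA active/standby, LAN-based failover) ----
! Constructed example; addresses, interface names and the key are placeholders.

! Outside interface: active IP plus a standby IP on the SAME subnet, so the
! peers can exchange interface hellos and the outside link can be monitored.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Dedicated failover (LAN) link and stateful link, each on its own /30.
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATE GigabitEthernet0/3
failover interface ip STATE 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Shared secret so the failover and state traffic between the peers is
! encrypted rather than sent in clear text (placeholder value).
failover key CHANGE-ME-FAILOVER-SECRET
! Unit hellos every 1 s, peer declared failed after 3 s; interface hellos
! every 1 s, interface declared failed after 5 s. Lower values fail over
! faster but tolerate less transient congestion on the segment.
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
! Interface monitoring: a monitored interface needs a standby IP on the peer.
monitor-interface outside
monitor-interface inside
failover

! ---- Secondary unit: only the bootstrap is configured by hand; ----
! ---- everything else is replicated from the primary.             ----
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key CHANGE-ME-FAILOVER-SECRET
failover

! ---- Variant matching the original poster's constraint (one public IP) ----
! No standby address on outside, so interface monitoring is disabled there.
! Unit-level hellos on the FAILOVER link still detect a dead peer, but a
! failure of the active unit's outside link is no longer detected by
! interface monitoring, which is the trade-off Andrew describes above.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
no monitor-interface outside
```

After both units are up, `show failover` on either unit reports the unit state, the state of each monitored interface and whether the peer's interfaces are reachable; an interface listed without a standby address shows up there as unmonitored, which is the expected result for the single-public-IP variant.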
