ASA 5515-X Failover Help

conor.maton · ‎07-21-2017

Hi guys,

I amin the process of configuring a pair of Cisco ASA 5515-X Firewalls. Firewall A has 5 connections and Firewall B has 6 connections so I don't believe an Active/Standby configuration will work in this instance as they go to different networks so will need both Firewalls processing traffic.

I also have a connection to a client's network and they have provided a /30 subnet to use as a P2P link (192.168.10.0/30). They will use my interface address as their next hop address for routing to my networks.

What I am trying to do is to configure the Firewalls so that the interface they will use as their next hop failovers to the standby Firewall. I think you can do this when in Active/Active or Active/Passive but I am not so sure how I go about this. I think multiple contexts with groups are used but I wouldn't know where to start or if I am indeed correct.

I have attached my topology with example interfaces and addresses. Mine and the client's Firewalls will connect via L2 switches.

Can anybody help me please and provide explanation of the solution?

Thanks in advance :)

EDIT: Updated topology attached. The customer has actually provided a /29 subnet for the P2P links, however they still only wish to use one addaress for the next hop. I need to find a way for both my Firewalls to both be passing traffic and for the 192.168.10.1 address to failover to the secondary Firewall if the normally active fails.

Aditya Ganjoo · ‎07-22-2017

Hi,

I do not think failover would work in your scenario.

Failover has these requirements:

•The same hardware model

•The same number of interfaces

•The same types of interfaces

Also, clustering cannot work on this hardware.

So we may need to think something else or ensure we have the same set of interfaces on both the devices.

Regards,

Aditya

Please rate helpful and mark correct answers

conor.maton · ‎07-22-2017

Hi Aditya, thanks for your reply.

See updated topology attached and in the OP.

From the new topology:

The customer has actually provided a 192.168.10.0/29 subnet for the Firewall P2P links via the Switches (running at Layer 2)
Both my Firewalls require to be active due to having a different numbers of connections (I've only shown the LAN but one Firewall has 3x external networks and the other has 2x external networks so both Firewalls need to be passing traffic)
I have a failover link between my two 5515-X's in the 172.16.0.0/30 subnet
The customer will have a static route to my LAN with a next hop address of 192.168.10.1
192.168.10.1 will be configured on the active Firewall, 192.168.10.2 will be configured on the secondary Firewall
I need the 192.168.10.1 address to failover to the secondary Firewall if the active Firewall fails. This is the problem I am trying to resolve

I am pretty sure this can be solved using multiple contexts but I am a little unsure how these work.

Hopefully you can help :)

cofee · ‎07-22-2017

Is there any layer 3 device at the edge, out side of firewall that you can use as a next hop for the client and then route traffic to firewall ? I think this would be a lot less complicated than trying to do this on in your current firewall set up.

conor.maton · ‎07-22-2017

Hi cofee, than you for your reply.

There is but I have no idea of the IP address as it isn't my design. Also the agreement was made a while ago and the customer has pretty much completed what they need to do from their end.

There must be a way to failover the IP address? If an Active/Standby can do it surely an Active/Active (or otherwise) can too?