ASA 5585 connected with two Act/Stby core switches

metro_ciscosupport · ‎06-02-2012

Hi all,

Let me know the concept of configuration of both senarios.

Senario 1

Needs to route ISP traffic to the act/ ASA and if act ASA is down , stby ASA will have to take over. How to configure virtual ip on the router interfaces

Senario 2:

As same as senario 1 act/ASA should route raffic to act/ Core switch usually, if any failure of act/ Core sw , stby/ core will have to do the complete job. No VSS is running.

Is these 2 senarios are possible. Pls guide

Julio Carvajal · ‎06-02-2012

Hello Rex Perera,

Scenario number one:

You can accomplish it witht an active standby failover setup. If by any chance the secondary peers detects the active one is down he will take over.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Scenario number two:

I would say HSRP would do it as well is similart to the Active/standby purpose.

http://www.mundosysadmin.com/node/97

Those two links should explain everything about any of those features ( those are the ones I used to understand them)

Hope this helps.

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

metro_ciscosupport · ‎06-03-2012

Thanx, I ll check with the practical senario and confim

metro_ciscosupport · ‎06-05-2012

Hi Julio,

Let me explain again,

Senario 1 : The router feed with ISP-internet from G0/0 and it should routed to Act/ASA.if the Act/asa is down router should route all traffic to the Stby/asa. The Two asa is working properly and configured failover.My issue is how I configure the router 2 interfaces (G0/1 and G0/2) creating virtual interface.

Senario 2: How I route traffic from asa to core switch in a given time (asa G0/1) if act core is down asa connected to stnby core via asa G0/2 interface. How I configure asa's both interfaces in single subnet

thnks

Sergey Tregubov · ‎06-06-2012

Hello Rex Perera,

In your first scenario you can use IRB feature on your router.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml

or HSRP

In your second scenarion you can use redundant interfaces or etherchannel( if you use newer ASA version)

metro_ciscosupport · ‎06-06-2012

Hi ,

Thankx for the reply,

Senario 2: I tried both ways.But had some issues.

When using redundant interface configuration only G0/2 is the active interface all the time even when the Act/Core is down. How I trigger the G0/3 to UP when Act/Core is down.Please explain.

ASA-------G0/2-------------->Act/Core (TG/1)

|

G0/3

|

Stnby/Core(TG1/1)

Usually etherchannel will use between two devices (Switches or ..) . I want to know it can use to senario 2: (Within 3 devices)

Pls. explain

Sergey Tregubov · ‎06-07-2012

I assume you use 3750 stack for your core HA and all your devices stands in one rack (if not, it's not a problem i think)

If so, you can use your Core for connect ASA to the Router, just put ports of the router and asa watching to the router in same VLAN, configure failover on the asa. For interface redundancy you can use either redundant interfaces or etherchannel (8.4(*) version)

And connecting ASA to the core with etherchanel and redundant interfaces.

Marvin Rhoads · ‎06-06-2012

In scenario 1 put a switch (VLAN on a switch more accurately speaking) between your Internet router and the ASA pair. An Active-Standby ASA HA pair share a common Active IP address and virtual MAC address so the router does not need to make any choices regarding which ASA IP or MAC address to send traffic to.

In scenario 2 the core switch being down would cause the interface on the connected Active ASA to fail thus triggering a failover to the Standby unit.

metro_ciscosupport · ‎06-06-2012

Hi MARVIN,

In Senario 1 . as u said I used a switch in between the router and asa.I think it having a single point of failure.Thats why I try to overcome without a switch.

Senario 2: Please provide me a sample config as for ur suggestion.

Thanks