ASA 5585X Active/Active Failover Group Inter routing

leach_stuart · ‎03-21-2012

Hi All,

I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.

The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.

I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2.

I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.

I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.

Any ideas would be greatly appreciated.

Thanks

Dan-Ciprian Cicioiu · ‎03-21-2012

Hi ,

If it was for me , I was going to do a VLAN used for interconnecting Contexts, and on each context the route will be put with a next hop of the active context. This way whatever happends to that context the active IP of the interconnection will be the next hop of the route.

If you tottally want a GW context , I will go just for one , not two.

Is there any security purpose of the GW context ?

Dan

leach_stuart · ‎03-21-2012

So a separate VLAN which will be a shared interface in each context ?

If that is the case can i bring that in to both failover groups ? so that the active contexts on both appliances can see each other.

apologies if i have misunderstood.

Dan-Ciprian Cicioiu · ‎03-21-2012

Yes, this is the case.

Yes, the active contexts - on physical ASA-A or/and B - will be able to see each other through this shared segment.

The only thing the you have to do , is to route connected networks to the active IP of the context. The active IP will move in case of failover, so this wont be a issue.

Dan

leach_stuart · ‎03-21-2012

So if i use for example vlan 999 as my shared segment, when configuring i add this to every context in both failover groups.

Then when routing from Con 3 in failover group 2 on appliance B, configure a static route pointing to Con 1 in failover group 1 on appliance A, active address via the shared interface on con 3 and vice versa.

Thanks

Dan-Ciprian Cicioiu · ‎03-21-2012

Sorry , I didn't get the routing that you discribed I didnt get the issue

You will you different IPs for each context... the only thing that will be shared is an interface ( vlan in this case )

Dan

leach_stuart · ‎03-21-2012

I think i understand what you are suggesting.

i have read somewhere that you can not share an interface between failover groups, which is why i did not look at this as an option.

have you seen this in practice ?

Thanks

Dan-Ciprian Cicioiu · ‎03-21-2012

I've used this setup . The only difference is that all the contexts were active on the same physical appliance.

So I do not think that using this setup wont work in your case.

Dan

leach_stuart · ‎03-21-2012

Excellent, Thanks for your help.

Dan-Ciprian Cicioiu · ‎03-21-2012

My pleasure

Regards

Dan