11-22-2018 03:09 AM - edited 02-21-2020 08:29 AM
I am after anyone who has deployed anything similar and what to expect regarding failover behaviour and times.
The scenario I am working with is a multi-site network, each site with two connections to the same ISP using either /30 or /31 IPv4 addressing. These will be brought into a L2 switch on two VLANs and then trunked up to two sub-interfaces on the HA pair of ASAs. I appreciate ASA HA works better with at least /29s on each interface so the standby can have an IPv4 address as well, however I don't have that luxury. In fact /31s will probably earn me some brownie points.
BGP will be used on each link and extended communities outbound on the ASA will be used to influence the inbound path for the public subnet sitting on the inside of the ASA, with one link primary and one secondary. To influence the outbound traffic from the ASA, weight or local preference will be set with a route-map or neighbor statement for the incoming default route the ISP will advertise to us, again giving us a primary and secondary path.
I am fairly confident that this will work and if it was a single ASA I don't see any issues apart from the obvious single point of failure. However, if it's an HA pair of ASAs I believe forwarding will still happen for the first 15 seconds outbound if there is a failover; however the BGP sessions will need to be re-established and I am not too sure how this will behave or how long it will take. There are only three prefixes advertised by the ASA (two P2P connected interfaces and the LAN segment); inbound we will just receive a default.
I have had a search but can't find exactly what I am proposing anywhere. If anyone has anything similar and would like to share experiences I'd appreciate it.
Cheers, Andy
11-24-2018 03:59 PM
11-25-2018 12:45 AM
Hi Steven, thanks for the reply, however that is not really what I was asking. The SP provides a /29 prefix, however they will route this down a /31 or /30 P2P link. If dual circuits are provided then eBGP must be used - there is no choice in this with the SP. This is a wires-only service so I need to terminate the circuits and eBGP on something. There is no budget for any new hardware so I am looking at what I have available to me. There is an HA pair of ASA 5500-X series firewalls, so with ASA 9.2(4)+ BGP is available and with 9.7+ /31 IPv4 addressing is available.
Therefore with what I have available I can terminate the circuits on a L2 switch (it will actually be a couple of VLANs on an existing DMZ switch that has four free interfaces) and then bring them into two sub-interfaces on the ASAs (four with HA) and then run eBGP. I know this will work. One advantage of terminating the P2P circuits on the ASA is that the public prefix doesn't then need assigning to a physical interface and the whole eight addresses can be used with NAT.
My question was how will it work with ASA HA? I know monitoring is affected due to the standby not having an IPv4 address, however physical monitoring will still work (link up/down). The BGP sessions will need to be re-established so I am guessing there might be some downtime? My understanding is the FIB continues for 15 seconds after switchover, however during these 15 seconds the routing adjacencies need to re-form?
I am after anyone's experiences with running eBGP on an HA pair of ASAs and if possible on /30 or /31 circuits.
11-26-2018 06:39 AM
11-26-2018 07:14 AM - edited 11-26-2018 07:36 AM
Hi Steven, I don't think I can explain it any clearer TBH... Two Ethernet P2P links to the same ISP - one primary and one backup. Each link will be either a /30 or a /31 public subnet. These will come into a L2 switch with a VLAN dedicated to each link. An HA pair of ASAs will also link into this L2 switch and connect to each circuit. The ISP only supports eBGP. I therefore have to configure eBGP on the ASA with a peer at the end of each link. The ISP will announce a default downstream and the ASA will announce the /29 public prefix outbound. Route-maps will be used inbound and outbound to influence the primary and backup paths.
However, this isn't the question as I know it will work... I want to know, when ASA HA is thrown into the mix, how will it behave?
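For readers following the design described in the posts above, here is an added example of what the ASA side of it looks like as configuration. This is not configuration from the original poster or from Cisco; the ASNs (65001 local, 64500 for the ISP), the RFC 5737 addresses (203.0.113.0/29 as the public prefix, 198.51.100.0/31 and 198.51.100.2/31 as the two P2P links), the VLAN numbers and the community values are all assumptions chosen for illustration. It shows the two /31 sub-interfaces with no standby address (the standby unit has no IPv4 address on these links, as discussed), the inbound route-maps that prefer the default route learned over the primary circuit by local preference, and the outbound route-maps that tag the /29 with a different community per circuit so the ISP can set its own local preference. The ISP-side policy that matches those communities is not shown, since it lives on the PE routers.

```text
! Two sub-interfaces, one per ISP circuit (/31 needs ASA 9.7+).
! No "standby" address: only the active unit owns an IP on these links,
! so BGP peers from the active unit only.
interface GigabitEthernet0/1.101
 vlan 101
 nameif isp-primary
 security-level 0
 ip address 198.51.100.1 255.255.255.254
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif isp-secondary
 security-level 0
 ip address 198.51.100.3 255.255.255.254
!
! The public /29 that is announced to the ISP (assumed value).
prefix-list PUBLIC-29 seq 5 permit 203.0.113.0/29
!
! Inbound: prefer the default route learned on the primary circuit.
route-map ISP-PRIMARY-IN permit 10
 set local-preference 200
route-map ISP-SECONDARY-IN permit 10
 set local-preference 100
!
! Outbound: announce only the /29, tagged per circuit so the ISP can
! prefer the primary. Community values are assumptions; the ISP defines them.
route-map ISP-PRIMARY-OUT permit 10
 match ip address prefix-list PUBLIC-29
 set community 64500:100
route-map ISP-SECONDARY-OUT permit 10
 match ip address prefix-list PUBLIC-29
 set community 64500:200
!
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 198.51.100.0 remote-as 64500
  neighbor 198.51.100.0 activate
  neighbor 198.51.100.0 send-community
  neighbor 198.51.100.0 route-map ISP-PRIMARY-IN in
  neighbor 198.51.100.0 route-map ISP-PRIMARY-OUT out
  neighbor 198.51.100.2 remote-as 64500
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 send-community
  neighbor 198.51.100.2 route-map ISP-SECONDARY-IN in
  neighbor 198.51.100.2 route-map ISP-SECONDARY-OUT out
  network 203.0.113.0 mask 255.255.255.248
  no auto-summary
  no synchronization
 exit-address-family
```

The outbound route-maps have an implicit deny after sequence 10, so the two P2P /31s the thread mentions as "connected" are not leaked to the ISP unless they are explicitly permitted; add them to the prefix-list only if the SP actually wants them. After a failover the new active unit takes over the same IPs and must rebuild both eBGP sessions before it learns a default route again, which is exactly the window the original poster is asking about.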
11-26-2018 07:21 AM
11-26-2018 07:44 AM
11-26-2018 07:47 AM
11-26-2018 07:54 AM
11-26-2018 08:00 AM
11-26-2018 08:16 AM
Had the exact same setup for one of my customers using Firepower running FTD and 2 Comcast circuits. No WAN IP address for both circuits on the secondary firewall. Failover was pretty seamless from what I saw. Since the standby maintains the same IP address and the failover process takes care of the initial traffic flow, there was no downtime noticed.
One effect that was seen was when both circuits had the same cost/weight. On initial setup, the route would point to circuit-1. A failover scenario would, in some cases, cause the secondary circuit's route to take over (established earlier than the primary's). This really depended on which BGP session established first. I don't think this should affect your scenario since there is a weight set from the other end.
11-26-2018 09:30 AM - edited 11-26-2018 10:31 AM
Hi Rahul
With BGP there will be only one path in the table, so with what you are describing (i.e. not influencing the paths with BGP attributes) it will flip between the two with failover but will stick there, and BGP won't fail back to the preferred path. With what I am proposing it should sort itself out. We use extended communities to distinguish the primary path from the secondary and then the ISP (which is us anyway) sets local preference on the PE routers with a match on the community.
I think I need to get it up and running and test it.
Cheers
Andy