Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2081
Views
0
Helpful
2
Replies

ASA 9.8 in active/standby HA and BGP

Stuart Patton
Level 1
Level 1

‎11-20-2019 07:02 AM - edited ‎02-21-2020 09:42 AM

Hi,

 

Need some advice please.  I have 2x ASA5516-X firewalls running in active/standby HA and running eBGP with a service provider.  The provider have two CPEs on site, connected via a common subnet with the outside interfaces of the firewalls.  We neighbour with both CPEs - one of the CPEs is designated primary and so we advertise prefixes to them, and advertise the same prefixes to the secondary CPE but with some prepending.  We then weight the neighbours to prefer the primary over the secondary.  The provider are running unicast RPF on their network.

 

During failover (such as during ASA upgrades), we have seen short outages of around 3 minutes.  The provider have since enabled graceful restart on the CPEs (I've always had this enabled), and now during failover, I see the BGP neighbour come back up quicker but we still see a connectivity outage to services on the provider's network.

 

According to the document below, NSF is needed and from what I've read elsewhere, this is achieved through graceful restart.  The provider are suggesting we run BFD but I have no experience of this.  Is this not counter-intuitive (ie we don't want to detect a failure during failover)?

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118050-config-bgp-00.html#anc7

 

I totally get that if a CPE failed (power loss to CPE, bearer circuit failure etc), there may be some time for BGP to converge on the provider's side to the secondary CPE, but am I chasing an impossible dream here, that ASA failover with BGP to the primary CPE can't be almost seamless?

 

We have VoIP data running through other HA ASAs running EIGRP and we barely notice any packet loss during failover on those.

 

Thanks for any advice!

0 Helpful
2 Replies 2

lwilfredoflor
Level 1
Level 1

‎11-21-2019 08:46 AM

Hi there, if you are looking for no traffic outage, and you provider doesnt give you advise for tune bgp, then a quick way to archive this is the following:

-assuming you are receiving only default route from cpe to you fw, and you are advertising your public prefixes, then you could create a default route with a high AD pointing to the cpe, with this when you go with the upgrade process the bgp peer will be restarted and the 0/0 learned through bgp will be withdraw, so the static one will appear on you fw and traffic will not be loose it. 

regards,  

0 Helpful

Stuart Patton
Level 1
Level 1
In response to lwilfredoflor

‎11-25-2019 03:29 AM

Unfortunately, there are something like 2000 prefixes that I learn, which are redistributed into my internal EIGRP AS.  This is a closed extranet with no access to the internet (plus I have a default route on my LAN pointing elsewhere), so a default route is not appropriate.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card