ASA Active lights in Active/Active mode

NickSemmens · ‎03-29-2016

In our little lab I have been looking at Active/Active running for two ASA55xx-X, called FW01 and FW02. I seem to have some anomalous behaviour with the "Active" lights. I'm using asa942-11-smp-k8.bin.

Active/Active requires multiple context mode so I have System, Admin and Instance-1 defined. Instance-1 has an outside interface and two inside interfaces (as it happens).

Assume that FW01 is up and running, if I then bring up FW02 it sits there with the Active light dark, using secondary addresses. Now I disconnect the physical outside interface on FW01. FW02 takes over, the Active light illuminates on FW02, and the Active light goes out on FW01. Checking the inside switch to which they are both connected, I can see that the virtual MAC addresses have switched to the interfaces on FW02.

After this has happened, I reconnect FW01's outside interface and it sits there with the Active light dark.Now I disconnect the physical outside interface on FW02. FW01 takes over, the Active light illuminates on FW01 - but the Active light remains lit on FW02!! In fact, I can disconnect both inside interfaces as well and the Active light still remains lit on FW02.

Any ideas?

Philip D'Ath · ‎03-29-2016

If you failover to the other firewall, and then the original firewall becomes healthy it doesn't failback. So the first behaviour is expected.

I assume the failover link between the firewalls is remaining connected the whole time?

I've never liked the 9.4(2) train because I have had lots of issues in the past with it. I see an interim release has earned a gold star now. Try 9.5(2) and see how that goes.

As a bonus, 9.5(2) also gives you policy based routing.

NickSemmens · ‎03-30-2016

Hi Phil. Thanks for your reply. I've used ASA5525-X in Active/Standby for a few years but never Active-Active/multiple context which has been specified by the senior architect in this application. I'm quite happy with the behaviour up to the point where the Active light fails to go off when there are no interfaces other than the HA/State links and management.

I was using the gold-starred interim 9.4.2-11 release because it fixes the IKE vulnerability but I'll check out what else is available.

Marvin Rhoads · ‎03-30-2016

Philip,

PBR was introduced on the ASA in 9.4(1). 9.5(1) just added some lesser used feature support to PBR (IPv6, VXLAN, Trustsec etc.).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-policy-based.html#ID-2182-000002a8

Philip D'Ath · ‎03-30-2016

Let me re-phrase that. I tried PBR in 9.4 and it was too broken to be usable. In 9.5 things worked great.

Marvin Rhoads · ‎03-30-2016

Thanks for the clarification Philip.

Interestingly there's only one publicly documented PBR-related bug documented as fixed in 9.5(x) - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus78109

It would not be surprising if there were some non-public ones that were fixed.

Philip D'Ath · ‎03-31-2016

I didn't bother logging any cases myself. When I tried 9.5(2) and everything worked I wrapped the job up.