Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
795
Views
0
Helpful
1
Replies

ASA Failover A/S EIGRP

kkeelan
Visitor

‎12-07-2012 03:28 PM - edited ‎03-11-2019 05:34 PM

Greetings,

This is a question concerning EIGRP and static routes on our ASA Failover pair in an A/S configuration. The Active ASA is participating in an EIGRP AS and the Standby doesn’t receive any of the EIGRP routes, which, if I understand correctly, is the expected behavior. The problem that we are trying to solve is how to use a Network Management Server (NSM) to actively monitor via ICMP the Standby in case it goes down. This is not working now because NMS is not directly connected to the A/S failover pair and thus it cannot ping the Standby firewall since there is no route back to the NMS. Our proposed solution is to add a static route that points to the NMS. We believe the best way to do this is to configure the route with higher administrative distance than EIGRP (>90) so the Standby firewall would have a route back to the NMS and it wouldn’t affect the active EIGRP routing. Please let me know if we what were are proposing is a good practice. Any suggestions would be appreciated. Thanks for the assitance.

fwco01# show running-config router 

!

router eigrp 200

no auto-summary

eigrp stub connected static summary

network 10.NNN.0.0 255.0.0.0

passive-interface default

no passive-interface DMZ

no passive-interface OUTSIDE

no passive-interface OUTSIDE-BACKUP

redistribute static

!

Proposed Route:

route DMZ 10.NNN.79.250 255.255.255.255 10.NNN.249.252 100

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-07-2012 10:53 PM

Hello Ken,

To be honest with you, that sounds good but what I am not sure is the fact that the standby unit does not have a routing table at all so wheter it has a route on its routing table is not gonna use it.

So what I would do is to take advantage of the Proxy-arp feature with ARP

We know the Standby ASA knows how to reach the primary unit right ( If this were not the case how would it exchange hello packets with the primary one) so what we could do is to let the primary ( Active) ASA the following:

-Perfom a nat translation from the NMS machine to the asa primary interface ip address when the destination is the standby ip addres In this case the secondary unit will receive the packet and it will know where to reply...

Let me know if you could test both of them and of course share the result

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card