12-12-2013 06:32 PM - edited 03-11-2019 08:17 PM
Hi Everyone,
We ordered two ASA 5515-X that will be deployed in active-active configuration. I've gone through several pages of example configurations and deployment options but I can't find what I'm looking for. In our current operation, we have one 5520 that has two ISPs configured on it. How these two ISPs are utilized is based on the traffic destination. By default, all traffic passes through the primary ISP. Some traffic is routed to the secondary ISP based on the destination address/network. If there is an outage on the primary ISP, all traffic will be routed out on the secondary ISP. The same applies if there is a secondary ISP outage: all traffic being routed out on that ISP will be routed to the primary ISP. I'm looking to deploy these two new ASAs in an active-active configuration wherein they will behave the same as what we currently have in our operation. The catch is, all primary ISP traffic will be routed out on the outside interface of ASA1 and all secondary ISP traffic will be routed out on the backup interface of ASA2. If ASA1 becomes unavailable, all primary ISP traffic will be handled by ASA2 via its outside interface. The same if ASA2 becomes unavailable: all secondary ISP traffic will be handled by ASA1 via its backup interface. Also, in the documents that I have gone through, I can't seem to find whether active-active failover supports the concept of a "virtual IP" (like GLBP) wherein these two ASAs share a single outside / backup / inside IP address. This is a concern as it may affect our VPN connections. Is there any configuration that can support this deployment, or can the ASA not be configured to support this at all?
12-12-2013 06:56 PM
Active-Active is only applicable for multi-context ASA failover clusters. Single context is Active-Standby only.
ASAs needing to optionally route to a secondary ISP are typically set up with a backup route and an SLA monitor job as described in this document.
Hope this helps.
12-12-2013 07:14 PM
Thanks Marvin.
Yes, this document served as my guide when I configured the ISP failover using a single ASA (that is my 5520). The two new ASAs are already configured in multiple mode. I'm looking to adapt this behaviour to the new ASAs, with these two ASAs in HA mode / cluster (not sure if I'm terming it correctly, forgive me) as described above.
Going through the sample configuration that I have come across, there is this line:
" ip address [ip] [mask] standby [standby_ip]"
The way I understand this is, if ASA1 fails then ASA2 assumes the active role, and ASA2 will also assume the standby IP; thus, from the public internet perspective, I'm now at a different IP, which is the standby IP. What I'm looking for is ASA2 assuming the active role but still using the original IP. (I'm referring to an appliance failure here, but the ISP is still good.)
12-12-2013 07:25 PM
You're welcome.
The active ASA will always assert the first IP address in your interface configuration.
The standby IP address is used by the standby ASA and is there so that the Active unit in the failover cluster can verify reachability of the Standby unit (assuming that is one of the monitored interfaces for failover purposes).
The standby IP address is not for a "standby" ISP per se. When a failover occurs, the (formerly) Standby unit takes over that first address as it assumes the Active role.
12-12-2013 08:04 PM
Got it. So the virtual IP I'm terming here is the first IP declaration in this syntax: "ip address [ip] [mask] standby [standby_ip]"
And from my inside network, I should point my core switches' default route to the first declared IP.
How about this idea.
"
By default, all traffic passes through the primary ISP. Some traffic is routed to the secondary ISP based on the destination address/network. If there is an outage on the primary ISP, all traffic will be routed out on the secondary ISP. The same applies if there is a secondary ISP outage: all traffic being routed out on that ISP will be routed to the primary ISP
"
...
"
The catch is, all primary ISP traffic will be routed out on the outside interface of ASA1 and all secondary ISP traffic will be routed out on the backup interface of ASA2. If ASA1 becomes unavailable, all primary ISP traffic will be handled by ASA2 via its outside interface. The same if ASA2 becomes unavailable: all secondary ISP traffic will be handled by ASA1 via its backup interface.
"
Thanks again
12-12-2013 08:50 PM
You say "Some traffic is being routed to the secondary isp based on the destination address/network". You do that with a route statement shared across the synchronized configuration file.
For a given Active ASA (or ASA context), you will use routes/interfaces to your primary and secondary ISP. If and only if that ASA (or context) moves from active state on one ASA to active on the other does the other ASA start passing traffic. When it does, it does so exactly like the formerly active unit, with the exception that it is going via a physically different appliance and will land in physically different ports in the inside and outside switches.
Nothing changes in the running configuration or routing behavior.
12-17-2013 09:22 PM
Hi Marvin,
Just picked up my task on this one. I'm already at this part, not sure if I'm doing it correctly.
In my ASA1, I created two contexts, C1 and C2. I have already attached the corresponding interfaces.
These are my configurations:
----------------------------------------------
sh run context
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context C1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/C1.cfg
!
context C2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/2
config-url disk0:/C2.cfg
-----------------------------------------------
Context-C1
sh run interface
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 208.75.10.1 255.255.255.0 standby 208.75.10.2
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.19.111 255.255.255.0 standby 172.16.19.112
Context-C2
sh run interface
!
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/2
nameif backup
security-level 0
ip address 116.50.172.1 255.255.255.0 standby 116.50.172.2
The problem is I'm receiving this error if I'm going to configure context-C1 interface g0/0:
ASA1/C2(config-if)# ip add 172.16.19.111 255.255.255.0 standby 172.16.19.112
ERROR: This address conflicts with another address on net
Please refer to the attachment.
The core switches behind the ASAs are running GLBP and the default gateway will be pointed to 172.16.19.111.
Any idea how we can proceed?
12-18-2013 07:12 AM
Your command output shows you are trying to assign the same 172.16.19.111 (and .112) address on Context 2 that you have already used in context 1. They need to be unique.
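The collision Marvin points out can be caught before the CLI rejects it. The script below is an added example, not code from the thread or from Cisco: it parses the poster's `show run context` output together with each context's `show run interface` (re-typed here as a constructed sample, including the address the poster tried to add to C2), works out which physical interfaces are allocated to more than one context, and reports any active or standby address that two contexts both configure on a shared interface. The parsing regexes and the `find_conflicts` helper are assumptions about the `show run` layout, not an official Cisco tool.

```python
"""Flag IP addresses that collide across ASA security contexts sharing a
physical interface. Added example; config text is a constructed sample
based on the thread, not a live capture."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: system-context 'show run context' output.
SYSTEM_CONFIG = """
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
context C1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/C1.cfg
!
context C2
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2
  config-url disk0:/C2.cfg
"""

# Constructed sample: per-context 'show run interface' output. C2's inside
# interface carries the address the poster attempted to configure.
CONTEXT_CONFIGS = {
    "C1": """
interface GigabitEthernet0/1
  nameif outside
  security-level 0
  ip address 208.75.10.1 255.255.255.0 standby 208.75.10.2
!
interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 172.16.19.111 255.255.255.0 standby 172.16.19.112
""",
    "C2": """
interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 172.16.19.111 255.255.255.0 standby 172.16.19.112
!
interface GigabitEthernet0/2
  nameif backup
  security-level 0
  ip address 116.50.172.1 255.255.255.0 standby 116.50.172.2
""",
}


def parse_allocations(system_config):
    """Map each context name to the physical interfaces allocated to it."""
    allocations, current = defaultdict(list), None
    for line in system_config.splitlines():
        line = line.strip()
        m = re.match(r"^context (\S+)$", line)       # 'admin-context' does not match
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^allocate-interface (\S+)", line)
        if m and current:
            allocations[current].append(m.group(1))
    return dict(allocations)


def parse_interfaces(context_config):
    """Map physical interface -> set of addresses (active + standby) it uses."""
    result, current = {}, None
    for line in context_config.splitlines():
        line = line.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        # 'no ip address' does not match because the line starts with 'no'.
        m = re.match(r"^ip address (\S+) (\S+)(?: standby (\S+))?$", line)
        if m and current:
            active = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            result[current].add(active.ip)
            if m.group(3):
                result[current].add(ipaddress.IPv4Address(m.group(3)))
    return result


def find_conflicts(system_config, context_configs):
    """Return sorted (ctx_a, ctx_b, physical_if, address) tuples for every
    address two contexts both use on a physical interface they share."""
    allocations = parse_allocations(system_config)
    parsed = {ctx: parse_interfaces(cfg) for ctx, cfg in context_configs.items()}
    names, conflicts = sorted(parsed), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = set(allocations.get(a, ())) & set(allocations.get(b, ()))
            for phys in sorted(shared):
                common = parsed[a].get(phys, set()) & parsed[b].get(phys, set())
                conflicts.extend((a, b, phys, str(addr)) for addr in sorted(common))
    return conflicts


if __name__ == "__main__":
    for ctx_a, ctx_b, phys, addr in find_conflicts(SYSTEM_CONFIG, CONTEXT_CONFIGS):
        print(f"{phys}: {addr} is configured in both {ctx_a} and {ctx_b}")
```

Run against a real box, paste each context's `show run interface` into `CONTEXT_CONFIGS` and the system context's `show run context` into `SYSTEM_CONFIG`; any line printed is an address that must be made unique before the second context's `ip address` command will be accepted.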