07-26-2011 03:40 AM - edited 03-11-2019 02:03 PM
Hi all,
I'm trying to figure out how ASAs behave in front of fault in two specific design case that I can't clearly identify in documentation.
I attach a picture for the 2 cases.
First one ('DWDM Shared.png') is an architecture where ASAs are connected through the use of intermediate switches, but these switches are connected via same DWDM. In case all DWDM devices have problem, ASAs interfaces are still 'up' thanks to the intermediate switches, but all communications between the two fail.
I've read in ASA configuration guide this phrase, but I don't know if it can apply:
In the event that all communication is cut off between the units in a failover pair, both units go into the active state, which is expected behavior
Is that my case? If all DWDM fail, my firewalls risk to become both active?
Second one ('DedicatedInterconn.png') is an architecture where ASAs are connected through the use of intermediate switches, but the switches are connected through different media: switch for inside and failover depend on DWDM devices, switches for outside depend on a direct fiber interconnection.
Here I'm in doubt for the two double fault cases: what happens if all DWDM fail and what if both direct interconnection links fail?
In one case (DWDM fault) ASAs lose communication on Inside and Failover but maintain on Outside (still all interfaces 'up'), on the other case (direct link fault) they lose communication on Outside
(still all interfaces 'up') but maintain on Inside and Failover.
Is it correct to consider that in such a cases ASAs don't switchover?
Thanks a lot for any help in claryfing it.
Solved! Go to Solution.
07-31-2011 02:38 PM
Hello,
ASA failover operation critically depends on the failover control link. When failover control communication is interrupted, the ASA will attempt to exchange data interface status with its failover peer over all of the available interfaces. If such communication cannot be established (i.e. there is not a single data interfaces which the failover peers can communicate on), the ASA will transition to the active state.
Hence, you will likely end up with a dual-active situation in the first scenario (again, provided that no communication between the ASAs is possible).
In the second scenario, the ASAs should be able to exhange interface monitoring information over an available data interface and gracefully settle the condition without going dual-active.
Andrew
08-01-2011 09:34 AM
Hello Chiara,
The outcome depends on the interface health information exchange. The peers exchange the lists of their data interfaces and the results of failover interface monitoring. If standby has more "healthy" (as determined by failover interface monitoring) interfaces, it becomes active while the active transitions to standby. In case of a tie, both peers retain their previous states. In any case, failover gets disabled after this one time exchange and until the failover control communication is restored.
Andrew
07-31-2011 02:38 PM
Hello,
ASA failover operation critically depends on the failover control link. When failover control communication is interrupted, the ASA will attempt to exchange data interface status with its failover peer over all of the available interfaces. If such communication cannot be established (i.e. there is not a single data interfaces which the failover peers can communicate on), the ASA will transition to the active state.
Hence, you will likely end up with a dual-active situation in the first scenario (again, provided that no communication between the ASAs is possible).
In the second scenario, the ASAs should be able to exhange interface monitoring information over an available data interface and gracefully settle the condition without going dual-active.
Andrew
08-01-2011 01:34 AM
Thanks Andrew for your answer,
just a piece more in order to well understand: by saying 'gracefully settle the condition without going dual-active' do you mean that units remain in their state?
Chiara
08-01-2011 09:34 AM
Hello Chiara,
The outcome depends on the interface health information exchange. The peers exchange the lists of their data interfaces and the results of failover interface monitoring. If standby has more "healthy" (as determined by failover interface monitoring) interfaces, it becomes active while the active transitions to standby. In case of a tie, both peers retain their previous states. In any case, failover gets disabled after this one time exchange and until the failover control communication is restored.
Andrew
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide