Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3173
Views
0
Helpful
3
Replies

ASA Failover fault cases without down of interfaces

Go to solution
CSCO10235163
Level 1
Level 1

‎07-26-2011 03:40 AM - edited ‎03-11-2019 02:03 PM

Hi all,

I'm trying to figure out how ASAs behave in front of fault in two specific design case that I can't clearly identify in documentation.

I attach a picture for the 2 cases.

First one ('DWDM Shared.png') is an architecture where ASAs are connected through the use of intermediate switches, but these switches are connected via same DWDM. In case all DWDM devices have problem, ASAs interfaces are still 'up' thanks to the intermediate switches, but all communications between the two fail.

I've read in ASA configuration guide this phrase, but I don't know if it can apply:

In the event that all communication is cut off  between the units in a failover pair, both units go into the active  state, which is expected behavior

Is that my case? If all DWDM fail, my firewalls risk to become both active?

Second one ('DedicatedInterconn.png') is an architecture where ASAs are connected through the use of intermediate switches, but the switches are connected through different media: switch for inside and failover depend on DWDM devices, switches for outside depend on a direct fiber interconnection.

Here I'm in doubt for the two double fault cases: what happens if all DWDM fail and what if both direct interconnection links fail?

In one case (DWDM fault) ASAs lose communication on Inside and Failover but maintain on Outside (still all interfaces 'up'), on the other case (direct link fault) they lose communication on Outside

(still all interfaces 'up') but maintain on Inside and Failover.

Is it correct to consider that in such a cases ASAs don't switchover?

Thanks a lot for any help in claryfing it.

Labels:
Preview file
155 KB
Preview file
165 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Andrew Ossipov
Cisco Employee
Cisco Employee

‎07-31-2011 02:38 PM

Hello,

ASA failover operation critically depends on the failover control link. When failover control communication is interrupted, the ASA will attempt to exchange data interface status with its failover peer over all of the available interfaces. If such communication cannot be established (i.e. there is not a single data interfaces which the failover peers can communicate on), the ASA will transition to the active state.

Hence, you will likely end up with a dual-active situation in the first scenario (again, provided that no communication between the ASAs is possible).

In the second scenario, the ASAs should be able to exhange interface monitoring information over an available data interface and gracefully settle the condition without going dual-active.

Andrew

View solution in original post

0 Helpful

Go to solution
Andrew Ossipov
Cisco Employee
Cisco Employee
In response to CSCO10235163

‎08-01-2011 09:34 AM

Hello Chiara,

The outcome depends on the interface health information exchange. The peers exchange the lists of their data interfaces and the results of failover interface monitoring. If standby has more "healthy" (as determined by failover interface monitoring) interfaces, it becomes active while the active transitions to standby. In case of a tie, both peers retain their previous states. In any case, failover gets disabled after this one time exchange and until the failover control communication is restored.

Andrew

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Andrew Ossipov
Cisco Employee
Cisco Employee

‎07-31-2011 02:38 PM

Hello,

ASA failover operation critically depends on the failover control link. When failover control communication is interrupted, the ASA will attempt to exchange data interface status with its failover peer over all of the available interfaces. If such communication cannot be established (i.e. there is not a single data interfaces which the failover peers can communicate on), the ASA will transition to the active state.

Hence, you will likely end up with a dual-active situation in the first scenario (again, provided that no communication between the ASAs is possible).

In the second scenario, the ASAs should be able to exhange interface monitoring information over an available data interface and gracefully settle the condition without going dual-active.

Andrew

0 Helpful

Go to solution
CSCO10235163
Level 1
Level 1
In response to Andrew Ossipov

‎08-01-2011 01:34 AM

Thanks Andrew for your answer,

just a piece more in order to well understand: by saying 'gracefully settle the condition without going dual-active' do you mean that units remain in their state?

Chiara

0 Helpful

Go to solution
Andrew Ossipov
Cisco Employee
Cisco Employee
In response to CSCO10235163

‎08-01-2011 09:34 AM

Hello Chiara,

The outcome depends on the interface health information exchange. The peers exchange the lists of their data interfaces and the results of failover interface monitoring. If standby has more "healthy" (as determined by failover interface monitoring) interfaces, it becomes active while the active transitions to standby. In case of a tie, both peers retain their previous states. In any case, failover gets disabled after this one time exchange and until the failover control communication is restored.

Andrew

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card