ASA Failover question

jvardhan29
Level 1

Hi,

1) If the AIP-SSM module is installed within the ASA firewall pair, then for ASA failover to happen does only the AIP-SSM hardware type need to be the same (i.e. both should have, say, AIP-SSM-10), as mentioned in the document below, or does the software image also need to be the same?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

2) During failover, when the hello packets are sent from the failover interface of the ASA (say primary) to the peer device (say secondary), are these hello packets initiated from the failover interface of one firewall, or are these hello packets sent by the data interfaces to the failover interface (Gig0/3 of active) and then passed over to the peer failover link (Gig0/3 of standby)? I am curious to know if the data interfaces' hello packets of the active are sent directly to the data interfaces of the standby (without any failover interface in between).

e.g.:

failover interface - Gig0/3

data interfaces - Gig0/1, 0/2

Accepted Solutions

Hi.

For point 1, yes, I believe pseudo standby would be the status.

For points 2/3, well, probably Development didn't have the crossover situation in mind, as it's not recommended. But technically, the behaviour would depend on the situation.

If both the crossover and a data interface fail, then a comparison is done and the one with more active links will take over. If only the crossover fails, and later a data interface fails, nothing will happen, etc.

But anyway, from all the explanations provided by Poonguzhali and me about what to expect in all the different scenarios you proposed, we can already see it's a mess when you have a cross cable as the failover interface.

So for troubleshootability purposes, and to simplify things, just avoid crossover and use a switch in between.

Regards,

Fadi.

17 Replies

fadlouni
Level 1

Hi.

1- Yes, they can have different IPS versions.

2- Hellos are sent on all interfaces, from the active's interfaces to the standby's interfaces (with the respective destinations being the secondary/standby IP addresses). Refer to this document for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Did this answer your question? If so, please mark it Answered!

Regards,

Fadi.

Hi Fadi,

Thanks for taking the time to answer this, but the 2nd question still remains unanswered.

Do the hello packets of the data interfaces go to their respective data interfaces directly (consider they are connected via a switch), or does the hello packet from a data interface need to be given to the failover LAN interface first, which then sends it to the peer (standby) failover LAN interface, from where it goes to the respective data interface? Consider in the example below ASA1 as active and ASA2 as standby.

ASA 1(inside) - switch -- (inside) ASA 2

  |_________________________|

      failover LAN interface

I have gone through the documentation, but there is this question for which I cannot find an answer.

Hi.

Yes, they are sent on the data interface link to the other data interface.

Otherwise there is no real purpose to the data link hello, since if it were sent on the failover link, all interfaces would be considered reachable on the other side, and detection of a network-level reachability issue on the data interfaces would not be effective.

BTW, connecting the failover LAN interface back to back to the other ASA is not recommended. If the interface on one side goes down, the link will lose signal; as a consequence the failover interface on the other ASA will also go down. Whereas if there is a switch in the middle, only one side will have its interface down, and failover will properly fail over to the device which still has the LAN failover interface up.

Regards,

Fadi.

If this answers your question, please mark this thread as resolved.

Hi Fadi,

Thanks for the clarification on hello packets. As per your statement below related to the switch between the 2 ASA failover links, isn't it that the failover will never happen if any of the "failover interfaces" is down (but the data interfaces are up)?

"only one side will have its interface down and failover will properly fail over to the device which still has the LAN failover interface up."

If that is the case, when Firewall A's failover LAN interface goes down, how does the decision that Firewall B (having the working LAN interface) takes the role of active happen? As per my understanding both FO links should be up to take that decision.

Hi.

Yes, if the interface fails while both devices are running, no failover will happen. But if one of the devices is reloaded while the failover link is down, it will become active. Refer to this table to see what triggers a failover:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_active_standby.html#wp1079567

Regards,

Fadi.

Jayesh,

Say, for example, the failover LAN interface is severed and along with that the pri/act unit loses additional data interfaces as well. Now, what do you expect to happen? Technically the secondary unit is healthier, meaning it has more interfaces up compared to the pri/act. What will happen in this case?

Prior to implementing the fix for the defect below, no failover occurs. But since the fix, if the Pri/Act ASA loses more interfaces, including the failover LAN interface, compared to the secondary/standby, then failover will occur and Sec/Standby will become active.

CSCsw37519    ENH Failover ability to switchover if FO LAN communication is severed

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37519

Just FYI - some extra information.

-KS

fadlouni
Level 1

Please note that this comparison of healthy interfaces when the LAN failover interface is down will only happen once, immediately after one ASA has the interface down; afterwards failover is off until the failover LAN interface is brought up.

So in the case after the first failover due to the FO LAN going down, the secondary takes over if its interface is up. If the secondary later on has another interface failure, no further failovers will happen.

However, in Jayesh's case (failover LAN interfaces are back to back), if one goes down, both sides will go down, so no failover will happen.

Regards,

Fadi.

1) So does this conclude that, whether crossover cable or a switch, if any of the FO LAN interfaces goes down, failover will not trigger (but the data interfaces are up)?

2) Fadi, as per your statement: "if the interface fails while both devices are running, no failover will happen. But if one of the devices is reloaded while the failover link is down, it will become active."

Consider that FW A's failover link failed; it will mark the other Firewall B's LAN failover interface also as down. Now, on rebooting which of these 2 firewalls will one of the devices become active, and which device will be active?

3) Poonguzhali, thanks for the extra explanation; I was unaware of this thing!! So you mean to say that only if a data interface is severed along with the same unit's LAN FO link also getting severed, then only CSCsw37519 happens; otherwise if both FO links are severed (without any of the data interfaces getting severed) then no failover happens? Right?

4) Fadi, I was unable to understand the last point; if you can explain it again it will be really helpful.

1) So does this conclude that, whether crossover cable or a switch, if any of the FO LAN interfaces goes down, failover will not trigger (but the data interfaces are up)?

Correct. If only the failover interface fails, why does it have to fail over? Now both units will be of equal health, right? Both would have lost one interface. Failover only happens when the active unit is considered LESS healthy than the standby unit.

2) Fadi, as per your statement: "if the interface fails while both devices are running, no failover will happen. But if one of the devices is reloaded while the failover link is down, it will become active."

Consider that FW A's failover link failed; it will mark the other Firewall B's LAN failover interface also as down. Now, on rebooting which of these 2 firewalls will one of the devices become active, and which device will be active?

Both will go active. One was already active, and the other one reloads, doesn't find an active unit for that pair, and so goes active.

3) Poonguzhali, thanks for the extra explanation; I was unaware of this thing!! So you mean to say that only if a data interface is severed along with the same unit's LAN FO link also getting severed, then only CSCsw37519 happens; otherwise if both FO links are severed (without any of the data interfaces getting severed) then no failover happens? Right?

Correct. Same answer as question 1.

4) It is not a very good idea to connect the failover interface via a crossover cable. If one end goes down, the other end will also go down, right?

Our configuration guide clearly says to use a switch and not a crossover cable.

This is what Fadi is trying to explain, I think...

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1104903

Note: When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

-KS

Hi Poonguzhali,

Got it! Thanks again!

1) In the context of the 1st question's answer:

"If only the failover interface fails, why does it have to fail over? Now both units will be of equal health, right? Both would have lost one interface. Failover only happens when the active unit is considered LESS healthy than the standby unit."

ASA 1(inside) - switch -- (inside) ASA 2

  |_________________________|

      failover LAN interface

My question: can you tell me, with the above network (with the FO interface connected via crossover), that if FW A's failover link failed, it will mark the other Firewall B's LAN failover interface also as down; now in this condition what will be the failover state of both, and whether traffic will be affected or not?

Also consider, instead of a crossover cable, a single switch is in place; what will be the state of both firewalls, and is traffic affected or not?

2) Consider that the LAN failover link is connected via a switch, and one of the ASA LAN interfaces fails or the corresponding switchport goes down / gets faulty; then also the link is brought down on both peers. So in this case also failover will not happen (consider data interfaces are healthy); then what is the benefit of the switch in place of a cross cable? It's fine that we can immediately find which interface failed and caused the link to come down, but is that the only benefit of using the switch for FO links? Below is the topology; all data i/f links and the LAN FO link are connected to the same switch.

ASA 1(inside) - switch -- (inside) ASA 2

        |__________| |___________|

      failover LAN       failover LAN

3) I am also confused about this statement by Fadi, which he told in reply about CSCsw37519:

"Please note that this comparison of healthy interfaces when the LAN failover interface is down will only happen once, immediately after one ASA has the interface down; afterwards failover is off until the failover LAN interface is brought up.

So in the case after the first failover due to the FO LAN going down, the secondary takes over if its interface is up. If the secondary later on has another interface failure, no further failovers will happen."

Answers inline in green.

1) In the context of the 1st question's answer:

"If only the failover interface fails, why does it have to fail over? Now both units will be of equal health, right? Both would have lost one interface. Failover only happens when the active unit is considered LESS healthy than the standby unit."

ASA 1(inside) - switch -- (inside) ASA 2

  |_________________________|

      failover LAN interface

My question: can you tell me, with the above network (with the FO interface connected via crossover), that if FW A's failover link failed, it will mark the other Firewall B's LAN failover interface also as down; now in this condition what will be the failover state of both, and whether traffic will be affected or not?

No failover will occur.

Also consider, instead of a crossover cable, a single switch is in place; what will be the state of both firewalls, and is traffic affected or not?

Let us say ASA1 is active and its failover interface is connected to port 1 on the switch, and that port goes down.

Then ASA2 will not hear from the active unit and it will go active; you will end up with two active units and traffic will fail.

2) Consider that the LAN failover link is connected via a switch, and one of the ASA LAN interfaces fails or the corresponding switchport goes down / gets faulty; then also the link is brought down on both peers. So in this case also failover will not happen (consider data interfaces are healthy); then what is the benefit of the switch in place of a cross cable? It's fine that we can immediately find which interface failed and caused the link to come down, but is that the only benefit of using the switch for FO links? Below is the topology; all data i/f links and the LAN FO link are connected to the same switch.

ASA 1(inside) - switch -- (inside) ASA 2

        |__________| |___________|

      failover LAN       failover LAN

For the simple reason that when both sides say down, which one would you think is faulty? Just because one end is faulty, it will show both ends as down.

3) I am also confused about this statement by Fadi, which he told in reply about CSCsw37519:

"Please note that this comparison of healthy interfaces when the LAN failover interface is down will only happen once, immediately after one ASA has the interface down; afterwards failover is off until the failover LAN interface is brought up.

So in the case after the first failover due to the FO LAN going down, the secondary takes over if its interface is up. If the secondary later on has another interface failure, no further failovers will happen."

If the failover interface goes down in addition to other interfaces in the active unit, then failover will occur, but before a further failover can occur you would have to fix all the broken links.

I suggest you set up a lab and test all the scenarios that you need. Sometimes it is hard to predict what will happen unless you have a failover pair you can test with.

-KS

Thanks for your precious time to answer this!

I am trying the scenarios in a lab, but if you hadn't told me about the defect you mentioned, I would have always been confused.

I have some small queries left related to your previous post, as follows:

1) Conclusion from the 1st question

Whether cross cables or a single switch for the FO interface, if any of the FO LAN i/f goes down, both units will become active, which will lead to two active units, and the traffic currently going via the prim/act ASA will fail.

2) Sorry, but my question was more related to the benefit of the switch being used for the FO interfaces.

3) When you mentioned defect CSCsw37519, Fadi replied that it might not be related to my scenario, so I believe that this defect is for failover with a single / multiple switch topology with failover and data i/f connected to the switch (not for ASA failover interfaces connected with cross cables)?

Hi Jayesh.

1) Conclusion from the 1st question

"Whether cross cables or a single switch for the FO interface, if any of the FO LAN i/f goes down, both units will become active, which will lead to two active units, and the traffic currently going via the prim/act ASA will fail."

Fadi: Not sure if I understood the scenario Poonguzhali had in mind, but I don't think this is true. If the ASAs can hear each other via the data interfaces, no failover happens (whether switched or crossover FO). If no failover happens, the secondary will remain standby and traffic will work. But if anything happens later on (another data interface fails), no further failover happens, and in that case traffic might get black-holed depending on which side lost that data interface. Note that with CSCsw37519, the number of healthy interfaces is compared only at the time when the FO interface is cut. Whatever happens later on, no failover happens.

2) Sorry, but my question was more related to the benefit of the switch being used for the FO interfaces.

Fadi: So as an example, asa1's failover is connected to fasteth1/1 on the switch, asa2's failover is connected to fasteth1/2 on the switch. If asa1's failover interface goes down, only fasteth1/1 on the switch goes down. However fasteth1/2 is still up, and so asa2's failover interface is up. Then failover will happen after the enhancement bug fix (asa2 has more healthy interfaces).

3) When you mentioned defect CSCsw37519, Fadi replied that it might not be related to my scenario, so I believe that this defect is for failover with a single / multiple switch topology with failover and data i/f connected to the switch (not for ASA failover interfaces connected with cross cables)?

Fadi: What I meant was that it doesn't apply to you, since you are connecting the ASAs' failover interfaces back-to-back. So both ASAs will have their failover interface down, and so both have the same number of healthy interfaces. So no failover will happen.
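The decision rules the replies above describe (failover only when the active unit is less healthy than the standby; with CSCsw37519 the health comparison happens exactly once, at the moment the failover LAN link is lost, and is off until the link is restored; a back-to-back cable takes both FO ends down at once, a switch takes only one down; a unit that reloads while the FO link is down goes active) are easy to mis-remember, so here they are as a small Python model. This is an added illustration written for this page, not Cisco code and not from any of the posters. Everything in it is an assumption of the model: the two-unit topology with monitored interfaces named "inside" and "outside", counting the failover LAN interface as one of the "healthy interfaces", and re-checking health when the FO link comes back. It reproduces the behaviour as Fadi's later replies state it; where the replies disagree, a lab test as KS suggests is the only real answer.

```python
from dataclasses import dataclass, field


@dataclass
class Unit:
    """One ASA of an active/standby pair (constructed model, not Cisco code)."""
    name: str
    data_ifaces: dict          # monitored data interface name -> True if up
    fo_lan_up: bool = True     # state of this unit's own LAN failover interface
    role: str = "standby"      # "active" or "standby"

    def healthy(self) -> int:
        # Health as the replies describe it: how many interfaces the unit still
        # has up, with its failover LAN interface counted alongside the data ones.
        return sum(1 for up in self.data_ifaces.values() if up) + int(self.fo_lan_up)


@dataclass
class Pair:
    primary: Unit
    secondary: Unit
    fo_link: str = "switch"         # "switch" or "crossover" (back-to-back cable)
    cscsw37519_fixed: bool = True   # False models behaviour before the enhancement
    compare_armed: bool = True      # the post-cut health comparison is a one-shot
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.primary.role, self.secondary.role = "active", "standby"

    def _units(self):
        return (self.primary, self.secondary)

    def _peer(self, unit):
        return self.secondary if unit is self.primary else self.primary

    def roles(self):
        return {u.name: u.role for u in self._units()}

    def split_brain(self):
        return all(u.role == "active" for u in self._units())

    def fo_comm_ok(self):
        return self.primary.fo_lan_up and self.secondary.fo_lan_up  # hellos need both ends

    def _evaluate(self, reason):
        active = [u for u in self._units() if u.role == "active"]
        if len(active) != 1:
            return                      # no single active unit: nothing to arbitrate
        act, sby = active[0], self._peer(active[0])
        if not self.fo_comm_ok():
            if not self.cscsw37519_fixed or not self.compare_armed:
                self.log.append(f"{reason}: FO LAN down, no comparison, no failover")
                return
            self.compare_armed = False  # compared once, right when the link was cut
        if act.healthy() < sby.healthy():
            act.role, sby.role = "standby", "active"
            self.log.append(f"{reason}: {act.name} less healthy, failover to {sby.name}")
        else:
            self.log.append(f"{reason}: {act.name} not less healthy, no failover")

    def fail(self, unit, *ifaces):
        """Take the named interfaces of `unit` down ("folink" = its failover LAN
        interface), then let the pair react to the combined event once."""
        for name in ifaces:
            if name == "folink":
                unit.fo_lan_up = False
                if self.fo_link == "crossover":
                    self._peer(unit).fo_lan_up = False  # loss of signal drops the peer end too
            else:
                unit.data_ifaces[name] = False
        self._evaluate(f"{unit.name} lost {', '.join(ifaces)}")

    def restore_folink(self):
        # Both FO ends up again and the comparison is re-armed. Re-checking health
        # here is a modelling assumption, not something the thread states.
        for u in self._units():
            u.fo_lan_up = True
        self.compare_armed = True
        self._evaluate("FO LAN restored")

    def reload(self, unit):
        # A unit that boots without hearing a peer on the FO link assumes active.
        if self.fo_comm_ok() and self._peer(unit).role == "active":
            unit.role = "standby"
        else:
            unit.role = "active"
            self.log.append(f"{unit.name} reloaded with FO LAN down, found no active peer, went active")


def _pair(**kw):
    # Constructed sample topology: two units, two monitored data interfaces each.
    return Pair(Unit("ASA1", {"inside": True, "outside": True}),
                Unit("ASA2", {"inside": True, "outside": True}), **kw)


def scenario_crossover_folink_cut():
    pair = _pair(fo_link="crossover")
    pair.fail(pair.primary, "folink")    # both FO ends drop: 2 vs 2, no failover
    after_cut = pair.roles()
    pair.fail(pair.primary, "inside")    # later data failure: comparison already spent
    return after_cut, pair.roles(), pair.split_brain()


def scenario_switched_folink_port_down():
    pair = _pair(fo_link="switch")
    pair.fail(pair.primary, "folink")    # only ASA1's end drops: 2 vs 3, failover
    after_cut = pair.roles()
    pair.fail(pair.secondary, "inside")  # new active loses a data interface: nothing
    after_data = pair.roles()
    pair.restore_folink()                # link back: ASA2 (2) vs ASA1 (3), failover back
    return after_cut, after_data, pair.roles()


def scenario_pre_fix_vs_fixed():
    outcome = {}
    for fixed in (False, True):
        pair = _pair(fo_link="crossover", cscsw37519_fixed=fixed)
        pair.fail(pair.primary, "folink", "inside")   # FO LAN severed along with a data interface
        outcome[fixed] = pair.roles()["ASA2"]
    return outcome


def scenario_reload_with_folink_down():
    pair = _pair(fo_link="crossover")
    pair.fail(pair.primary, "folink")
    pair.reload(pair.secondary)          # boots while the FO link is down: both active
    return pair.roles(), pair.split_brain()


if __name__ == "__main__":
    for scenario in (scenario_crossover_folink_cut, scenario_switched_folink_port_down,
                     scenario_pre_fix_vs_fixed, scenario_reload_with_folink_down):
        print(scenario.__name__, "->", scenario())
```

Running it prints the outcome of each scenario; the `log` list on a `Pair` records why each event did or did not cause a switchover, which is the part worth comparing against `show failover` output from a real lab pair.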

Fadi, thanks for taking the time to answer!

# With your point no. 1 (whether crossover cable / switch scenario), I agree that when one ASA failover link fails during operation (according to the doc below) both FO links go down and pri/active will stay active, but I think that the secondary/standby unit should show its status as pseudo standby. Correct? The status of the devices is not mentioned in the link for the condition "ASA failover link failed during operation". I am also doing a lab for this and will find out if traffic through the ASA in this situation is affected or not.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

# With your points no. 2 and 3 combined

I believe that the defect CSCsw37519 fix is not for the case where the FO link is connected via cross cables (even in the situation where the FO link failed, followed by any ASA's data interface link failure). Right?
