ASA failover with backup WAN with only one ip address

paul amaral · ‎07-30-2020

HI, I have a pair of 5508 ASAs in failover mode. The main WAN interface has the primary and standby ip address since we were assigned a /29. I understand if this interface goes down it will switch to the secondary ASA. The WAN BACKUP interface is a DSL and its bridge, we only have one ip from the VZ provided /24.

interface GigabitEthernet1/1
nameif WAN
security-level 0
ip address xx.xx.201.20 255.255.255.248 standby xx.xx.201.21

interface GigabitEthernet1/2
description To VZ DSL backup provider
nameif Wan_backup
security-level 0
ip address xx.xx.235.47 255.255.255.0

Since the WAN backup doesn’t have a failover ip I’m assuming its not a failover trigger?

If I wanted to have the failover connected to both ASAs It looks like I would need a standby ip on the same /24 which I was not assigned by VZ. Could I technically just use another VZ ip of my choosing from the /24. I assume this will not be known to VZ and will only have local significance. I’m trying to do this in order to have the backup wan interface available to both ASA’, to avoid things switching back and forth from primary to standby a couple of times and the wan backup is no longer connected on that particular ASA when the failover state is settled.

The backup WAN will only be used when the primary WAN is down. I know that if the primary wan is unplugged from the main ASA that it will switch to the standby ASA, likewise it goes down the same with occur. Now what if the problem is that both primary WAN ports go down? Will it still switch to the standby ASA?

This is my other dilemma where should I have the VZ backup WAN connected to, standby or primary ASA? The backup wan interface is only used with SLA failure occurs with the primary wan and then it kicks in as the main default route.

Technically I will have a switch in front of the ASA for the primary wan connection, so the WAN interfaces will always be up and a failover will only occur in case of a physical/power issues with the primary ASA. So is it better to have the backup wan on the standby ASA.

If I had more then one backup ip address I could assign it as the failover and avoid this dilemma that I’m in.

Thanks, and I appreciate any pointers on this.

P

Marvin Rhoads · ‎07-30-2020

I would just put the backup WAN Ethernet connection and both ASA's backup wan interface on a L2 VLAN in an existing switch.

Even without an address you can monitor the backup WAN interface on the standby unit for interface up/down status.

Typically we use an ip sla operation to monitor WAN reachability (upstream of the ISP) and when it fails we switch the default route to the backup provider. Like this:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

paul amaral · ‎07-30-2020

Marvin, the L2 setup is what I'm doing for the primary WAN but are you saying for the backup WAN even without a standby ip address i can have the same setup as the primary WAN and there will be no issues/ip conflict? I think I read that somewhere as well and just trying to confirm that without a standby ip there is no conflict and the mac for that ip is associated with the primary ASA.

Suppose I don't monitor the backup interface, with no monitor-interface WAN-backup does this still hold true?

Paul

Marvin Rhoads · ‎07-31-2020

Yes just use a separate VLAN for the Backup WAN.

You can use the no-monitor-interface command if you really don't care if the interface is up or down. If it will potentially carry traffic, we want to know it's ready - thus we generally recommend not using that command in a case such as this.

paul amaral · ‎07-31-2020

Marvin, thanks again

Paul