06-10-2012 12:58 PM - edited 03-11-2019 04:17 PM
Hi,
We have pair of ASA5585 (ver 8.4(4) with IPS module configured with Active/Standby failover. There are total 09 interfaces are connecting to different zones in the firewall and out of which three(3) interfaces are connecting to Palo Alto 2nd layer firewall.
When we test the failover whatever interfaces not connecting Palo Alto failed or shutdown, ASA triggers the failover to other unit, however the Palo Alto is not detecting this failover and it still keeps its previous Active Palo Alto to pass traffic, thereby failing passing traffic on Active firewall through Standby Palo Alto firewall.
But when there's a interface failed or shutdonw on the interfaces where PaloAlto also connected, then once the ASA failover triggers and the same time Palo Alto also trigger its failover then both new active firewall and Palo Alto sending traffic through firewall.
However we we cant all the interfaces of ASA also to connect Palo Alto and let the Palo Alto to inspect all the interfaces, but we need our ASA to work in a situation where any of the interfaces failed, the failover to work smooth the pass the traffic via either Palo Alto device.
I just need to know is there anything tricky that we can configure on our ASA in this failover senario, or to confirm if there's no any workable solution to this situation.
Appreciate if any experts can shed some light on this design keeping ASA failover to work with PA smoothly.
I have attached the senario that I explained above. Just to emphasis the issue again, if any interface of Gig0/0, Gig0/4 or Gig0/5 failed on active firewall, ASA switching to standby firewall and act as Active, but Palo Alto still remains his Active state and the new Active ASA is not passing traffic via standby PA as its not detecting any of its interfaces as failed or unreachable..?
thanks in advance.
11-09-2012 09:54 AM
Pemasirid,
Did you happen to find a fix for this issue? I am in the same scenario with an HA Pair of ASA's connecting to an HA Pair of Palo Alto's.
Please let me know if you found a fix for this problem.
Cheers,
David
06-05-2018 10:09 AM
You need a layer 2 path between the firewalls, The switching layer will forward the traffic to the correct Palo Alto after the switches update,
The ASA sends a gratuitous arp after a fail-over. This will update the CAM on the switches and thus forward traffic as smoothly as possible.
The best solution would be a stack of switches and Ether-channel to the ISP switch to avoid your infrastructure being a single point of Failure. Although the ISP switch is still a single point of failure.
This solution could remain up even with a failure of the Primary ASA and Palo Alto 2 at the same time.
See attached:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide