Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
0
Helpful
5
Replies

ASA Failover

Go to solution
zekebashi
Level 4
Level 4

‎11-09-2017 11:16 AM - edited ‎02-21-2020 06:42 AM

Hello, 

 

I have a pair of ASR1002s  configured with HSRP. These ASRs are not physically connected. Each ASR has an active Internet & WAN link to the same ISP.  Each ASR connects to a  L2 downstream switch and each switch connects to an ASA. The ASAs are configured with Failover. HSRP is configured on the link connected to the ISP and another HSRP configured for the link connected to the L2 switches.

There no tracking nor SLA configured on the ASAs. 

 

Primary ASR ----- ISP 

Primary ASR ---- L2 switch 

L2 switch ------ Primary ASR 

L2 switch ------ Primary ASA 

 

Primary ASA --FO--- Standby ASA

Primary ASA --- L2 switch 

 

Standby ASR ----- ISP 

Standby ASR ---- L2 switch 

L2 switch ------ Standby ASR 

L2 switch ------ Standby ASA 

 

Standby ASA --FO--- Primary  ASA

Standby  ASA --- L2 switch 

 

My question is, if the primary/active ASR were to fail,  will the standby ASA become the active firewall? I am thinking that since the ISP will be using the HSRP VIP to forward traffic to the standby ASR so traffic will be flowing through the standby ASR downstream to L2 switch and standby ASA! 

 

Thanks in advance. 

~zK 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
mikael.lahtela
Level 4
Level 4
In response to zekebashi

‎11-09-2017 02:19 PM - edited ‎11-09-2017 02:20 PM

Hi,

That is correct, you need at least have monitoring on interface for the failover to happen in ASA.
Cant see the link, it seems to be broken for me.


br, Micke

View solution in original post

0 Helpful

Go to solution
mikael.lahtela
Level 4
Level 4
In response to mikael.lahtela

‎11-09-2017 02:24 PM

Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is
entered on the standby unit.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf

br, Micke

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Flavio Miranda
VIP
VIP

‎11-09-2017 12:16 PM

Hi @zekebashi

 If you could provide a simple draw about the topology would be easier. But, the answer is no. Firewall will not failover due change on the HSRP. 

 What trigger ASA failover is a problem on the Primary ASA or if the link between then drops and keep alive stops.

 

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Go to solution
zekebashi
Level 4
Level 4
In response to Flavio Miranda

‎11-09-2017 02:13 PM

I don't have a diagram, sorry! 

 

Hmm, that's what I thought but I got confused by this post https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068 

 

So, if there are no monitoring, tracking, or policy configured on the ASAs and one of the interfaces on the active FW were to fail, the firewalls will not failover? 

 

Best, ~zK 

 

 

 

 

0 Helpful

Go to solution
mikael.lahtela
Level 4
Level 4
In response to zekebashi

‎11-09-2017 02:19 PM - edited ‎11-09-2017 02:20 PM

Hi,

That is correct, you need at least have monitoring on interface for the failover to happen in ASA.
Cant see the link, it seems to be broken for me.


br, Micke

0 Helpful

Go to solution
mikael.lahtela
Level 4
Level 4
In response to mikael.lahtela

‎11-09-2017 02:24 PM

Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is
entered on the standby unit.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf

br, Micke
0 Helpful

Go to solution
zekebashi
Level 4
Level 4
In response to mikael.lahtela

‎11-09-2017 02:25 PM

That clears the confusion. Thank you! 

 

Best, ~zK 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card