ASA FailOver

mellalBrahim
Level 1

Greetings, 

Last week I faced a question and I didn't get the right answer for it. It is about the configuration of an ASA firewall with failover.

The question was: when two firewalls are connected with failover, and a packet originated from the inside to the outside, the firewall will create a session for this connection and track it, and we assume that the returned packet comes through the second firewall.

In this scenario, how does the ASA deal with those packets?

       * Will the ASA drop the packet?

       * Are the state tables synchronized with each other, so both are aware of all the session states created?


Thanks in advance.



6 Replies

Yes, you are right: the status of traffic is exchanged between the two FWs, and if return traffic comes through the standby it will pass, since the standby has the xlate and conn of the traffic.

This case happens healthily only in active/standby failover; otherwise you have asymmetric routing. For more info you can see this link:
https://community.cisco.com/t5/security-knowledge-base/asa-asymmetric-routing-troubleshooting-and-mitigation/ta-p/3117045

Thanks for your reply.

You are so, so welcome.

balaji.bandi
Hall of Fame

"and we assume that the returned packet is through the second firewall" -- this never happens if the HA is working as expected, unless the ASA HA becomes split-brain (meaning both ASAs become Active/Active).

I would point to some basics below; the blog explains how that works, in both Active/Active (meaning an active/standby backend for that context) - same case for Active/Standby.

https://network-insight.net/2015/01/06/asa-failover/

        * Will the ASA drop the packet?   (as I mentioned in the situation above, this happens only when the HA splits, and the packet will be dropped)

       * Are the state tables synchronized with each other, so both are aware of all the session states created?

    - In the failover scenario, Active and Standby are aware of the full packet flow; when the switchover happens from active to standby, the traffic will seamlessly switch over and you see no packet drops here.

BB

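The answers above hinge on one detail: the standby only knows the active unit's conn and xlate tables when a stateful failover link is configured. The following is an added example (not configuration from the thread or from the linked blog) of the primary unit in an active/standby pair with a dedicated state link; the interface names, addresses and key are assumed values, and the verification commands at the end are what to run to confirm that flows are actually being replicated.

```text
! Constructed example: primary unit of an active/standby ASA pair.
! Interface names, IP addresses and the shared secret are assumed values.
failover
failover lan unit primary
! Failover (heartbeat/config sync) link
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Dedicated stateful link: without "failover link" only unit state is shared,
! not the conn and xlate tables, so the standby would not know existing flows.
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
! HTTP connections are not replicated by default; enable it so short-lived
! web sessions survive a switchover too.
failover replication http
! Protect the failover and state links: conn/xlate data crosses them,
! so do not leave them unauthenticated.
failover key <PLACEHOLDER-SHARED-SECRET>
!
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Verification (run on either unit after both are up):
! show failover         - unit role, link health, "Stateful Failover Logical Update Statistics"
! show failover state   - current/last state and the reason for the last failover
! show conn             - on the standby, replicated flows from the active should be listed
! show xlate            - replicated translations on the standby
```

The secondary unit gets the same link definitions with `failover lan unit secondary`; the rest of the configuration is pushed from the primary. If `show conn` on the standby stays empty while the active carries traffic, the state link (not the heartbeat link) is what to check first, since that is the path the conn/xlate updates travel.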

Thanks for sharing the information.

I added a link to my previous post.
