
ASA Failover

zekebashi
Level 4

Hello, 

 

I have a pair of ASR1002s configured with HSRP. These ASRs are not physically connected. Each ASR has an active Internet & WAN link to the same ISP. Each ASR connects to an L2 downstream switch and each switch connects to an ASA. The ASAs are configured with Failover. HSRP is configured on the link connected to the ISP and another HSRP is configured for the link connected to the L2 switches.

There is no tracking nor SLA configured on the ASAs.

 

Primary ASR ----- ISP 

Primary ASR ---- L2 switch 

L2 switch ------ Primary ASR 

L2 switch ------ Primary ASA 

 

Primary ASA --FO--- Standby ASA

Primary ASA --- L2 switch 

 

Standby ASR ----- ISP 

Standby ASR ---- L2 switch 

L2 switch ------ Standby ASR 

L2 switch ------ Standby ASA 

 

Standby ASA --FO--- Primary  ASA

Standby  ASA --- L2 switch 

 

My question is, if the primary/active ASR were to fail, will the standby ASA become the active firewall? I am thinking that since the ISP will be using the HSRP VIP to forward traffic to the standby ASR, traffic will be flowing through the standby ASR downstream to the L2 switch and standby ASA!

 

Thanks in advance. 

~zK 


5 Replies

Hi @zekebashi

If you could provide a simple drawing of the topology it would be easier. But, the answer is no. The firewall will not failover due to a change on the HSRP.

What triggers ASA failover is a problem on the Primary ASA or if the link between them drops and keepalives stop.

-If I helped you somehow, please, rate it as useful.-

I don't have a diagram, sorry! 

 

Hmm, that's what I thought but I got confused by this post https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068 

 

So, if there is no monitoring, tracking, or policy configured on the ASAs and one of the interfaces on the active FW were to fail, the firewalls will not failover?

 

Best, ~zK 


Hi,

That is correct, you need to at least have monitoring on an interface for the failover to happen in the ASA.
Can't see the link, it seems to be broken for me.


br, Micke

Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf

br, Micke
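To make the "too many monitored interfaces fail" trigger concrete, here is an added ASA active/standby configuration fragment (an illustration written for this thread, not the poster's config and not taken from the Cisco guide linked above). Interface names, the failover link and all addresses are placeholders. The first block shows interface monitoring switched off, so only a unit hardware/software failure, a lost failover link or the manual failover active / no failover active commands can move the active role; the second block turns monitoring on for the data interfaces and sets the threshold with failover interface-policy. Note that the ASA monitors physical interfaces by default and subinterfaces not at all, so the explicit monitor-interface lines mainly make the intent visible and guard against someone having disabled it; an interface also needs a standby IP for the unit to exchange interface health tests over it.

```text
! --- Weak: failover enabled, interface monitoring disabled (placeholder names/addresses)
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! monitoring switched off on the data interfaces: an outside link loss on the
! active unit does not count toward the failover trigger
no monitor-interface outside
no monitor-interface inside

! --- Corrected: monitor the data interfaces and define how many failures trigger failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! interface hello every 5 s; declare an interface failed after 25 s without a reply
failover polltime interface 5 holdtime 25
! a single failed monitored interface is enough to fail over
failover interface-policy 1
monitor-interface outside
monitor-interface inside
```

After applying it, show failover lists each data interface as Monitored or Unmonitored together with its current test state, and show monitor-interface gives the same per-interface view; if outside shows as Unmonitored or "(Waiting)" rather than Normal, the HSRP-side scenario from the original question will not trigger failover no matter what the interface policy says.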

That clears the confusion. Thank you! 

 

Best, ~zK 
