Solved: Re: ASA/Firepower failover and Redundant Interface

MrBeginner · ‎07-12-2021

Hi ,

i would like to ask about redundant interfaces.

As per below reference,

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/interface-echannel.html

Cisco explain how to design and configure redundant link.So i consider the HA design without using switch between firewalls.

i create redundant interface on DB tier firewall to connect to APP tier firewall. I aslo create redundant interface on APP tier firewall to connect web tier firewall. Link monitor for HA in Web tier is WAN and LAN interface. Link monitor for HA setup in application tier is LAN interface. Link monitor for HA setup in DB tier is WAN and LAN interface
Please see the blew picture.

I only worry reason is the firewall redundant interfaces are directly connected to upper layer firewall interfaces without connect to switch .

So let me know the HA and redundancy interfaces will work properly without using switch ?
Please let me know any concern on my design ?

Marvin Rhoads · ‎07-14-2021

Yes, this: "if Active firewall go down redundant interface1 of APP firewall is still active and redundant interface 2 never take over active".

Putting a switch (or pair of switches in a stack or VSS or Nexus with VPC etc) between the firewalls is the normal solution (95% plus of deployments). You can use Etherchannels as well to add resiliency (and potentially increase throughput).

No matter what layers or redundancy you build in there are always some possible failure conditions that could interrupt service. The key is to balance the redundancy elements with their added complexity and put in enough to have done due diligence but not so much as to make the complexity and cost outweigh the added availability protection.

View solution in original post

Marvin Rhoads · ‎07-13-2021

We almost never see redundant interfaces in production because they have limited utility. Personally I have worked on well over 1000 ASAs and never seen it in use.

A redundant interface provides a very limited additional level of availability for a given interface. The presumption is that both interface would connect to the same upstream device - i.e. normally a switch. Connecting to separate upstream firewalls would result in very erratic and unpredictable behavior. Consider what happens if your upstream firewall does a failover and your active interface is now connected to the standby upstream firewall. You lose upstream connectivity altogether.

MrBeginner · ‎07-13-2021

Hi @Marvin Rhoads ,

Do you mean,as per below diagram,if Active firewall go down redundant interface1 of APP firewall is still active and redundant interface 2 never take over active ? Or do you mean redundant interface priority election process is very complicated if upstream are connected to different devices ?

Or can I use etherchannel to solve this ?

Marvin Rhoads · ‎07-14-2021

Yes, this: "if Active firewall go down redundant interface1 of APP firewall is still active and redundant interface 2 never take over active".

Putting a switch (or pair of switches in a stack or VSS or Nexus with VPC etc) between the firewalls is the normal solution (95% plus of deployments). You can use Etherchannels as well to add resiliency (and potentially increase throughput).

No matter what layers or redundancy you build in there are always some possible failure conditions that could interrupt service. The key is to balance the redundancy elements with their added complexity and put in enough to have done due diligence but not so much as to make the complexity and cost outweigh the added availability protection.