02-10-2015 11:44 AM - edited 03-11-2019 10:29 PM
Hello,
ASA 5525 8.6.
Current situation: packets bound for a particular network leave the FW on a specific interface, go to the DMZ, and finally hit router A, which sends these packets out the WAN to their destination.
What needs to happen: if router A goes down I need these packets to go out router B. These packets would leave the FW on the same interface and go to the same DMZ; the only difference is that from the DMZ they would go to router B instead of A. This process needs to happen dynamically.
On the ASA there are no dynamic routing protocols set up; it's all static routes. It looks like there could be several different ways to accomplish this, and I was hoping to get feedback on what I read about and perhaps others I am missing.
1. Set up EIGRP on the FW and both routers A and B.
2. Configure Static Route Tracking on the ASA. I have not used this before but thought it would be the easiest solution. If I understood it correctly, I could add static route tracking to router A, then track this using ICMP, and if an echo reply is not received within a set time period the route to A is removed and the backup route to B would be used?
3. ECMP was another thought. This looks like it balances the network between both A and B which would be fine really and if either went down I would assume all traffic would just dynamically flow to the router that was up and then go back to balancing each other once the issue was resolved?
4. What if I leave the static route on the FW currently to A but then add another static route to B but change the AD to 10. If A goes down the FW should see this and start routing packets out the next route to B correct?
Thanks for any input!
02-10-2015 01:52 PM
It depends on what exactly the routers are doing.
Are the LAN interfaces of the routers in the same subnet as the ASA DMZ interface ?
Do the routers use completely different paths over the WAN to get to the remote destination or do they use the same path across the WAN and are just there for redundancy to the WAN ?
Are they receiving EIGRP routes already ?
Depending on the answers to the above 1) and 2) are options and potentially just running HSRP on the routers but that does depend on their WAN connectivity and the path they take to get to the remote networks.
3) and 4) are not options as far as I can see, because unless the ASA is connected directly to the router (i.e. not via a switch, and it can't be as there are two of them) it has no way of knowing if the router has gone down.
Jon
02-11-2015 07:38 AM
Jon,
Yes, the LAN interfaces of the routers are in the same subnet as the ASA/DMZ interface. The routers use the same path over the WAN; they're just on different providers for redundancy. Router A has EIGRP set up but is not actually receiving anything via EIGRP, and router B does not have EIGRP set up. I have not set up HSRP before and will look into this. In your opinion, now that you know more of the setup, would you suggest HSRP over static route tracking?
Thanks,
02-11-2015 09:00 AM
Just to clarify.
If they are using different providers how can it be the same path over the WAN ?
HSRP will be able to track the WAN interfaces of the routers or more specifically router A.
If you want to track further into the WAN then route tracking may be better so it would help if you could clarify the above question.
Jon
02-11-2015 10:06 AM
Sorry for the confusion. Yes, there are different paths to the routers, but the routers are sending the packets to the same gateway and those gateways go to different vendors' equipment. Hopefully that clarifies it for you?
02-11-2015 10:11 AM
I am not sure how HSRP would work in this situation as it's the ASA that routes the packets through the DMZ and ultimately to either router A or B. I would think I would have to setup HSRP on the ASA to monitor both A and B? I just started to read up on HSRP so I'm not all that familiar with it yet.
02-11-2015 10:26 AM
LAN interfaces of routers = those in the same subnet as ASA
WAN interfaces of routers = those connecting to gateway
HSRP would be run on the LAN interfaces of the routers. They each have a physical IP and they share a VIP (virtual IP).
Router A would be active for the VIP.
If the LAN or WAN interface of router A went down then router B takes over the VIP.
There is nothing to configure on the ASA, you simply use the VIP as the next hop IP address instead of the physical IPs.
So outbound is easy.
I'm just trying to work out how the gateway on the WAN side would know which router to send packets to, e.g. if router A lost its LAN or WAN interface and switched to router B, how does the gateway know it should not send return packets to router A?
If you aren't comfortable with HSRP then by all means use route tracking, it would achieve the same thing only you would configure it on the ASA and not the routers.
It still doesn't answer the question of return traffic though ie. you can switch between routers but how does the gateway on the WAN side know which router is being used
It may not be an issue but I don't understand currently how the WAN side of things works.
Jon
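An added configuration example, not posted by anyone in the thread, of the HSRP arrangement Jon describes above: both routers share a VIP on their LAN (DMZ) interfaces, router A is active, and A's WAN interface is tracked so that a WAN-side failure on A hands the VIP to B. The interface names (Gi0/0 WAN, Gi0/1 LAN), the DMZ subnet mask and the physical LAN addresses .3 and .4 are assumptions; 162.15.10.2 is the next hop already configured on the ASA in this thread, reused here as the VIP so the ASA route does not need to change.

```cisco
! Added example, not from the thread. Assumed: Gi0/1 = LAN (DMZ) interface,
! Gi0/0 = WAN interface, DMZ mask 255.255.255.0, physical LAN IPs .3 and .4.
! 162.15.10.2 is the next hop the ASA already uses, reused here as the HSRP VIP.
!
! ---- Router A (preferred / active) ----
! Tracked object goes Down when the WAN line protocol drops.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description LAN side, on the XYZ-DMZ subnet
 ip address 162.15.10.3 255.255.255.0
 standby version 2
 standby 1 ip 162.15.10.2
 standby 1 priority 110
 standby 1 preempt
 ! 110 - 20 = 90 < 100, so B preempts and takes the VIP while the WAN is down
 standby 1 track 10 decrement 20
!
! ---- Router B (standby) ----
interface GigabitEthernet0/1
 description LAN side, on the XYZ-DMZ subnet
 ip address 162.15.10.4 255.255.255.0
 standby version 2
 standby 1 ip 162.15.10.2
 standby 1 priority 100
 standby 1 preempt
!
! ---- ASA ----
! The existing route keeps pointing at the VIP, so nothing to add:
!   route XYZ-DMZ 10.50.63.0 255.255.255.0 162.15.10.2 1
! Because 162.15.10.2 now answers from the HSRP virtual MAC, flush the old
! ARP entry once, as Jon notes later in the thread:
!   clear arp
!
! Verification on the routers:
!   show standby brief   (A = Active, B = Standby)
!   show track 10        (shows Down while A's WAN line protocol is down)
```

With `preempt` on both routers, A takes the VIP back automatically once its WAN interface recovers. This covers the outbound direction only; as Jon points out, how the WAN-side gateway learns which router to return traffic to is a separate question that this configuration does not answer.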
02-11-2015 10:34 AM
Thanks for the quick reply. I don't feel partial to either one as I have never set up either one before. I'm going to reach out to our vendor's engineer so he can explain the return side, because it doesn't make sense to me either. I have read some posts online saying don't use HSRP as it caused problems, but I have also read where it's worked just fine. I'm assuming you have used both of these methods in a production environment. Did you find one worked better over the other?
Thanks,
02-11-2015 10:53 AM
I have used HSRP many many times.
I have used route tracking (IP SLA) but not on an ASA but the principle is the same.
My personal preference is wherever possible use a dynamic routing protocol but if the gateway is the same on the WAN side this gives you nothing ie. if one router stops receiving the routes then so does the other.
HSRP is mainly for end clients but can be used in this scenario.
Route tracking is useful if the path taken by the routers is different ie. if the path to the destination went over different links, routers etc. then you can track an IP at the far end.
This means if there is a failure anywhere down the line you can failover.
Again the same considerations apply as to a dynamic routing protocol ie. if there is only one gateway on the WAN side you can only really track the availability of router A or B.
So if there are different paths it comes down to a dynamic routing protocol vs route tracking and I would more often than not use a dynamic routing protocol if the routers were receiving routes but both aren't currently and you may not want to set that up.
Finally some people don't like firewalls running routing protocols on anything other than the inside interface so again route tracking may be preferable if you feel that way.
It really comes down to how the WAN side is working as to which is the better option.
You may also need to setup something on the WAN side depending on how it works.
Jon
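As an added configuration example, not posted by anyone in the thread, here is the ASA static route tracking (IP SLA) approach from option 2 of the first post, including Jon's point above that the probe target decides what failure you can detect. The next hop 162.15.10.2, the interface name XYZ-DMZ and the 10.50.63.0/24 destination are taken from the route quoted in this thread; ROUTER_B_LAN_IP is a placeholder for router B's LAN address, and the probe timers are constructed.

```cisco
! Added example, not from the thread. 162.15.10.2 and XYZ-DMZ come from the ASA
! route quoted in the thread; ROUTER_B_LAN_IP is a placeholder; timers are constructed.
!
! 1. ICMP echo probe, sourced from the DMZ interface, to the primary next hop.
!    Probing router A's LAN address only detects router A (or that interface)
!    going away. To also catch a failure on A's WAN side, point the probe at an
!    address that is reachable only through A's WAN path instead.
sla monitor 10
 type echo protocol ipIcmpEcho 162.15.10.2 interface XYZ-DMZ
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! 2. Tracked object that follows the probe's reachability state.
track 1 rtr 10 reachability
!
! 3. Primary route (AD 1) is withdrawn while track 1 is down; the floating
!    static route (AD 10) to router B then becomes the active route and drops
!    back to backup when the probe succeeds again.
route XYZ-DMZ 10.50.63.0 255.255.255.0 162.15.10.2 1 track 1
route XYZ-DMZ 10.50.63.0 255.255.255.0 ROUTER_B_LAN_IP 10
!
! Verification:
!   show sla monitor operational-state 10
!   show track 1
!   show route | include 10.50.63.0
```

Nothing needs to change on the routers for this; the failover decision lives entirely on the ASA. Like HSRP, it only moves outbound traffic, so the return-path question Jon raises still has to be answered on the WAN side.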
02-11-2015 01:13 PM
Jon,
Still don't have any info on the WAN side. I'm a little confused about your comment "My personal preference is wherever possible use a dynamic routing protocol but if the gateway is the same on the WAN side this gives you nothing ie. if one router stops receiving the routes then so does the other." Did you mean to say LAN side?
To make sure we're not miscommunicating:
Packets come into the ASA bound for 10.50.63.0 255.255.255.0. There is a static route for this network: 10.50.63.0 255.255.255.0 [1/0] via 162.15.10.2, XYZ-DMZ
where 162.15.10.2 is the LAN interface of router A. This LAN interface of A is plugged into the DMZ and the address falls under xyz's subnet. Then A sends those packets out its WAN interface.
Currently, there is no static route on the ASA going to router B, but router B's LAN interface also sits on the same DMZ and has an address in the same subnet as A's LAN interface.
What I don't get from what you suggested above is setting up HSRP on the LAN interfaces of both A and B. If the WAN link goes down, how do the routers know this since they're only monitoring the LAN side? Similarly, if I use route tracking I would set this up on the ASA and tell it to monitor the LAN interface of router A, but if the WAN side goes down on A how does the ASA know to flip to the other static route going to B?
Thanks,
02-11-2015 01:53 PM
I think I understand HSRP a little better and it looks like that's what I'm going to have to use. If I wanted to use static tracking I would need another interface on the ASA and set router B off this interface.
I can use HSRP within the confines of my current setup, being there's an ASA first, then the DMZ, then the two routers off this DMZ. I need to create a virtual address, put this on both A and B, set this up on the LAN side, then track the WAN interface of A. Then if this goes down packets get sent to the backup router. The question becomes: do I change the static route on the ASA, or make my virtual IP the same as what the ASA has currently and then change the LAN IP of router A? Am I on the right track?
02-11-2015 02:41 PM
Yes you are on the right track.
In terms of which IP to use it is entirely up to you, i.e. change the ASA route or use the existing IP as the VIP.
Isn't going to make any difference in terms of functionality.
If you use the existing IP as VIP then you may need to clear that entry in the arp cache on the ASA.
If you changed the route on the ASA to a different next hop IP you wouldn't.
Whatever is easiest for you.
Jon
02-11-2015 10:14 AM
If the routers are sending traffic to the same gateway does that mean their WAN interfaces are also on a common subnet with the gateway ?
Sorry for the questions but I'm trying to avoid traffic being dropped.
So failing over from the ASA side could use HSRP or tracking and both would work fine.
But what about return traffic ie. how does the gateway on the other side know which router is up or not ?
Jon
02-11-2015 10:23 AM
No problem at all, the more questions the better as I learn more. Yes, both WAN interfaces have the exact same IP and subnet mask. I didn't design this, mind you. My task is just to get this to fail over dynamically. To answer your return traffic question, I don't know. That's a good question and I will look into it.
02-11-2015 10:36 AM
Yes, both WAN interfaces have the exact same IP and subnet mask.
Do you mean IPs from same subnet ie. not the same IP on both routers as that wouldn't work.
Let me know about the WAN side of things.
It's really if both routers use the same next hop on the WAN side then you only need to take account of interfaces or the whole router failing.
If they use different next hops then using HSRP may not be appropriate.
But either way we may also need to make sure if we switch routers from the ASA (however we do that) we also need to do the same for return traffic.
Jon