ASA5515-x: Failover Interface

Ve Con
Level 1

Hello,

I am using 2 ASAs, standby and active. They hook up to one switch. Each ASA has a port connected to a port on the switch for failover purposes.

These 2 ports on the switch have a separate/independent VLAN.

The management port on each ASA is connected to another switch with a different VLAN.

My questions:

  1. Since I have only 1 port on each ASA used for the failover, what if that interface on the ASA, the switch port it's connected to, or the cable goes faulty?
    1. Do both ASAs become active as they lost communication to each other? The secondary doesn't receive hellos from the primary anymore and thinks the primary is down, so it makes itself active?
    2. What problem will it cause when both of the ASAs become active? Any traffic problems at all?
    3. How should I avoid this problem (if any)? I heard about making a port channel but am not sure how this works, and if I want to make that change, what should I expect for downtime and how should I proceed? The ASAs are in production, so I want to make a better plan (lay out pros and cons, plus plan for downtime) if I introduce a change to this configuration.

Thanks!

3 Replies

mattjones03
Level 1

Hi,

Depending on your agreed business SLA requirements, and budget, I would consider having a second switch for added resilience.

I know Cisco recommends that a switch is used for the failover and sync interfaces, but by using a cross-over cable between the two ASAs, each ASA is immediately aware of the state of its mate.

If both firewalls go into active state, this would surely cause ARP issues as both firewalls would assume the active firewall MAC address and IP address.

I would suggest either a stacked switch or independent switch solution.

ASA (1)
Outside Int - ISP
Inside Int - Switch 1
DMZ Int - Switch 1
Failover Int - ASA (2) [Dedicated VLAN]
Sync Int - ASA (2) [Dedicated VLAN]

ASA (2)
Outside Int - ISP
Inside Int - Switch 2
DMZ Int - Switch 2
Failover Int - ASA (1) [Dedicated VLAN]
Sync Int - ASA (1) [Dedicated VLAN]

*Consider configuring HTTP replication, for stateful HTTP failover during a failover event.

cofee
Level 5

My questions:

  1. Since I have only 1 port on each ASA used for the failover, what if that interface on the ASA, the switch port it's connected to, or the cable goes faulty?

     If you have an interface that's being monitored by the primary and standby firewall and keepalives are being received on the monitored interface, then failover will not occur even if the failover link fails. If your failover interface is up but monitored interface(s) fail, failover will occur depending upon the failover interface policy; by default it's set to 1, which means only 1 interface has to fail for failover to take place. The inside interface is monitored by default (if you choose nameif inside); all other interfaces have to be set manually for monitoring.

    1. Do both ASAs become active as they lost communication to each other? The secondary doesn't receive hellos from the primary anymore and thinks the primary is down, so it makes itself active?

       Not if keepalives are received on monitored interfaces. If you have a situation where the failover link fails due to a faulty cable or a layer 2 misconfiguration at start-up, both firewalls may become active, but that's a rare situation and you will need to fix the failover link to resolve the issue.

    2. What problem will it cause when both of the ASAs become active? Any traffic problems at all?

       As mattjones03 has pointed out, you will have routing issues.

    3. How should I avoid this problem (if any)? I heard about making a port channel but am not sure how this works, and if I want to make that change, what should I expect for downtime and how should I proceed? The ASAs are in production, so I want to make a better plan (lay out pros and cons, plus plan for downtime) if I introduce a change to this configuration.

       There is a redundant interface feature where you can have two interfaces bundled together and they work as active/standby: if the active interface goes down, the standby interface will take over. No port channel configuration is needed on the switch side; they are configured as individual access ports on the switch. Usually this is beneficial when you have a single firewall and you want redundancy at the interface level. But to my knowledge this doesn't apply to the failover interface; I don't think this feature can be used to configure a redundant failover pair.
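For reference, this is what the behaviour described in the reply above looks like as configuration on the primary unit of an active/standby pair (dedicated failover link that also carries state, monitored data interfaces, an interface policy of 1, and HTTP replication). It is an added example, not configuration posted by anyone in this thread; the interface numbers, addresses and the FOLINK name are assumptions chosen to fit an ASA 5515-X.

```text
! Added example, not from the thread: primary unit of an active/standby pair.
! Interface numbers, addresses and the "FOLINK" name are assumptions.
failover lan unit primary
! Dedicated failover link; the same interface also carries state (stateful failover).
failover lan interface FOLINK GigabitEthernet0/5
failover link FOLINK GigabitEthernet0/5
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Unit hellos every 1 s on the failover link; the peer is declared failed
! after 3 s without hellos (defaults are 1 s / 15 s).
failover polltime unit 1 holdtime 3
! Interface hellos every 5 s on monitored interfaces; an interface is
! declared failed after 25 s without them (these are the defaults).
failover polltime interface 5 holdtime 25
! Fail over as soon as a single monitored interface fails (also the default).
failover interface-policy 1
! Replicate HTTP sessions so browser connections survive a switchover.
failover replication http
! Each monitored data interface needs both an active and a standby address;
! outside and dmz (not shown) are configured the same way.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
! "inside" is monitored by default; add the other data interfaces explicitly
! and exclude the management interface so it cannot trigger a switchover.
monitor-interface outside
monitor-interface dmz
no monitor-interface management
failover
! The secondary unit only needs the failover link definition; everything
! else is synchronised from the primary:
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/5
!   failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover
! Verify the pair with "show failover" and the monitored set with "show monitor-interface".
```

After a change to the failover link, "show failover" on both units should report one Active and one Standby Ready; two units both reporting Active is the split-brain condition discussed above.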

Thanks cofee for a great explanation. And also thanks everyone for your inputs.

"Do both ASAs become active as they lost communication to each other? The secondary doesn't receive hellos from the primary anymore and thinks the primary is down, so it makes itself active? Not if keepalives are received on monitored interfaces. If you have a situation where the failover link fails due to a faulty cable or a layer 2 misconfiguration at start-up, both firewalls may become active, but that's a rare situation and you will need to fix the failover link to resolve the issue."

What if the failover link fails due to a faulty cable (or loose connection) NOT at the start-up of both firewalls, but in the middle of the night, and then 30 minutes later 1 of the monitored interfaces goes down? I assume the failover cannot happen at all, correct? I have the failover policy set to 1. What else will it try to do when such things happen, and eventually what will be the state of the ASAs?

What is the Management interface for? I know it's for the FirePOWER module to communicate; not sure if anything else uses this Management interface.
