Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2719
Views
0
Helpful
3
Replies

BGP with ASA 5525 in HA

YHam
Level 1
Level 1

‎05-06-2020 10:37 AM

Hello All,

 

I need to establish the BGP neighborship from Cisco Routers to ASA 5525 firewalls which are in HA Active-Standby. The security team manages the firewalls as usual and I'm researching the design option. My question is do routers and ASAs have one-to-one peering OR do routers peer with the active firewall only?

I googled it and read some docs on  ASA BGP but they all cover a single ASA neighborship with a router, didn't answer how to do with HA.

ASA-BGP-Options.jpg

Regards

0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎05-06-2020 11:25 AM

Hi,

In ASA Active/Standby configuration, BGP is established with the Active ASA, the standby ASA does not participate in BGP peering, upon failover the new active ASA iniates the BGP adjancency with peers. Reference here.

 

So your option 2.

 

HTH

 

0 Helpful

YHam
Level 1
Level 1
In response to Rob Ingram

‎05-06-2020 12:11 PM

Thank RJI,
I read that reference document earlier. The confusion I still have is whether my both routers peer with Active IP 10.10.10.1 and so both BGP sessions will up OR
BGP session #1 - router-1 (10.10.10.5) to ASA-1 (10.10.10.1) and
BGP session #2 - router-1 (10.10.10.6) to ASA-1 (10.10.10.2)
and in this case whichever the firewall is the Active, its BGP session will be up and other session will stay down until that firewall becomes Active.

Regards
0 Helpful

Heino Human
Level 1
Level 1
In response to YHam

‎05-09-2020 10:19 PM

Hey mate, 

 

I assume your BGP peering will be with the inside interface and in this case, 10.10.10.1. When the primary firewall dies or fails, that inside IP of 10.10.10.1, will go over to the standby ASA and it will then have the active IP of 10.10.10.1. You should also allocate a static MAC address to that 10.10.10.1 IP, so when it fails over, the MAC entry will move to the second ASA too. This way, the peering will always be with 10.10.10.1 (MAC entry of aaaa.aaaa.aaa1), no matter which one is primary. 

 

On a side note, as your BGP peering will probably have standard timers of 180 seconds, there should be no interruption with the failover. 

 

Think of the ASA pair as one device and who ever is the primary, will be the one you peer with on the same configuration. 

 

Thank you

Heino 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card