3113 Views, 0 Helpful, 2 Replies

Cisco ASA 5525-X redundancy with two internet connections?

EVjustincoyan (Level 1)

I have two ASA 5525-X's that I want to be redundant, either through clustering, an Active/Passive or Active/Active setup.

Currently there is one ASA with two different internet connections. I use IP SLA to track the gateways, so if one ISP is unreachable, the ASA will use the other. These connections are attached directly to the ASA, no router in front.

My question is how can I set this up while making the ASAs redundant? Ideally I will have ISP 1 going into one ASA and ISP 2 going into the other.

Can I use an Active/Passive or Active/Active failover config in this instance, while maintaining my ISP redundancy with IP SLA?

Any input would be much appreciated.

 

Accepted Solution

Mike Williams (Level 5)

Hi,

I want to clear up a few things that will help you determine how to architect this.

If you do any sort of high-availability, through clustering, a/a, or a/p, each firewall needs to be configured and connected the same way. That is taken care of via the session sync on a/a and a/p firewalls. I'll admit I have not had a chance to work with clustering yet.

Clustering relies on ECMP from an upstream and downstream switch or router in order to share the load across all clustered firewalls. This really isn't an ideal solution for most circumstances.

Active/active, last I checked, still relied on using multiple contexts. This means that one context is active on one firewall, and a second context is active on the other firewall. It's typically more problems than it's worth and also doesn't make much sense in most circumstances.

Active/passive makes the most sense in your deployment. You will connect the two firewalls via a heartbeat and state interface to sync the configs so each firewall can determine if the other is alive. It replicates the configuration and state information, such as VPN connections, NAT, and active connections, from the active firewall to the passive firewall. 

The really important point to take from this is that you cannot simply connect one ISP to one firewall and a second ISP to the other firewall. You would need a connection from each ISP to each firewall, the same as you do with your inside connection. Your ISP failover using IP SLA will remain the same.

Hope that was clear and helps with your deployment.

 

Regards,

Mike

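Mike's answer maps onto an ASA configuration roughly like the one below. This is an added example, not code from the original thread or from Cisco documentation; the interface assignments, the addresses (RFC 5737 documentation ranges standing in for real ISP and inside networks), the tracked target and the failover link naming are all assumptions. It shows the two pieces the thread says are independent: active/standby failover over a dedicated heartbeat link and state link, and the IP SLA route tracking, which is written exactly as it would be on a standalone ASA. Because the configuration replicates to the standby unit, the data-plane configuration is entered once on the primary; the `standby` address on every data interface is what makes the secondary unit "connected the same way", since both units must be cabled to ISP1, ISP2 and the inside switch.

```cisco
! Added example (not from the original post): ASA 9.x, single context,
! active/standby failover, two directly attached ISPs tracked by IP SLA.
! Interface names, addresses and tracked targets are assumptions.

! --- Data interfaces: each carries an active and a standby address, so
! the secondary unit is reachable on the same three networks.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

! --- Failover: dedicated heartbeat (LAN) link plus a separate state link.
! "failover key" encrypts the config and state replication on these links;
! without it the running config, secrets included, is replicated in clear.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/6
failover link STATELINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key <shared-secret>
failover replication http
! Enable failover last, after the links and key are defined.
failover

! --- ISP tracking: identical to the standalone configuration. The probe
! leaves via outside1 toward the ISP1 gateway; when it stops answering,
! track 1 goes down, the metric-1 default route is withdrawn and the
! metric-254 route via ISP2 takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 5
 timeout 1000
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- PAT inside hosts to whichever outside interface the route table
! currently uses (manual NAT, one rule per ISP-facing interface).
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE_NET interface
nat (inside,outside2) source dynamic INSIDE_NET interface
```

On the secondary unit only the bootstrap is needed before it joins and pulls the rest: `failover lan unit secondary`, the same `failover lan interface`, `failover interface ip` and `failover key` lines, then `failover`. `show failover` confirms the pair and the state-link replication, and `show track 1`, `show sla monitor operational-state 10` and `show route` confirm which ISP the default route is currently using.

One interaction worth understanding before cabling: the ASA monitors every named data interface for failover by default, and with the default `failover interface-policy 1` a single failed monitored interface is enough to trigger a switchover. A switchover only happens when the active unit has more failed interfaces than the standby, so when both units are cabled to both ISPs an ISP outage is seen identically by both units and is handled by the tracked route, not by a unit failover; a port or cable fault on the active unit alone is what causes the switchover. Probing only the directly connected gateway, as above, detects the local link and the ISP edge router; a target further into the ISP catches upstream outages that leave the gateway answering.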

2 Replies


I was afraid of that, but just wanted to clarify there wasn't some way to accomplish connecting different ISPs to the different ASAs. The only way I could think to do that was clustering (which does rely on the Equal Cost Load Balancing) or the Active/Active setup, which does rely on the separate security contexts. Neither of those was ideal for this setup, really...

 

Thanks for clearing that up though, I had been poking around online and could never find an article that married the redundant ASA and IP SLA configs together, they were always separate.

 

Thanks again!
