03-20-2014 09:51 AM - edited 03-11-2019 08:58 PM
I have two ASA 5525-Xs that I want to be redundant, either through clustering, an Active/Passive or Active/Active setup.
Currently there is one ASA with two different internet connections. I use IP SLA to track the gateways, so if one ISP is unreachable, the ASA will use the other. These connections are attached directly to the ASA, no router in front.
My question is: how can I set this up while making the ASAs redundant? Ideally I will have ISP 1 going into one ASA and ISP 2 going into the other.
Can I use an Active/Passive or Active/Active failover config in this instance, while maintaining my ISP redundancy with IP SLA?
Any input would be much appreciated.
03-20-2014 07:17 PM
Hi,
I want to clear up a few things that will help you determine how to architect this.
If you do any sort of high-availability, through clustering, a/a, or a/p, each firewall needs to be configured and connected the same way. That is taken care of via the session sync on a/a and a/p firewalls. I'll admit I have not had a chance to work with clustering yet.
Clustering relies on ECMP from an upstream and downstream switch or router in order to share the load across all clustered firewalls. This really isn't an ideal solution for most circumstances.
Active/active, last I checked, still relied on using multiple contexts. This means that one context is active on one firewall, and a second context is active on the other firewall. It's typically more problems than it's worth and also doesn't make much sense in most circumstances.
Active/passive makes the most sense in your deployment. You will connect the two firewalls via a heartbeat and state interface to sync the configs so each firewall can determine if the other is alive. It replicates the configuration and state information, such as VPN connections, NAT, and active connections, from the active firewall to the passive firewall.
The really important point to take from this is that you cannot simply connect one ISP to one firewall and a second ISP to the other firewall. You would need a connection from each ISP to each firewall, the same as you do with your inside connection. Your ISP failover using IP SLA will remain the same.
Hope that was clear and helps with your deployment.
Regards,
Mike
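To show what the answer above amounts to in configuration terms, here is an added example of an Active/Standby failover pair with both ISPs on every unit and the existing IP SLA route tracking carried over. It is not from the original post or from Cisco documentation; the interface names, nameifs, RFC 5737 documentation addresses, SLA/track numbers and the failover key are all assumptions chosen for illustration.

```cisco
! ===== Added example: ASA Active/Standby failover with dual-ISP IP SLA tracking =====
! Assumed layout (not from the post):
!   Gi0/0 -> ISP 1 handoff switch (203.0.113.8/29, ISP gateway .9)
!   Gi0/1 -> ISP 2 handoff switch (198.51.100.8/29, ISP gateway .9)
!   Gi0/2 -> inside LAN (192.168.1.0/24)
!   Gi0/6 -> dedicated failover (heartbeat) link between the two ASAs
!   Gi0/7 -> dedicated stateful failover link between the two ASAs
! Each ISP handoff must land on a segment both ASAs can reach: the active
! unit owns the "ip address" and the standby unit owns the "standby" address,
! so one cable from the ISP straight into one ASA cannot work.

! ----- Failover (enter on the primary unit; the secondary gets
! "failover lan unit secondary" plus the same lan/link/ip/key lines) -----
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/6
failover link STATELINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
! Assumed shared secret: encrypts the replicated config and state on the
! failover links, which otherwise carry credentials and VPN keys in the clear.
failover key Fa1lov3r-Sh4r3d-K3y
failover

! ----- Data interfaces: every interface gets an active and a standby address -----
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.248 standby 198.51.100.11
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

! ----- PAT out of whichever outside interface the route currently selects -----
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface

! ----- IP SLA: ping the ISP 1 gateway out of outside1 and track reachability -----
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route follows the track; the backup route only becomes
! active when track 1 goes down. This is replicated to the standby unit and
! re-evaluated by whichever unit is active after a failover.
route outside1 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 254

! ----- Checks after bringing the pair up -----
! show failover                          -> "This host: Primary - Active", "Other host: Secondary - Standby Ready"
! show sla monitor operational-state 10  -> latest operation return code OK
! show track 1                           -> Reachability is Up
! show route                             -> one default route via outside1 while track 1 is up
```

Two points worth verifying on real hardware: each ISP must provide at least three usable addresses per handoff (active, standby and gateway), and if an ISP insists on a single address the standby unit cannot be addressed on that link and the design in the answer above does not apply. The `failover key` line is easy to forget; without it a tap on the failover or state link yields the full running configuration.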
03-21-2014 06:33 AM
I was afraid of that, but just wanted to clarify there wasn't some way to accomplish the connecting of different ISPs to the different ASAs. The only way I could think to do that was clustering (which does rely on the Equal Cost Load Balancing) or the Active/Active setup, which does rely on the separate security contexts. Neither of those were ideal for this setup, really...
Thanks for clearing that up though, I had been poking around online and could never find an article that married the redundant ASA and IP SLA configs together, they were always separate.
Thanks again!