Solved: Thanks Karsten, you helped - Page 2

Sugam Rangan · ‎08-16-2016

Hi All,

I have a setup as shown below. Its a already running setup, having two ISP links terminating on 2 switches. From both switches, two links further coming out and terminating on each firewall. Both Firewalls are running in HA Mode Active and Standby. When i check the config of both of the firewalls with command sh run, i can see 2 Interfaces/firewall for ISP1 and ISP2 on both ASAs. However, the IP configured on ASA 1 for ISP 1 is same which is configure on ASA 2 for ISP 1. Same is the case with ISP 2 config. Please confirm me if this setup is correct?

Regards

Karsten Iwen · ‎08-17-2016

Yes, here the ASA can determine which ASA is better connected to the network both through interface state and also (because you have IPs on both units) by analyzing traffic on the active and standby ASA.

Sugam Rangan · ‎08-17-2016

One last question,

For an example as of now on Active firewall on which i have 2 ISP links. I have put two default routes as below:

route outside-ISP1 0.0.0.0 0.0.0.0 m.m.m.q.1 1 track 1
route outside-ISP2 0.0.0.0 0.0.0.0 n.n.n.1 11

If i ping 4.2.2.2 its pingable fine from primary route.

but when i ping or trace 4.2.2.2 with the help of below command via second ISP its not pinging.

traceroute 4.2.2.2 source outside-ISP2

ping outside-ISP2 216.58.212.14

Does that mean there is issue with the ISP? I have also tried pinging the nexthop. Nexthop is pinging fine.

Karsten Iwen · ‎08-17-2016

No problem with your ISP here. With that command you tell your traceroute to use the source-address of ISP2, but the outgoing packet will still follow the routing table which points to ISP1.

If your ISP1 is doing a good job, they should discard this packet because from their viewpoint it's obviously a spoofed packet. Still if they don't, the return-packets will be sent to the ISP2-interface of your ASA where they get discarded because they arrive on the wrong interface.

Sugam Rangan · ‎08-17-2016

Do you think any reason of, why i am not able to ping my CE WAN IP of ISP 2 configured on firewall from Open Internet, however ISP 1 WAN CE IP is pinging from open internet.

Karsten Iwen · ‎08-17-2016

This is normal behavior on the ASA but only limits these kind of tests. It does not limit your ability to allow incoming connections at the same time through both providers.

Sugam Rangan · ‎08-17-2016

In case if i manually Disconnect the cable of ISP1 on FW 1 coming from switch, that means now FW 1 have primary WAN fail and Secondary is still available. However, Secondary firewall is still UP with both ISPs. Will failover happen in this scenario?

Karsten Iwen · ‎08-17-2016

This will cause a failover as FW2 has more connected interfaces then FW1. I assume here that the default monitoring of the interfaces is still in place and you have not manually disabled it.

Sugam Rangan · ‎08-17-2016

Nops, Its showing that Interface as (Not-Monitored) while giving command sh failover because standby IP is still not configured for WAN ISPs.

Karsten Iwen · ‎08-17-2016

Do a

sh run monitor-interface

I assume that you are just missing a

monitor-interface outside-1

Having no standby IP doesn't mean that there has to be no monitoring at all. It's just limited.

Sugam Rangan · ‎08-17-2016

ok, In my case its showing

no monitor-interface outside-1

no monitor-interface outside-2

for the output of Sh run monitor-int

Sugam Rangan · ‎08-17-2016

So in case i don't have Monitoring for outside interface, fail-over will not happen because of below command?

no monitor-interface outside-1

Karsten Iwen · ‎08-17-2016

right, the "no monitor-interface" is meant for unimportant interfaces that are not worth it to trigger failover. This is typically not what you want for your outside interfaces.

Sugam Rangan · ‎08-18-2016

Thanks Karsten, you helped alot.

Cisco ASA HA - WAN Mesh