Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3597
Views
0
Helpful
4
Replies

Dual ASA Dual ISP failover configuration

Phill Hodges
Level 1
Level 1

‎05-09-2014 07:54 AM - edited ‎03-11-2019 09:10 PM

Hello,

I inherited a network with two Cisco ASA 5540's, one connected to the primary ISP and the other connected to the backup ISP. Each ASA has a connection to three switches on the three remaining interfaces. See the diagram below for more details.

As I found out yesterday when our primary circuit went down, the manual failover procedure that the previous admin implemented does not work. I believe he set it up using OSPF, but I am not that familiar with it and I was not able to get it to work properly. I am looking to resolve this and implement failover in a simpler matter, but I'm not quite a network expert and I don't know where to start. Do I want Active/Active, Active/Standby, or is there another method to set this up?

Our ISPs don't support BGP, which is fine IMO. In the event of a failover, I don't mind having to change DNS records for in-bound stuff. I just want a way to be able to easily failover to the backup ISP. Anyone have any suggestions of where to start with this? Thanks

1 person had this problem
Labels:
0 Helpful
4 Replies 4

stayl335
Level 1
Level 1

‎05-09-2014 08:21 AM

Can you describe the way the manual failover should work?

Is there any failover currently configured between the firewalls?

Is the OSPF on the firewalls?

0 Helpful

Phill Hodges
Level 1
Level 1
In response to stayl335

‎05-09-2014 10:40 AM

The manual procedure works by shutting down the outside interface on the production firewall. There is then a route set to point to the secondary firewall (10.255.255.27)

Perimeter# sh route | inc 0.0.0.0

Gateway of last resort is 10.255.255.27 to network 0.0.0.0

O*E2 0.0.0.0 0.0.0.0 [110/20] via 10.255.255.27, 0:00:27, internal

I see OSPF on the firewalls:

Primary

router ospf 1

 router-id 10.1.0.1

 network 10.255.255.8 255.255.255.248 area 1

 network 10.255.255.16 255.255.255.248 area 3

 network 10.255.255.24 255.255.255.248 area 0

 log-adj-changes

 redistribute connected subnets

 default-information originate

Secondary

router ospf 1

 router-id 10.1.0.94

 network 10.255.255.8 255.255.255.248 area 1

 network 10.255.255.16 255.255.255.248 area 3

 network 10.255.255.24 255.255.255.248 area 0

 network 10.255.255.92 255.255.255.252 area 2

 log-adj-changes

 redistribute connected subnets

 default-information originate metric 20

and on my switches:

Server switch

router ospf 1

 router-id 10.1.0.53

 log-adjacency-changes

 redistribute connected subnets

 network 10.255.255.8 0.0.0.3 area 1

 network 10.255.255.40 0.0.0.3 area 1

internal switch

 

router ospf 1

 router-id 10.1.0.17

 log-adjacency-changes

 redistribute static subnets

 network 10.255.255.24 0.0.0.7 area 0

 

I'm just not really sure what any of this means...

0 Helpful

stayl335
Level 1
Level 1
In response to Phill Hodges

‎05-09-2014 11:45 AM

i don't know that the ospf configs mean anything for failover, but the idea of ospf is that if you lose a router (or firewall if it is running ospf), you have a good route to any needed destination using the remaining routers.

Failover is designed to make sure you have a good path outside in case you lose a firewall.

If your firewalls are configured such that each traffic moving interface across both firewalls is on the same subnet, you can use active-standby failover.  In my experience, this requires a router to be placed between your firewalls and the ISP router, which would allow your outside interfaces to be placed on the same subnet.

I haven't had a chance to run active-active, but the idea there is more load balancing.

The link below will help with setting up failover.

link

 

The link below will help explain how OSPF works.

link

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-09-2014 08:29 AM

The way this is most commonly done is by having the two ASAs (assuming single context) in an Active-Standby HA pair. Each ASA has two outside interfaces (they could be subinterfaces on a trunk if your physical interfaces are otherwise spoken for). One of the outside interfaces goes to ISP A and one to ISP B. It is usually best to make those connections via a switch as most ISPs only give you a single physical interface.

You then set a static default route (with tracking option) to ISP A. You set a second static default route (with a higher admin distance) to ISP B. You use them in conjunction with an IP sla operation that tests reachability of some upstream resource (a remote site, public DNS etc.). If the isp sla fails, the tracking option in the first default route causes it to be removed and the ASAs start sending all outbound traffic via the second ISP.

Cisco has an old (but still relevant) configuration guide showing this in detail. Link

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card