Dual Internet (Active/Standby same ISP) - Cisco ASA HA

or77
Level 1

Hi,
We have 2 sites (primary and DR) with an Active/Standby Internet connection. If the primary service fails, the DR service kicks in; the public IP will be the same, so there is no need to have different NATs, default routes, etc.
We also have a p2p LAN connection between the 2 sites - in case of failover, all traffic from the primary site can be routed to the DR site.

All PCs and servers have the primary ASA as gateway (let's say .88).

At the moment I have 2 identical ASA5506s (one at each site) with the same configuration apart from the inside IP. In case of a primary service fault I have to manually change the inside IP of the DR ASA (to be .88) [and either change the primary ASA to a different inside IP or shut it down].

I would like to be able to setup HA for the 2 ASAs. Is that possible? 

I found this link which sounds almost perfect for my scenario
https://ciscoskills.net/2019/03/12/dual-isp-cisco-asa-ha-active/standby/

Any help/suggestions really appreciated.

Thanks
Omar

36 Replies

Marvin Rhoads
Hall of Fame

Yes - if you setup HA according to the guide you linked it should work. Then you won't ever have to change the inside address since the Active unit in the HA pair will always have the same address.

I think he interconnects two sites; each site has its own FW HA pair.

Is that correct @or77?

The 2 sites are connected through a p2p layer 2 Ethernet. Both sites are basically part of the same private LAN. In normal conditions users at the secondary site go out to the internet via the p2p to the primary site, where I have the primary FW -> Primary Internet (Active).

If the primary internet service fails, users (and servers) at the primary site will go out to internet through the p2p to the secondary site where I have the secondary FW -> Secondary Internet (now Active).

 

So:

ASA-HA-1(config)# failover
ASA-HA-1(config)# failover lan unit primary

ASA-HA-2(config)# failover
ASA-HA-2(config)# failover lan unit secondary

Now do I really need to use 2 interfaces on each ASA? If so is this correct:

ASA-HA-1(config)# failover lan interface FAILOVER GigabitEthernet0/3
ASA-HA-1(config)# failover key password
ASA-HA-1(config)# failover link STATELINK GigabitEthernet0/4
ASA-HA-1(config)# failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2

ASA-HA-2(config)# failover lan interface FAILOVER GigabitEthernet0/3
ASA-HA-2(config)# failover key password
ASA-HA-2(config)# failover link STATELINK GigabitEthernet0/4
*** ASA-HA-2(config)# failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2 ***
*** Not sure about this for the secondary ASA: shall I swap the IP and standby? ***

ASA-HA-1(config)# sla monitor 10
ASA-HA-1(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE
ASA-HA-1(config-sla-monitor-echo)# num-packets 5
ASA-HA-1(config-sla-monitor-echo)# frequency 10
ASA-HA-1(config-sla-monitor-echo)# exit
ASA-HA-1(config-sla-monitor)# exit
ASA-HA-1(config)# sla monitor schedule 10 life forever start-time now
ASA-HA-1(config)# track 1 rtr 10 reachability

Nothing to do on the secondary ASA for the sla, track, etc., right?

Thanks guys

As you have mentioned, the 2 sites are connected through a p2p layer 2 Ethernet and the firewalls would logically be presented as one (meaning as an HA pair), so yes, your configuration is fine. But bear in mind that once you make the HA pair, the primary active firewall will push its configuration to the secondary standby firewall.

please do not forget to rate.

Can you help me on this:

ASA-HA-2(config)# failover lan interface FAILOVER GigabitEthernet0/3
ASA-HA-2(config)# failover key password
ASA-HA-2(config)# failover link STATELINK GigabitEthernet0/4
*** ASA-HA-2(config)# failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2 ***
*** Not sure about this for the secondary ASA: shall I swap the IP and standby? ***

 

Thanks

No, the IP addresses for the failover units will be the same on both firewalls.

So on the primary:

failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2

and on the secondary:

failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2

Once you paste the configurations it will form the HA pair.

 

please do not forget to rate.
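Added example, not code from the thread, from Cisco or from the poster: a small Python pre-paste check that encodes the answer above. The "failover interface ip" lines (and the lan/link interface and key lines) must be pasted identically on both units; only "failover lan unit" differs, and the active/standby pair must be two distinct addresses in one subnet. It also flags data interfaces without a standby address, which the later reply recommends adding. The two embedded configs, interface names, addresses and key are constructed assumptions that mirror the discussion (inside gateway .88, 169.254.255.x failover subnet), not a copy of anyone's real config.

```python
"""Pre-paste sanity check for an ASA Active/Standby failover bootstrap.

Constructed example. Interface names, addresses and the key are assumptions.
"""
import ipaddress

# Assumed primary-site unit: full config, inside gateway .88 as in the thread.
PRIMARY_CFG = """\
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 192.168.1.88 255.255.255.0 standby 192.168.1.89
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet1/3
failover key REPLACE-ME
failover link STATELINK GigabitEthernet1/4
failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip STATELINK 169.254.254.1 255.255.255.252 standby 169.254.254.2
"""

# Assumed DR-site unit: bootstrap only; the active unit replicates the rest once paired.
SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet1/3
failover key REPLACE-ME
failover link STATELINK GigabitEthernet1/4
failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2
failover interface ip STATELINK 169.254.254.1 255.255.255.252 standby 169.254.254.2
"""

# Bootstrap commands that must be byte-identical on both units.
MUST_MATCH = ("failover lan interface", "failover link",
              "failover interface ip", "failover key")


def bootstrap_lines(cfg):
    """Return the stripped 'failover ...' lines of a config."""
    return [l.strip() for l in cfg.splitlines() if l.strip().startswith("failover")]


def unit_role(cfg):
    """'primary' or 'secondary' if exactly one 'failover lan unit' line exists, else None."""
    roles = [l.split()[-1] for l in bootstrap_lines(cfg) if l.startswith("failover lan unit")]
    return roles[0] if len(roles) == 1 else None


def shared_bootstrap(cfg):
    """Sorted bootstrap lines that must match on both units."""
    return sorted(l for l in bootstrap_lines(cfg) if l.startswith(MUST_MATCH))


def data_interfaces(cfg):
    """Return [(nameif, 'ip address ...' line or None)] for each named data interface."""
    ifaces, name, ipline = [], None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name:
                ifaces.append((name, ipline))
            name, ipline = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ipline = line
    if name:
        ifaces.append((name, ipline))
    return ifaces


def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair should form cleanly."""
    findings = []
    roles = (unit_role(primary_cfg), unit_role(secondary_cfg))
    if roles != ("primary", "secondary"):
        findings.append(f"failover lan unit must be primary/secondary, got {roles}")
    shared_a, shared_b = shared_bootstrap(primary_cfg), shared_bootstrap(secondary_cfg)
    for line in sorted(set(shared_a) ^ set(shared_b)):
        findings.append(f"bootstrap line differs between units: {line}")
    for line in shared_a:
        if line.startswith("failover interface ip"):
            _, _, _, nameif, active, mask, _, standby = line.split()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if active == standby or ipaddress.ip_address(standby) not in net:
                findings.append(f"{nameif}: active/standby must be two addresses in one subnet")
    for cfg, label in ((primary_cfg, "primary"), (secondary_cfg, "secondary")):
        for nameif, ipline in data_interfaces(cfg):
            if ipline is None or " standby " not in ipline:
                findings.append(f"{label}: interface {nameif} has no standby IP")
    return findings


if __name__ == "__main__":
    for finding in check_pair(PRIMARY_CFG, SECONDARY_CFG) or ["OK: bootstrap is consistent"]:
        print(finding)
```

Run it against the two snippets you intend to paste; swapping the active and standby addresses on the secondary, as asked above, shows up as a differing bootstrap line rather than a pair that never forms.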

Friend, how many FWs do you have, two or four?

or77
Level 1

2, one at each site. I am not really looking at an HA FW setup... it is more like a virtual FW made of 2 physical FWs in Active/Standby mode (based on the active Internet connection).

One virtual FW.

I think a cluster is a good option here, not HA.

Let me check whether it can be configured with your requirements or not.

I think it is not supported on the ASA 5506-X.

So in a multi-context firewall, with one internet line going to context-x and the other internet line going to context-z.

If this is something you are looking at, I would highly recommend you do this in a lab environment and test it first before taking this plan into production. As long as the HA pair does what you wanted, there is no need to change the design. Anyway, it is up to you, but lab it first, test everything, and have a change control for downtime; if things are not working, revert the change.

please do not forget to rate.

Using two interfaces for the failover is not mandatory, however it is best practice; if you are short on interfaces you can use just one for both the failover control traffic and the stateful traffic. One command you don't want to miss is "failover lan unit ...". With this command you define the primary unit; for example, on the ASA in the prod site you would need to issue the command "failover lan unit primary" and on the ASA in the DR site you would need the command "failover lan unit secondary".

Another config I would highly recommend applying, although it is not mandatory, is to assign standby IP addresses to all the data interfaces; that will make connectivity verification and troubleshooting much easier. Also, if you are not using a dedicated management interface on the DR ASA, the standby IP addresses assigned to the data interfaces would allow you to jump on that ASA directly, assuming the required configs are in place.

Also, one thing I would keep in mind with this design is that if you configure the two ASAs in Active/Passive HA, the ASA in the DR site won't be processing any data traffic until a failover happens. Depending on your requirements this could be an acceptable solution; however, if there is any data sync that needs to happen between the prod site and the DR site, such as a backup replication, which is quite common, then an Active/Passive HA design wouldn't be a good option.

The ASA at the DR site shouldn't really process anything until failover (it is used purely for internet backup). The only useful thing could be the sync of configurations like firewall rules, NAT, etc... but that will be done via the failover link?

Thanks
