Dual Internet (Active/Standby same ISP) - Cisco ASA HA

or77
Level 1

Hi,
We have 2 sites (primary and DR) with an Active/Standby Internet connection. If the primary service fails the DR service kicks in; the public IP will be the same so no need to have different NATs, default routes, etc.
We also have a p2p LAN connection between the 2 sites - in case of failover all traffic from the primary site can be routed to the DR site.

All pcs and servers have the primary ASA as gateway (let's say .88)

At the moment I have 2 identical ASA5506 units, one at each site, with the same configuration apart from the inside IP - in case of a primary service fault I have to manually change the inside IP of the DR ASA (to be .88) [and either change the primary ASA to a different inside IP or shut it down].

I would like to be able to setup HA for the 2 ASAs. Is that possible? 

I found this link which sounds almost perfect for my scenario
https://ciscoskills.net/2019/03/12/dual-isp-cisco-asa-ha-active/standby/

Any help/suggestions really appreciated.

Thanks
Omar

36 Replies

Yes, your understanding is correct. Once the HA is formed, any change made on the Active unit will replicate to the Standby unit. This includes NAT, firewall rules, everything.

please do not forget to rate.

That is correct, the secondary firewall will sync with the primary in terms of configs, however, it won't copy the images from the flash of the primary to the secondary, that will be something you need to do manually. For example, if you upload AnyConnect image to the primary firewall, that image won't be automatically transferred to the secondary firewall.

Any other solution will lead to both sites using only one FW to forward traffic.
You cannot assign different GWs in the two sites; you can do it via DHCP, but that will lead to asymmetrical traffic and unpredictable behaviour.
MHM

or77
Level 1

Any downtime during the configurations? Will they both need to be restarted at some point?

Thanks

Making/configuring the HA pair, there will be no downtime on any of the firewalls. Just bear in mind the primary active will replicate the configuration to the secondary standby firewall.

Just work out which site's ASA you want as primary and which site you want as secondary.

 

please do not forget to rate.

or77
Level 1

Nice!

What happens (once in HA mode) when I try to connect to the units? At the moment I have 2 different addresses so I can connect to either of them separately - just thinking about how I will manage the units after the set up...

Thanks

Just make sure your ASA interfaces have standby IP addresses configured. Also please check and decide which interfaces you want to monitor for failover purposes. Also note, if you have sub-interfaces on your ASA, by default ASA sub-interfaces are not monitored; you have to set them up to be monitored in your ASA configuration.

 

Once you have standby IP addresses configured and SSH is enabled on these interfaces, you can jump to the primary and secondary firewall. But it would be better if you have mgmt configured.

please do not forget to rate.

In my opinion you wouldn't need to monitor the subinterfaces if you monitor the physical interface, as the subinterfaces would be less likely to fail if the physical interface is healthy.

You got a point here. I think it is more relevant if you have 300+ VLAN subinterfaces configured and you might need to monitor them in order to trigger the failover. I have seen customers with 300+ sub-interfaces on the firewall.

 

please do not forget to rate.
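The standby-IP and interface-monitoring points above, and the sub-interface monitoring question that follows them, as an added configuration example that is not from the original posts. It shows a LAN-based Active/Standby pair on the primary ASA 5506-X (the secondary only needs the failover stanza at the end). The interface names, the FOVER link name, the 10.255.255.0/30 failover subnet, the 203.0.113.x outside addresses, the VLAN 10 sub-interface and the .89 standby address are assumptions; only the .88 inside gateway comes from the question.

```cisco
! Added example (not from the thread): Active/Standby failover, PRIMARY unit.
! Interface names, FOVER link, 10.255.255.0/30, 203.0.113.x, VLAN 10 and
! the .89 standby address are assumed; .88 is the inside gateway from the question.

! Data interfaces: active IP plus a standby IP. The active unit owns the
! active IP/MAC; the standby unit answers on the standby IP, so both stay
! reachable for SSH/ASDM without changing addresses after a failover.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.88 255.255.255.0 standby 192.168.1.89
!
! Sub-interfaces are not monitored by default; give them a standby IP and
! list them under monitor-interface only if their loss should trigger failover.
interface GigabitEthernet1/3.10
 vlan 10
 nameif servers
 security-level 90
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Dedicated failover + state link, carried over the p2p LAN between the sites.
! It must be Layer 2 adjacent (same VLAN/subnet) between the two units.
failover lan unit primary
failover lan interface FOVER GigabitEthernet1/8
failover link FOVER GigabitEthernet1/8
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <replace-with-shared-secret>
!
! Explicit health monitoring: physical interfaces plus the one sub-interface
! chosen above. Hello every 5 s, declare the peer/interface down after 25 s.
monitor-interface outside
monitor-interface inside
monitor-interface servers
failover polltime interface 5 holdtime 25
!
! Enable failover last, once the secondary has been prepared.
failover

! SECONDARY unit: only the failover stanza is entered by hand; everything
! else (interfaces, NAT, rules) is replicated from the active unit.
! failover lan unit secondary
! failover lan interface FOVER GigabitEthernet1/8
! failover link FOVER GigabitEthernet1/8
! failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! failover key <replace-with-shared-secret>
! failover
```

After both units are up, `show failover` and `show failover state` confirm the roles, the monitored interfaces and their status; an interface listed as "Unknown" or "Waiting" usually means its standby IP is missing or the peer cannot reach it. Both units must run the same image and hardware, and the 5506-X needs the Security Plus license for Active/Standby failover. Because the standby takes over the active unit's MAC addresses, upstream switches will log a MAC move at failover, which is expected and a useful thing to alert on in the switch logs.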

or77
Level 1

(I am using Cisco ASDM-IDM Launcher at the moment)

As far as I remember there will be some downtime when you enable the failover; that will be for a few seconds though, but it will still cause some downtime. The IP and MAC addresses of the data interfaces will move when the failover happens, and they will move back when the primary unit is alive again. Because of that, you will be connecting to the secondary unit when failover happens with the same IP addresses. For example, if SSH is enabled on the outside interface and failover happens, you will be using the same IP but this time you will be redirected to the secondary device, which will be the active unit.

@Aref Alsouqi No. I have done a few HA configurations recently in a DC migration (ASA and FTDs), and making the HA pair did not cause any downtime. As long as you keep the primary unit running/in service (meaning this unit is in service in regards to data traffic), there will be no downtime whatsoever.

please do not forget to rate.

Out of interest, what version was running on the FTDs? I'm pretty sure I saw downtimes with the FTDs, but can't remember the exact version tbh. I would do that in a maintenance window anyway.

Hey @Aref Alsouqi, FTD version 6.7 managed by FMC version 7.0. These ASAs and FTDs were in Cisco ACI.

Last year I did a similar ASA HA pair, no downtime, nothing, but on the core switch I did notice MAC addresses moved.

 

I agree any work to be carried out has to be approved as a change window.

please do not forget to rate.

Thanks for sharing that Sheraz. It is really interesting because, like I said, from what I remember when you issue the "failover" command, which will effectively enable the failover feature, you would see some drops, but thanks again for sharing those insights.
