cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1444
Views
0
Helpful
5
Replies

Failover Scenario Question

Ninjabean
Level 1
Level 1

We recently put in a secondary internet connection across the state.  I have the primary connection coming into our main office. Both connections come in to ASA's that are set up in a failover pair.  

 

Topology Between Connections

 

Primary ISP > 4500x > ASA Via VRF > Back to 4500x > | Layer 2 ISP link to second site  | > 2960x > Secondary ASA > Secondary ISP

 

Secondary ISP uses a different set of external IP addresses. Failover is connected via port 4 on each ASA across the network on VLAN 2. The ASAs see each other and are passing configurations between each other.  Here is what I am missing - Primary ISP comes in on g0/0 on primary ASA.  Secondary ISP comes in on g0/5 on the secondary ASA. I have an SLA and tracking on the primary static route, but when the primary ISP link goes down, I cannot get traffic to flow to the secondary ISP.  My thought process was when the main link on the primary ASA goes down, it would go into failover, making the standby active. Because the backup ISP is the only link that is up on that ASA, it would take over, but that is obviously not the case.

 

I can post configs if necessary, but I am really just looking for the theory behind what I am missing! As always thank you to everyone out there!

5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

There are several things in your post that are not clear to me. Am I correct in understanding that you have a pair of ASA configured for traditional active/standby failover pair? Are the ASAs operating in single context mode or in multi context mode? In this case to get traffic to flow to the standby ASA (to be sent to ISP2) there needs to be a failover event on the primary ASA.

 

I am also not clear about SLA and tracking on the primary static route. What is SLA monitoring? If SLA detects a failure does anything else happen other than withdrawal of the primary static route? 

 

HTH

 

Rick

HTH

Rick

Yes, they are in a tradition A/S setup.  I believe single context but I am not sure. I never explicitly set up multi so I have to assume (I am not familiar with this honestly).  I reached out to TAC and they are claiming that it is not possible because the standby is considered failed as it does not have an "UP" interface for ISP1.  They said it has to be exactly the same, including and additional interfaces.  This means I am going to have to rethink this - thank you for the help though.

Thanks for the update. I have been thinking about how it could work to have traditional active/standby pair but have different addresses for the outside. I am glad to know that TAC believes that this would not work. Let us know as your thinking about this progresses. It seems to me that one option would be to use the 2 ASA not as a failover pair but as 2 stand alone firewalls. Each ASA would connect to an ISP and you could use some routing protocol to direct traffic to one or to the other ASA.

 

HTH

 

Rick

HTH

Rick

The routing protocol is my backup plan.. just need to work out how to have it done automatically, if thats possible.
I am actually tinkering right now and have it to where the Active/Standby is showing as up. I basically created a fake interface on each side for the other sides' ISP link. This way has at least made it to where the standby and active devices both see each other as the exact same. I cant test until after hours today, and I realize that it probably will not work, just figured i'd try!

The configuration you describe would not be supported. As noted by Rick and TAC, the configurations must be the same on both ASAs.

You could possibly hack together a way to make it work by something like a "dummy" SVI on an upstream switch at each site - put in a fake duplicate of the ISP2 address at site 1 and vice versa at site 2. Combine that with an ip sla tracking so that you look for an Internet based resource and thus never actually use the fake path on either side. that would be ugly though and I definitely would NOT recommend it for production use.

Review Cisco Networking for a $25 gift card