Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
0
Helpful
4
Replies

HA firewall to single ASA

Reece Boucher
Level 1
Level 1

‎05-21-2014 07:49 PM - edited ‎03-11-2019 09:13 PM

Greetings,

I have a client who is replacing a single firewall with dual HA firewalls (in different locations) connected by fibre.

The current connection is a single copper connection, using static routes.

 

Q:  Is there a way to utilise the single ASA5510 we have and connect to both these firewalls and maintain connectivity in the event of a failure of their primary firewall ?

 

A picture is worth a 1,000 words.  Apologies for not including sooner.

Labels:
Preview file
74 KB
0 Helpful
4 Replies 4

SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎05-21-2014 09:01 PM

Hi  Boucher ,

     Yes it possible to run HA between two ASA with help of fiber link , the main criteria is you need to have two separate fiber link (one of fail over interface & another for Data monitoring interface)  , similarly the network latency to reach other end via your fiber must be very least .

 Failover link can be connected back to back directly /via switch to your asa failover interface , but for data interface you will have inside and outside interface which will be monitored for fail over status , for this connectivity you need have layer 2 switch at both end  , passing both your inside & outside vlan of your firewall . The fiber link between this layer 2 swtich , should be used a trunk link .

Fiber link 1 - failover link

Fiber Link 2 - Data link for outside & inside interface of firewall , must be configured as trunk  

You have to tweak failover polltime to standby device using below commands

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#prereq

Failover Polltime

In order to specify the failover unit poll and hold times, use the failover polltime command in global configuration mode.

The failover polltime unit msec [time] represents the time interval in order to check the standby unit's existence by polling hello messages.

Similarly, the failover holdtime unit msec [time] represents the setting a time period during which a unit must receive a hello message on the failover link, after which the peer unit is declared failed.

In order to specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. In order to restore the default poll and hold times, use the no form of this command.

failover polltime interface [msec] time [holdtime time]

Use the failover polltime interface command in order to change the frequency at which hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interfacecommand in the failover group configuration mode instead of the failover polltime interface command.

You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.

 

HTH


Sandy

0 Helpful

jpl861
Level 4
Level 4

‎05-21-2014 10:44 PM

Not sure if I understood your question but from what I understood, both locations will have dual ASA FWs but there is only one link in between which is fiber. If that is the case then you will need to terminate your WAN link to an L2 switch in each location then your firewalls to that L2 switch as well so all firewalls have connectivity to the WAN.
0 Helpful

Reece Boucher
Level 1
Level 1
In response to jpl861

‎05-22-2014 07:13 PM

John,

 

The correct topology is a single ASA 5510 (our f/w) to dual f/w's (unknown make) at the other end.  I am not sure there is a L2 switch at their end.  That would make life so much easier.

 

0 Helpful

jpl861
Level 4
Level 4
In response to Reece Boucher

‎05-22-2014 09:38 PM

Actually that is nto a big iasue if they have two firewalls. It would work on their end but there will be no redundancy if their secondary firewall does not have connectivity to the WAN. We had that problem before as the ISP gave us a /30 WAN IP so we can only use one. I assigned the IP to the active firewall with no standby IP (this is for ASA anyway) but I terminated the link to an L2 switch into its own VLAN. So whenever I switch active roles between primary/secondary, the second firewall can communicate to the WAN. So not a big issue if you just have one on your side.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card