05-05-2011 11:42 AM - edited 03-11-2019 01:29 PM
Hi everyone,
I'm planning a failover ASA deployment and I'm going by this guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
In the diagram for "LAN-Based Active/Standby Failover Configuration" they depict a router ahead of the two ASAs and then the "outside" interfaces of the ASAs having local addresses and physically connecting into the head-end router.
So my question is this; is there a way to do this without using a head-end router? My idea is to use a switch instead of a router - plug the internet connection into the switch, configure the "outside" interface on the Active ASA with the public IP from the ISP and then a bogus "1.1.1.1" address on the failover ASA. As I understand it, when the Active ASA goes offline/becomes unavailable the failover ASA configures itself with the Active ASA's configuration. So in theory it should delete its own bogus "1.1.1.1" IP and configure itself with the Active ASA's public IP and MAC address.
Would that work?
If the head-end router is absolutely required, how do I terminate L2L and Remote Access VPN connections on the ASA rather than the head-end router?
Thanks!
05-05-2011 11:47 AM
Hi,
Not recommended, but yes. Remember that the bogus IP needs to be on the same range as the outside of the primary Unit, in order for the hello packets to be exchanged between the interfaces and, in case the interface fails, it can do failover.
Hope it makes sense.
Mike
05-05-2011 12:09 PM
Thank you for your reply.
Out of curiosity, why is having the head-end router recommended? I thought the ASA was designed to be an edge/border device?
05-05-2011 12:17 PM
Also, I was just thinking about it some more and I don't really understand why the outside interface on the failover ASA needs to be on the same subnet as the Active ASA? You said it was for failover but I thought there were two ports on each ASA (or a single physical port and a virtual interface) dedicated to failover and state information? Why would the two "outside" ports need to communicate on a common subnet?
Thanks!
05-05-2011 12:26 PM
Hi,
The edge router is simulating the service provider Router, the one that provides internet. Each secondary IP that you put on the ASA firewall has a purpose. Hello packets are being sent from the Active Unit to the standby Unit through those IP addresses. If the outside interface has a bogus IP that is not on the same subnet as the Active Unit outside, failover will be bouncing around because hello packets are not heard.
If you have questions feel free to ask.
Mike
05-05-2011 12:59 PM
Well, I'm going to have to use a head-end router since my ISP can't expand my current public subnet and so I'd have to get all new IPs which isn't really an option at this time.
Bummer!
05-05-2011 01:50 PM
Hello,
Actually, the ASAs would physically connect to the switch that represents the outside segment; the router in the diagram depicts your ISP. Since it is not mandatory to assign a standby IP on a particular interface unless you want to take advantage of interface monitoring, your proposed topology should work just fine. The only requirement for the ASA failover peers is to have their respective interfaces on the same Layer 2 segments.
Andrew
05-15-2011 05:31 PM
I implemented the standby ASA this weekend according to the plan I outlined in my first post and everything worked. The failover isn't as seamless as I had hoped even with the state information being synced between the ASAs. Maybe I just need to tweak the failover criteria?
Anyways, thanks for the help!
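For reference, here is an added example of a LAN-based Active/Standby failover configuration for the primary unit, reflecting what Andrew describes (a real standby IP on the outside interface so interface monitoring works) and the failover timing/criteria knobs mentioned in the last post. It is not from the thread or from the Cisco guide; the interface names, addresses (documentation ranges) and the key are constructed placeholders.

```text
! Primary unit - constructed example, adjust names and addresses for your site
failover
failover lan unit primary
! dedicated failover (hello) link and stateful link on separate physical ports
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip STATE 192.168.253.1 255.255.255.252 standby 192.168.253.2
! authenticate and encrypt failover traffic between the peers (placeholder key)
failover key REPLACE_WITH_SHARED_KEY
! hello interval / hold time for data interfaces (seconds) - tune for faster detection
failover polltime interface 1 holdtime 5
! fail over after this many monitored interfaces are down
failover interface-policy 1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! active address and a standby address on the SAME ISP subnet; the standby
 ! address is what lets the peers exchange interface hellos and monitor "outside"
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! monitor the outside interface so a dead ISP-facing link triggers failover
monitor-interface outside
```

Without a standby address on an interface (or with one on a different subnet, like the "bogus 1.1.1.1"), use `no monitor-interface outside` on that interface or the peers will flap; check the result with `show failover` and `show failover history`.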