Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1130
Views
0
Helpful
4
Replies

Local ASA active/active and multiple DC active/active

Ian Terry
Level 2
Level 2

‎12-12-2012 02:07 PM - edited ‎03-11-2019 05:36 PM


Hi

Trying to work through a tricky issue - customer has 2x DCs in geographically diverse locations. Each DC is resilient in terms of networking on all fronts. If a data centre fails, traffic is routed through the other DC - nothing unusual. We have multi-Gigabit links between DCs. Core backbone is N7k

In terms of security each DC is provided with a pair of active/active ASAs.

Ideally we need to get an active/active between DCs so that in the event of a full (or partial) DC failure, the other DC will be aware of the sessions traversing across the "failing" DC. Response time between DCs is well within guidelines, this is not the issue.

Any thoughts on how this could be achieved?

Many thanks in advance.




Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
4 Replies 4

david.tran
Level 8
Level 8

‎12-12-2012 06:09 PM

before I can offer my opinion, can you elaborate on the followings:

- Active/Active for ASA at each data for internet facing applications?

- Any firewalls between the multi-Gigabit links between the DCs?

- can you provide a specific example for "full" or "partial" DC failure?

0 Helpful

Ian Terry
Level 2
Level 2
In response to david.tran

‎12-13-2012 12:46 AM


Hi

Firstly, thanks for taking an interest

In answer to your questions

1. The active/active ASAs in each DC are for traffic to an from the Internet
2. The DCs are connected without FWs as the links are non-public
3. The full/partial is relatively straightforward - within a DC if an ASA fails, not an issue the other takes over. If both ASAs fail, traffic needs to be routed to the other DC and ideally this needs to maintain previously initiated traffic flows hence the requirement to have active/active between the DCs.

Does this help?
Sent from Cisco Technical Support iPad App

0 Helpful

david.tran
Level 8
Level 8
In response to Ian Terry

‎12-13-2012 02:18 AM

1- For inbound traffic from the Internet, that will be possible if you use F5 GTM (I am a Cisco person when it comes to routers and switches but anti-cisco when it comes to Firewall, load balancers and other things, I just things there are better vendors out there than cisco); however, you will NOT be able to maintain previously traffic flows.  New traffics will be re-directed to the new DC by the GTM but existing traffic flows will not be maintained.  If you think about it, that makes perfect sense.

2- for outbound traffcs, assuming that you have your routing design properly, this will work as well.  If both ASAs in DC1 fail, the server will know how to use multi-gigabit link between the DC and go out of ASA on DC2; however, since the ASA is "stateful" firewall, any previously initiated traffics will be lost, only new connections will work;  if you want to maintain previously traffic flows, it will be possible with routers (without firewall) because routers can handle asymetric routing (or maybe ASA can handle as well with tcp-bypass feature)  but I don't think it will work either because in this design, the destination servers is expecting you're coming from the same IP address (NAT'ed I assume) in both DCs.  when DC1 is down and you're using DC2, you will be using a different NAT'ed, thus breaking previous traffics flow.  Is it possible, yes?  Difficult to achieve, hell yes.

0 Helpful

Ian Terry
Level 2
Level 2
In response to david.tran

‎12-13-2012 04:05 AM

Thanks for this - Cisco throughout I'm afraid.

Yes it is difficult and appreciate the support.



Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card