Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1524
Views
0
Helpful
6
Replies

Need design guide for ASA/DMZ switch configs

jbankstonfla
Level 1
Level 1

‎06-23-2016 01:43 PM - edited ‎03-12-2019 12:56 AM

I'm not new to ASA firewalls at all, also know L2/L3 very well, but I'm having a terrible time getting an ASA 5500 config pulled together.

I have a lab where I'm testing an ASA 5520 active/standby failover pair prior to rolling this out, and need to have one dmz switch that can connect to both ASA firewalls. The intent is upon failover event, the devices connected to this one switch will continue to function. The 5520 is just what I have available for the lab testing, production use is on a 5525-X.

The issue I'm seeing is that, with the ASA-PRI on switch port gi0/1, and ASA-SEC on switch port gi0/2, everything is vlan1 no trunking, the switch is only accessible when the ASA-PRI is the active master unit. As soon as it transitions to standby with ASA-SEC becoming the active unit, the switch is inaccessible.

As soon as ASA-PRI becomes the active unit, viola all is well. I'm using Cat 3560 switches for the DMZ.

Thanks, Jeff

Labels:
0 Helpful
6 Replies 6

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-23-2016 02:56 PM

If you swap the ports over on the switch does the same behaviour happen, or does the exact opposite behaviour happen?

0 Helpful

jbankstonfla
Level 1
Level 1
In response to Philip D'Ath

‎06-23-2016 03:04 PM

exact opposite behavior - it follows the designated primary firewall. If I change the failover config so that ASA-PRI (forget the name for a moment) acts as failover standby, the issue follows.

Its almost like no matter what, the default gateway never follows the failed ASA. And yes, I know this is an ASA5520 running 9.1.6 code, this behavior might have changed in the 5525-X, but I'd rather see it work in the lab before I open my mouth.

Thanks, Jeff

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to jbankstonfla

‎06-24-2016 01:50 AM

Could you please post your failover configuration? It sounds like something is wrong there.

Also how does the output of "show failover" looks before the failover on the primary and after the failover on the new-primary?

0 Helpful

jbankstonfla
Level 1
Level 1
In response to patoberli

‎06-24-2016 02:04 PM

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover polltime unit 2 holdtime 6
failover polltime interface 2 holdtime 10
failover replication http
failover link stateful GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip stateful 10.0.0.5 255.255.255.252 standby 10.0.0.6
!

I removed the dmz interface out when, upon ticking the box to set it as being monitored, failover status failed on the dmz interface. Oddly enough, in a CLI session, when I ticked the box in ASDM failover config to start monitoring the dmz interface, testing of the dmz interface succeeded but I got error messages for the vpn-primary no longer in failover. Removing the dmz interface from being monitored caused failover to return to proper status.

-Jeff

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to jbankstonfla

‎07-01-2016 01:51 AM

Where is the GigE0/2 connected for both firewalls? Also on the same switch? Also same VLAN 1? (which wouldn't be allowed if my memory serves me right)

Also please, a show failover would be really useful here.

0 Helpful

Richard Bradfield
Level 6
Level 6

‎06-24-2016 01:04 AM

I assume that the dmz interface of the ASAs are monitored, and there is a standby address configured something like

nameif DMZ
 security-level 20
 ip address 172.16.168.1 255.255.255.0 standby 172.16.168.2

and the switch ip address is on the correct Vlan,as are both ports connected to the ASAs

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card