Solved: Two ASA 5510 (Active / Standby) connecting to two stack switches

dapo dimeji · ‎11-16-2015

Hello All,

I have a change in design with my ASA (Active / standby) connecting two stand alone switches. I previously had the active ASA connected to Switch 1 and the standby connected to switch 2. The two switches were trunked via a physical cable.

Switch 1 had three interfaces connected to the Active ASA and Switch 2 had three interfaces connected to the standby ASA:

i.e Switch 1 Config

interface Vlan15
ip address 12.170.15.2 255.255.255.0
standby 25 ip 12.170.15.1
standby 25 priority 120
standby 25 preempt

interface Vlan17
ip address 19.175.18.7 255.255.255.0
standby 17 ip 25.175.18.1
standby 17 priority 120
standby 17 preempt

i.e Switch 2 Config

interface Vlan15
ip address 12.170.15.3 255.255.255.0
standby 25 ip 12.170.15.1

interface Vlan17
ip address 19.175.18.8 255.255.255.0
standby 17 ip 25.175.18.1

I have replaced the two switches with a 3750-x stack switch (two), as it is a stack switch I can only configure an IP Address per Vlan interface, so Vlan 15 & 17 config of switch 1 remains on the stack switch. Now because my Primary ASA has two interface and the failover connected to Switch 1 of the stack switch and the Secondary ASA also has two interface and the failover connected to Switch 2 of the stack switch , I now have two different cross stack ports (i.e : Gig 1/0/1 & Gig2/0/1 and also Gig1/0/2 & Gig2/0/2) interfaces on the switch flapping.

Also the secondary ASA has assumed Active state although i have power cycled it, it still comes back up as Active.

I would like to get some help if there is a better way of having both ASA ( Active / Standby) connected to the stack switch.

I appreciate your response.

Regards

Rolando Valenzuela · ‎11-17-2015

If you need multiples IPs on the same VLAN you can uses the secondary keyword (but using secondary IPs is not a best practice)

ie

interface Loopback99
ip address 10.10.10.1 255.255.255.255
ip address 10.10.10.2 255.255.255.255 secondary

Now, I dont understand why having just one IP is a problem, you need to send the the traffic to an specific IP, why it cannot be the same?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Regarding the failover, have you tried to force it? On the active firewall you can do the following:

CiscoASA# no failover active

On the standby firewall you can do the following:

CiscoASA# failover active

Rolando Valenzuela.

View solution in original post

Boris Uskov · ‎11-18-2015

Hello,

I think, you'd better avoid cross stack connections in your case. Please, see the attach.

With cross stack (left schema), if one of the switches fails, both ASAs will lose one interface.

Without cross stack (right schema), if one of the switches in the stack fails, only one ASA will loose all of its connections. The second ASA will have all interface in UP state and will assume the Active role (if it was Standby).

View solution in original post

Rolando Valenzuela · ‎11-17-2015

If you need multiples IPs on the same VLAN you can uses the secondary keyword (but using secondary IPs is not a best practice)

ie

interface Loopback99
ip address 10.10.10.1 255.255.255.255
ip address 10.10.10.2 255.255.255.255 secondary

Now, I dont understand why having just one IP is a problem, you need to send the the traffic to an specific IP, why it cannot be the same?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Regarding the failover, have you tried to force it? On the active firewall you can do the following:

CiscoASA# no failover active

On the standby firewall you can do the following:

CiscoASA# failover active

Rolando Valenzuela.

Boris Uskov · ‎11-18-2015

Hello,

I think, you'd better avoid cross stack connections in your case. Please, see the attach.

With cross stack (left schema), if one of the switches fails, both ASAs will lose one interface.

Without cross stack (right schema), if one of the switches in the stack fails, only one ASA will loose all of its connections. The second ASA will have all interface in UP state and will assume the Active role (if it was Standby).

Rolando Valenzuela · ‎11-18-2015

Good point Boris!
When I read this thread, I imagined something like your right schema, but I never point it out!

Thanks for sharing!

Rolando Valenzuela.

dapo dimeji · ‎11-19-2015

Thanks Guys your replies have been really helpful, I restarted both ASA's (Active / Standby) and made sure I powered up the Primary ASA first before the secondary. The primary is now running as Active and the secondary as Standby. I guess the seconday ASA might have gotten confused when i moved some cables around while connecting to the new installed stacked switch ( the order of operation might have be faulty).

Boris# I will look into changing the ASA connection to the switch from cross Stack to non-Cross stack, as it is a better design if one of the stack switch fails.

Many thanks guys.