Solved: Re: What protocol does HA in cisco ASA uses???

Pravin Raj Kanagaraj · ‎11-24-2018

Hi

What protocol does HA in cisco ASA uses???

Thank you

Regards,
Pravin Raj K
Network Engineer

Abheesh Kumar · ‎11-24-2018

Hi,

ASA uses ip-proto-105 & ip-proto-8 protocol for HA. Failure is detected by sending hello messages each other at regular intervals. Hello messages are sent to all interfaces configured for failover to check the health status of interfaces.

The concept of ASA failover is rather simple: Two devices are connected to the network as they normally would be, and they are connected to each other to communicate failover information. When the ASA detects a device or interface failure, a failover occurs. What exactly happens when a failover occurs depends on the mode of failover being used.

There are two different failover modes that are supported on the ASA platform: active/passive and active/active.

Configuring failover requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a state link. The health of the active units and interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

Cisco recommends that the bandwidth of the stateful failover link should at least match the bandwidth of the data interfaces.

HTH

Abheesh

View solution in original post

Abheesh Kumar · ‎11-24-2018

Hi,

ASA uses ip-proto-105 & ip-proto-8 protocol for HA. Failure is detected by sending hello messages each other at regular intervals. Hello messages are sent to all interfaces configured for failover to check the health status of interfaces.

The concept of ASA failover is rather simple: Two devices are connected to the network as they normally would be, and they are connected to each other to communicate failover information. When the ASA detects a device or interface failure, a failover occurs. What exactly happens when a failover occurs depends on the mode of failover being used.

There are two different failover modes that are supported on the ASA platform: active/passive and active/active.

Configuring failover requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a state link. The health of the active units and interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

Cisco recommends that the bandwidth of the stateful failover link should at least match the bandwidth of the data interfaces.

HTH

Abheesh

Pravin Raj Kanagaraj · ‎11-26-2018

Thanks

Regards,
Pravin Raj K
Network Engineer

mkazam001 · ‎11-24-2018

In Active/Standby Failover, both appliances send hello messages to monitor the status of each other.

They use a dedicated link called the failover control link to do this.

There is also an optional stateful failover link to replicate the stateful information from the Primary ASA.

Regards, mk

Please rate if helpful or solved :)

Steven Williams · ‎11-24-2018

I don't think it is recommended to use a dedicated cable from ASA to ASA for LAN failover. You should run this through a downstream layer 2/3 switch.

Marvin Rhoads · ‎11-26-2018

>98% of the ASA HA pairs I have installed and seen (several hundred) use a dedicated cable and not an intermediary switch.

Typically a 6" Cat 5e or better cable that's never touched will be more reliable than an active device.

Steven Williams · ‎11-26-2018

I see dedicated for the stateful failover, but LAN failover I never use dedicated because its not actually recommended. I actually think in the past I have been able to gain more flexibility with using a switch for things like IP SLA.

Shared with the Failover Link

Sharing a failover link is the best way to conserve interfaces. However, you must consider a dedicated interface for the state link and failover link, if you have a large configuration and a high traffic network.

Dedicated Interface

You can use a dedicated data interface (physical, redundant, or EtherChannel) for the state link. For an EtherChannel used as the state link, to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used.

Connect a dedicated state link in one of the following two ways:

Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASAdevice.
Using an Ethernet cable to connect the appliances directly, without the need for an external switch.

If you do not use a switch between the units, if the interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which unit has the failed interface and caused the link to come down.

The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

For optimum performance when using long distance failover, the latency for the state link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

Avoiding Interrupted Failover and Data Links

We recommend that failover links and data interfaces travel through different paths to decrease the chance that all interfaces fail at the same time. If the failover link is down, the ASA can use the data interfaces to determine if a failover is required. Subsequently, the failover operation is suspended until the health of the failover link is restored.

See the following connection scenarios to design a resilient failover network.

Scenario 1—Not Recommended

If a single switch or a set of switches are used to connect both failover and data interfaces between two ASAs, then when a switch or inter-switch-link is down, both ASAs become active. Therefore, the following two connection methods shown in the following figures are NOT recommended.

Figure 1. Connecting with a Single Switch—Not Recommended

Figure 2. Connecting with a Double-Switch—Not Recommended

Scenario 2—Recommended

We recommend that failover links NOT use the same switch as the data interfaces. Instead, use a different switch or use a direct cable to connect the failover link, as shown in the following figures.

Figure 3. Connecting with a Different Switch

Pravin Raj Kanagaraj · ‎11-28-2018

Hey Steven, thanks for the great insights to the HA concepts.

Also can you tell me what protocol HA uses ? ping uses icmp, what does HA uses?

Regards,
Pravin Raj K
Network Engineer

Pravin Raj Kanagaraj · ‎11-26-2018

Hey, you lost the question, my question is the protocol its uses,

for eg, ping uses icmp protocol....

Likewise what protocol HA uses in failover concepts

Regards,
Pravin Raj K
Network Engineer

Cezar Fistik · ‎11-24-2018

You can run a traffic capture on your HA ports if you want to look inside the actual packets.

Pravin Raj Kanagaraj · ‎11-26-2018

Thanks for the notes

Regards,
Pravin Raj K
Network Engineer