
Dual ASA5510 Active/Passive to dual core switches

Matthew Ratliff
Level 1

I have two ASA5510 firewalls configured in a active/passive failover.  There are also two core switches.  Firewall 1 is directly connected to core 1 and firewall 2 is directly connected to core 2.  Each network closet is dual homed to the core switches and I'm doing a routed access design using EIGRP stub routing.  What is the best approach for connecting the firewalls to the network?  EIGRP, HSRP, GLBP, VSS?  Any other thoughts on this?

6 Replies

Marwan ALshawi
VIP Alumni

Well, ASA does not need HSRP/GLBP as it uses its own failover mechanism, so you need to keep the ASAs connected as you described, but for traffic going to core2 that needs to be firewalled, it will go over the interswitch link between the core switches and up to the active ASA1.

This is something you can improve if you can use VSS in the core and multi-home the firewalls to both of the VSS peers, to improve the traffic path and the load over the inter-switch link.

Using routing in the firewall might be helpful if you need the firewall to advertise and participate in routing with another routing domain, or you have too many routes that are hard to summarize using static routes.

Hope this helps.

Thank you

shillings
Level 4

Just to add to marwanshawi's helpful comments above - If you decide to run an IGP on the firewalls then you might like the standby unit to be fed the dynamically learned routes from the active ASA. This feature helps to minimise disruption following a failover. However, it's only available in version 8.4 software onwards.

What's linking your two core switches, by the way? Is it a WAN link or are they just different comms rooms within your campus?

Yeah, I'm running an 8.4 version of the code and the dynamically learned routes are being pushed from the active to the standby perfectly.  

I have a routed interface between the two cores.  My issue is just getting my network to realize that the active ASA is on the 2nd core and vice versa.  It's as if the core that connects to the standby unit thinks that the primary ASA is still active, so it provides that dynamic route to the rest of the network.  What I need is for my dynamic updates to show that the active ASA is actually on the other core.  How do I achieve that?  Should I use an SLA on the switches?  Should I take a whole other approach?

Can you provide a diagram with IP addressing. I'm struggling to interpret the issue in my mind. I presume you have a different subnet configured on the standby, whilst it's in standby mode of course. Is the active ASA advertising a default route? If so, I don't understand how the standby could be seen as the gateway. We need more information really - at least I do

Reference alternatives, a simple approach is to have a single broadcast domain connecting both ASA inside interfaces and both core switches. The ASA pair can then point to a single next hop IP address in order to reach the LAN (i.e. a HSRP virtual IP). Maybe static routing will then be sufficient and you can further simplify the design by removing your IGP from the ASAs. But of course you need a VLAN between the two core switches for this topology to work.

Because the ASAs need a shared layer 2 VLAN between them spanning the two cores to get the failover and VIP working, VSS can help fix this easily.

Hope this helps.

Sent from Cisco Technical Support iPhone App
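As an added illustration of the shared-inside-VLAN design suggested above (a single broadcast domain for both ASA inside interfaces and both cores, HSRP VIP as the ASA next hop, static routing on the ASAs, VLAN extended across the inter-switch link), and not configuration posted by any of the participants, here is a minimal IOS/ASA 8.4 config. All addresses, interface names, the VLAN and HSRP group numbers, and the EIGRP AS are constructed assumptions.

```cisco
! --- ASA (failover pair; everything but "failover lan unit" replicates) ---
! ASA 8.4 syntax. Interface names, addresses and group numbers are constructed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
!
! The active unit always owns 10.0.10.1 and sends gratuitous ARP on failover,
! so the cores need no routing update to find the active ASA.
route inside 10.0.0.0 255.0.0.0 10.0.10.254 1
!
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover interface ip FOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover link FOVER GigabitEthernet0/3

! --- Core1 (connected to ASA1) ---
interface Vlan10
 description ASA inside segment, extended to Core2 over the inter-switch trunk
 ip address 10.0.10.252 255.255.255.0
 standby 10 ip 10.0.10.254
 standby 10 priority 110
 standby 10 preempt
!
! Both cores point at the floating ASA address, not at a per-core ASA subnet.
ip route 0.0.0.0 0.0.0.0 10.0.10.1
!
router eigrp 100
 network 10.0.0.0
 redistribute static metric 10000 100 255 1 1500

! --- Core2 (connected to ASA2); only the address and HSRP priority differ ---
interface Vlan10
 ip address 10.0.10.253 255.255.255.0
 standby 10 ip 10.0.10.254
 standby 10 priority 90
 standby 10 preempt
!
ip route 0.0.0.0 0.0.0.0 10.0.10.1
!
router eigrp 100
 network 10.0.0.0
 redistribute static metric 10000 100 255 1 1500

! --- Inter-switch link, both cores: VLAN 10 must ride the trunk so HSRP
! hellos and both ASA inside interfaces share one segment across the cores ---
interface Port-channel1
 switchport trunk allowed vlan add 10
```

Because the active ASA's inside address moves with the failover, whichever core the active unit sits behind simply forwards toward 10.0.10.1 across the trunk; no SLA tracking or per-core route injection is needed to signal which ASA is active.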
