Redundant/Backup Connectivity

Kenny McLean
Level 1

Hi there,

I'm looking for some guidance when setting up failover on our network. I've attached a diagram which hopefully explains how my network is set up for internet access.
Basically I have 2x ASA configured in an Active/Standby pair. Each is connected to our service provider's MPLS routers (running HSRP), with a single connection between our ASA-FW01 and their MPLS-RTR01, and another single connection between our ASA-FW02 and their MPLS-RTR02.

My question is, how does outgoing traffic react to a failure on the outside interface on the primary MPLS-RTR01?

As the interface connected between the ASA-FW01 and MPLS-RTR01 does not fail, the ASAs will not fail over. So how does traffic re-route to the HSRP address, which is now active via MPLS-RTR02, if there is no physical connection between ASA-FW01 and MPLS-RTR02?

The two MPLS routers belong to our service provider, so I have no input to the configuration of them. All I have been told is that I should configure my firewalls to control internet access.

I did request secondary links between our firewalls and their routers (FW01->MPLS-RTR02 and FW02->MPLS-RTR01), but was told that this would add no resilience.

Any guidance/help/pointers on this would be greatly appreciated.

Cheers

1 Reply

Jorge Lozano
Level 1

Hi,

This doesn't seem to be the usual setup, where the ASA would directly have 2 different interfaces connected to 2 different routers.

You can use IP SLA to track a public address; if the connection gets lost, the route is erased from your routing table.

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets
 timeout
 frequency
sla monitor schedule 1 life forever start-time now

You will also need a configuration related to the command "track"

track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 192.168.1.1 track 1
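The tracked-route mechanism from the reply, written out as a complete ASA configuration with the verification commands a practitioner would run afterwards. This is an added example, not the replier's own configuration; the probe target 8.8.8.8, the gateway 192.168.1.1 and the interface name "outside" are taken from the reply above, while the probe count, timeout and frequency are assumed values chosen for illustration.

```text
! --- SLA probe: ICMP echo to a public address, sourced from the outside interface ---
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3          ! assumed: 3 echoes per probe run
 timeout 1000           ! assumed: 1000 ms before an echo counts as lost
 frequency 10           ! assumed: run the probe every 10 seconds
sla monitor schedule 1 life forever start-time now
!
! --- Track object: "up" while the probe reports the target reachable ---
track 1 rtr 1 reachability
!
! --- Default route with metric 1, installed only while track 1 is up ---
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
!
! --- Verification (exec mode) ---
! show sla monitor configuration 1        -> probe parameters as applied
! show sla monitor operational-state 1    -> latest probe result (success/failure counts)
! show track 1                            -> Reachability is Up / Down
! show route                              -> the tracked default route present or withdrawn
```

In the topology asked about, ASA-FW01 has only one outside path, so when the track goes down the default route is withdrawn and the active unit is left with no default route rather than an alternative one. A tracked route going down does not by itself trigger ASA Active/Standby failover to ASA-FW02; failover reacts to unit and monitored-interface health, not to track objects.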