cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1105
Views
2
Helpful
7
Replies

ASA 5515-X Failover setup by using different subnet standby ip

Ozy
Level 1
Level 1

Hello community! I hope everything is well in your life.

I have 2x ASA 5515-X and I was using Active/Standby before and it was working great.

We moved in a new datacenter and in this datacennter they have 2x gateway switch.

They gave me 1 uplink cable from each gateway. 

My current diagram is below:
Current_status.png

My problem is they gave me 1 ip for each uplink cable and these ip's are only working on their cable because these ip's are two different /30 subnets.

ASA5515 Active/Standby failover configuration do not accept 2 different subnet as primary and standby ip. They have to be in the same subnet. 

 

Because of this issue I have to change my configuration!

I think there is only 2 different solution to solve this issue and in my mind I'm sure both of these solution will work but I'm trying to find a proved solution for this kind of case. Let me tell you my ideas first.

Solution 1: I will request 2 more uplink cable and cross connect. So each ipsec will be able to reach both gateway. But I have to use Active/Active because I have to configure two different interface as OUTSIDE and I have to use the 4 ip total (primary + secondary) Then I will have something like this:

PRIMARY ASA5515 device: 
Outside-int1 = x.x.x.1/30
Outside-int2 = y.y.y.1/30

SECONDARY ASA5515 device: 
Outside-int1 = x.x.x.2/30
Outside-int2 = y.y.y.2/30

With this setup, Failover must be able to work in my theory. What do you think?

New diagram will be like this:

Active-Active-setuıp.png

 

 

 

Solution 2: In the case that they can't give me 2 more uplink cable, then I can not use solution 1. In this case I have to configure an internal BGP setting I guess and redirect all the traffic on that internal BGP ip. 
I have 2x VPC enabled main switches (backbone) and I'm really not sure but I guess I have to create this bgp on the backbone and redirect all the traffic (inside<->out) I think this solution will work too but I don't know how to configure this setup.

What should I do ?

7 Replies 7

M02@rt37
VIP
VIP

Hello @Ozy,

Preference for solution 2. This solution involves implementing iBGP to manage routing and traffic redirection within your internal network. BGP can be a powerful tool for managing traffic flows and can be effective in scenarios like this.

Solution 1, using Active/Active can sometimes introduce complexity.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I agree with you but I want to continuew with Active/Active setup because it is easier for me because I know this area but I'm not sure what to do with others. 

I'm researching the solution 2 also because I only have 1 link for each gateway and 2 link total. To setup active active, I have to request 2 more link and its really hard to get new links and it take times. I was thinking solution 2 as a backup plan. But if you tell me the reasons and prove this will be better. Then I'm open to do this and learn new stuff. I only have 1 week to setup this so I'm rushing with the time also

Can we please discuss the all possible solutions in an order? 

1- What should I do to achive Active/Active ?  Do we need BGP at gateway side?

2- If I keep 2 links I have now. Can I setup Active/Backup setup with multi mod by using x.x.x.x/30 and y.y.y.y/30 on different  interface? After failover, x.x.x.x/30 will fail on secondary device but it will continue with y.y.y.y/30. So 1 link is always failed with this solution. And I think I will need an internal failover ip as a default gateway and use this internally but redirect this to active gateway ip above ASA. Thats the part I don't know how to do

3- Not using any failover. We have to use BGP at gateway side. What we have to do at ASA layer and Backbone layer? I guess HSRP or something like this.

Lets discuss all of these by the order (logical+easy) to (logical+hard) in seperate answers. 

Thank you so much for your help. You always save me my friend. You are my hero   M02@rt37 

You're so welcome @Ozy. Thanks for your kind words.

First, setting up A/A with BGP involves configuring BGP on your ASA and at the gateway side.

Configure BGP on the gateway side to handle the routing between your network and the upstream providers. Ensure BGP is set up to advertise the correct routes to both ASAs and that it can handle failover in case one ASA goes down.

BGP will handle the failover and routing between the ASAs and the gateway. BGP will automatically update routing tables based on link availability.

Setting up Active/Backup with Multi-Mode involves configuring your ASAs to use both links but prefer one over the other. You should assign a higher metric or cost to the less preferred interface to make it the backup link. Also, configure the gateway to route traffic to the ASA using both IP addresses (x.x.x.x/30 and y.y.y.y/30), and to prefer the x.x.x.x/30 link and use y.y.y.y/30 only if x.x.x.x/30 is down.

One link is prefered (Active), and traffic primarily flows through it. If that link fails, traffic is automatically redirected through the backup link (Passive).

Last scenario, BGP is used for routing without ASA failover. I think this is the least complex of the three "setups" but may not provide the same level of redundancy.

Configure BGP on the gateway to handle routing between your network and upstream providers. Advertise your network's IP ranges to the upstream providers through BGP.

This setup doesn't involve ASA failover; instead, the gateway handles routing decisions. While simpler, it may not provide the same level of failover redundancy as the previous methods.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Canceled

I couldn't get 2 more link. Solution 1 failover setup now of the table. 

I started to implement the solution 2:

  1. I destroyed both ipsec by (write erase)
  2. I configured both ipsec from scratch
  3. I didn't setup Failover this time
  4. When I setup OUTSIDE interface by using 1 layer up gateway ip's I started to receive ping from outside
  5. I setup 2x AWS ipsec tunnel on the first ASA device. I had to setup static GW at AWS side order to skip BGP routing at my side. It worked
  6. I set setup second ASA with the same configuration ant it worked aswell. 

Now instead of seting static GW at AWS side, I have to deal with BGP setup on my both ASA devices. 

You should know that, I never configured BGP before. I know the concept but it is not enough. 

Also the BGP setup is actually 1 layer above from my ASA devices. The BGP created at Gateway1 and Gateway2 routers. 

I only setup the OUTSIDE ip's as
ASA-1:(x.x.x.1) ---> GW1-router:(x.x.x.2/30)
ASA-2:(y.y.y.1) ---> GW2-router:(y.y.y.2/30)

BGP config above GW1 and GW2 and it is (z.z.z.z/28) and it includes usable 14 WAN ip's. 

So currently I don't have any control over BGP network and I don't know what should I do at this point.

I started to do some research about eBGP (extarnal BGP) setup but the guides usually about creating the setup on ASA. 

I have to learn how to use an outside BGP network inside the ASA.

Currently when I send a network package by using ASA-1:(x.x.x.1) or ASA-2:(y.y.y.1) one layer above, the GW's changes the package source to any of these 14 ip's from (z.z.z.z/28) network. 

When the receiver tries to get back to me, it sends the answer to (z.z.z.z/28) network ofc. 

But the BGP layer can not route back to the back ASA-1:(x.x.x.1) or ASA-2:(y.y.y.1) because it does not know. 

So the question is, as you see as an engineer, I know the concept but at this point I don't know what should I do ?  :)))))

 

 

Hello @Ozy 

Could please share a draw focus on that BGP ?

But the BGP layer can not route back to the back ASA-1:(x.x.x.1) or ASA-2:(y.y.y.1) because it does not know. 

It seems that ASA don't communicate subnets to BGP Gw. I'm a bit lost without a draw.

Do you check on ASAs BGP state? It should be 'Established'. 

Check if ASA announce/advertise networks through BGP peer.

Some commands: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118050-config-bgp-00.html

Thanks a lot.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Finally I understand the concept and created the eBGP setup from asa-1 <-> gw1 && asa-2 <-> gw2

The current configuration is below: 

Ozy_1-1697144349838.png

 

ASA1(config)# sh bgp summary     
BGP router identifier GW1, local AS number 64717
BGP table version is 4, main routing table version 4
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1000 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
GW1             4        65535 12      11             4    0    0 00:08:01  1       

 

ASA2(config)# sh bgp summary 
BGP router identifier GW2, local AS number 64717
BGP table version is 4, main routing table version 4
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1000 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
GW2  4        65535 13      12             4    0    0 00:07:49  1  


Now I have to research the route-map, filter list and prefix-list setup. 

Review Cisco Networking for a $25 gift card