Solved: Re: ASA - Active/standby topology

troysipple · ‎12-25-2020

I am trying to set up a basic active/standby topology in GNS3. In all the setups that I'm seeing, there is a L2 switch on each side of the ASAs.

I have a core switch and a gateway router between my ASAs. My core switch is L3 and doing routing between my vlans. This topology worked with just one ASA. The problem that I'm running into is if I assign an IP address on the core's uplinks, there would be an IP address overlap to keep them in the primary / secondary IP addresses on the ASAs. The same thing applies to the router. How do I set something like this up?

Georg Pauwen · ‎12-27-2020

Hello,

I labbed this up, and ended up using a bridge group for the router. Here are the working configs (IP addressing an interfaces used are obviously arbitrary, make sure they match what you actually have configured):

ASA1

interface GigabitEthernet0/0
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/1
description Link to GigabitEthernet0/0 Novi_Core_10
nameif inside
security-level 100
ip address 192.168.20.2 255.255.255.255.0 standby 192.168.20.254
!
interface GigabitEthernet0/2
Uplink to GigabitEthernet0/0 R1
nameif outside
security-level 0
ip address 192.168.30.1 255.255.255.0 standby 192.168.30.254
!
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/0
failover key asa123
failover interface ip FAILOVER 10.67.14.65 255.255.255.252 standby 10.67.14.66

ASA2

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/0
failover lan key asa123
failover link FAILOVER GigabitEthernet0/0
failover interface ip FAILOVER 10.67.14.65 255.255.255.252 standby 10.67.14.66

R1

hostname R1
!
no ip domain lookup
ip cef
no ipv6 cef
!
bridge irb
!
interface GigabitEthernet0/0
description Downlink to GigabitEthernet0/2 ASA1
no ip address
duplex auto
speed auto
media-type rj45
bridge-group 1
!
interface GigabitEthernet0/1
description Downlink to GigabitEthernet0/2 ASA2
no ip address
duplex auto
speed auto
media-type rj45
bridge-group 1
!
interface BVI1
ip address 192.168.30.2 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip

Novi_Core_10

interface GigabitEthernet0/0
description Uplink to GigabitEthernet0/1 ASA1
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet0/1
description Uplink to GigabitEthernet0/1 ASA2
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface Vlan 20
ip address 10.67.20.1 255.255.255.0

View solution in original post

Georg Pauwen · ‎12-26-2020

Hello,

the typical active/standby failover setup indeed involves logical L2 connectivity, which you don't have (as far as I can tell from your description). So you have to get creative, and you could use sla monitoring and EEM scripts to trigger the failover.

What criteria do you want the failover to be triggered by ? If you want it to be triggered by let's say by the failure of the uplink to the router (R1), the IP address of that interface is what you monitor, and when it it not reachable, an EEM script will execute.

Let's say the IP address of the uplink interface on the ASA1 that is connected to R1 is 192.168.1.1/30. On the ASA1, you would configure this (one script for when the interface is down, one script for when it is up):

track 1 rtr 1 reachability

!

sla monitor 1

type echo protocol ipIcmpEcho 192.168.1.1 interface outside

num-packets 3

frequency 10

!

event manager applet ASA1_R1_DOWN

event track 1 state down

action 1.0 cli command "conf t"

action 2.0 cli command "interface GigabitEthernet0/0"

action 3.0 cli command "shut"

action 4.0 cli command "end"

!

event manager applet ASA1_R1_UP

event track 1 state up

action 1.0 cli command "conf t"

action 2.0 cli command "interface GigabitEthernet0/0"

action 3.0 cli command "no shut"

action 4.0 cli command "end"

This is just the very basic config, since we don't know what (if any) routing is in place in your network.

paul driver · ‎12-26-2020

Hello

FYI - I am not sure any EEM scripting can be used to accomplish ASA HA clustering as suggested by @Georg Pauwen

Regards ASA clustering although its recommended to use L2 interconnected interfaces for the for the Failover and Statefull HA cluster links in your lab setup it isn't necessarily required however it looks like anyway you can use them with the topology you have posted

See attached for ASA HA example:

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen · ‎12-26-2020

@paul driver

What part of my suggestion did not work when you tested this ? I tried to recreate pretty much the exact setup OP posted. Curious to know where you got stuck...

paul driver · ‎12-26-2020

Hello @Georg Pauwen
I didn't test anything, I was simply stating an HA paring with the topology shown in this post was still applicable and the example you provided using EEM wont produce any kind of high availability for the two fws for which the OP suggested it would do is basic monitoring of link failure.

In fact because no clustering will be created so no synchronization of the fws would be achieved thus all configuration, routing, state tables, tcp connections etc. Would need to be managed separately, you would still have two separate fws using EEM.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎12-26-2020

you need inside and outside ASA failover connect to SW then connect to other router.
here only the inside the outside it connect to router directly.

i.e. the router and the two outside to two ASA must share the same subnet

troysipple · ‎12-26-2020

I agree with what you're saying. In the real world, would you use a small 8 port switch to connect it to the ASA1, ASA2 and R1? Is there anyway to eliminate the switch, and make both of the R1 interfaces (to ASA1 and ASA2) on the same subnet.

MHM Cisco World · ‎12-26-2020

Use one SW and two different VLAN,
VLAN for inside
VLAN for outside

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ha_overview.html

see above link for different design

troysipple · ‎12-26-2020

Could someone show me a real world example with Active/standby or clustering? I am imaging an outside 24 port switch with 3 connections in it. That would be a waste of 21 ports.

MHM Cisco World · ‎12-26-2020

friend as I mention before no need SW
use inside SW and config two VLAN
VLAN 1 for inside
VLAN 2 for outside

troysipple · ‎12-26-2020

What part of the link that you provided shows how to do this? Can you provide me with a picture or a video?

MHM Cisco World · ‎12-26-2020

troysipple · ‎12-26-2020

How do you incorporate this picture with my design above? The Core switch needs to be on the same network as both of the ASAs. You can do that with an SVI. How do you do it with a router? I can't connect two links from the router to the ASAs and keep them on the same subnet. There will be an overlap.

Georg Pauwen · ‎12-27-2020

Hello,

I labbed this up, and ended up using a bridge group for the router. Here are the working configs (IP addressing an interfaces used are obviously arbitrary, make sure they match what you actually have configured):

ASA1

interface GigabitEthernet0/0
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/1
description Link to GigabitEthernet0/0 Novi_Core_10
nameif inside
security-level 100
ip address 192.168.20.2 255.255.255.255.0 standby 192.168.20.254
!
interface GigabitEthernet0/2
Uplink to GigabitEthernet0/0 R1
nameif outside
security-level 0
ip address 192.168.30.1 255.255.255.0 standby 192.168.30.254
!
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/0
failover key asa123
failover interface ip FAILOVER 10.67.14.65 255.255.255.252 standby 10.67.14.66

ASA2

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/0
failover lan key asa123
failover link FAILOVER GigabitEthernet0/0
failover interface ip FAILOVER 10.67.14.65 255.255.255.252 standby 10.67.14.66

R1

hostname R1
!
no ip domain lookup
ip cef
no ipv6 cef
!
bridge irb
!
interface GigabitEthernet0/0
description Downlink to GigabitEthernet0/2 ASA1
no ip address
duplex auto
speed auto
media-type rj45
bridge-group 1
!
interface GigabitEthernet0/1
description Downlink to GigabitEthernet0/2 ASA2
no ip address
duplex auto
speed auto
media-type rj45
bridge-group 1
!
interface BVI1
ip address 192.168.30.2 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip

Novi_Core_10

interface GigabitEthernet0/0
description Uplink to GigabitEthernet0/1 ASA1
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface GigabitEthernet0/1
description Uplink to GigabitEthernet0/1 ASA2
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface Vlan 20
ip address 10.67.20.1 255.255.255.0

troysipple · ‎12-27-2020

Thanks! Last night, I just learned you could create a BVI on a router. I only knew you could do it on an ASA.