cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
829
Views
10
Helpful
7
Replies

ASA 1140 fail over scenario involving 9300s

Hi All

 

 

I have 2 x Cisco 1140 Fws running in ASA mode. Active/Standby

 

2 x 9300s with a trunk between ten 

Cisco have depreciated the Redundant interface on the 1140s

 

I have configured sub interfaces on one of the ports of FWs with 2 x vlans going from primary switch to active FW and 

the same 2 x vlans on the standby FW going into the secondary switch so should one of the FWs or switches going down ( in this instance lets say one of the primary devices). Monitor interface on the FW will detect and failover.

 

with a port-channel scenario it will still be the same detection.

 

I want to have failover independent on the switches without having to rely on the monitor interface of the FWs and for them not to be the masters in this scenario..

 

is there a way for the switches to detect or do some failover. 

 

I appreciate that there is no VSS or stack wise virtual on the 9300 

 

 

Thanks in advance 

 

7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

 

Not sure I follow. 

 

The firewalls have failover because they monitor the state of their interfaces and the switches have failover presumably because you are running HSRP or something like that ? 

 

Are you asking if the switches can somehow detect if a firewall fails and use the standby firewall ? 

 

If so why would you need this when the firewalls can detect this themselves and move the firewall VIP to the standby firewall ? 

 

Jon

can you more elaborate?

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @JamesSimpson34554 ,

>> I want to have failover independent on the switches without having to rely on the monitor interface of the FWs and for them not to be the masters in this scenario..

 

This is conceptually wrong the two Catalyst C9300 cannot be the decision makers they just provide  per VLAN connectivity to both FP1140 units on (one or more LAN ports) that are working in Active/Standby failover.

 

The standby ASA listens for heartbeats from the master unit and receives information about the state of the sessions NAT and s on. 

You should use dedicated links for  failover and STATE and connect the ASA directly between themselves if this is not possible you should use dedicated VLANs that are carried= allowed over the inter switch L2 trunk.

 

If you want to be on the safe side you should consider to use a dedicated port-channel on the two switches to propagate the failover and STATE VLANs so that you can provide a fault tolerant path with dedicated resources separated from VLANs carring user traffic and without competition between the two types of communications control plane and data plane of ASA.

 

The decision about who is the master can be taken only the ASA units themselves.

 

Hope to help

Giuseppe

 

I understand your topology but what I don't understand why you not want monitor the IN and Out of FW?

anyway 
the failover link is detect the alive of other Peer, if the ASA not receive the hello message the ASA start failover process which in first step send message in all data interface between the two FW.

 

when you not monitor the IN/Out data interface in FW there is a big chance of split brain, where for any reason the active failed to send periodic hello message to standby, and you disable monitor then the standby will assume the active FW is failed and start failover process. 
the monitor of data interface ensure that the active FW is failed not failover link is failed.

how SW know the the ASA failover between active and standby??
the FW standby will USE ALL IP ADDRESS OF PREVIOUS ACTVIE FW
this how failover, for user there is no traffic drop except the time the new active FW adjutancy with SW<<-
here the new active FW will inform SW that IP can reach now from different port  (port connect old standby new active to SW2).

 

 

 

When a switch breaks I want the alternative switch to take over without triggering failover in the FW 

 

But isn't the active firewall connected to one of the 9300 switches and the standby connected to the other 9300 switch ? 

 

In which case a failure of the switch connecting the active firewall means you failover to the standby firewall anyway. 

 

Jon

One suggestion 

Two sw config as stackwise,

Each fw connect via port channel to both SW this make if one sw is down the fw will not effect.

Review Cisco Networking for a $25 gift card