Cisco ASA HA & OSPF setup query

marioderosa2008 · ‎01-26-2015

Hi all,

we want to implement two Cisco ASA 5515x's in a HA setup.

Inside interface of both ASA's will be in the same VLAN spanned accross two geographically dispersed DC's using 10gig ethernet link.

Now...

The two core switches that the Cisco ASA will connect to are autonomous switches... no etherchannel, vPC, VSS etc...

So, for OSPF on the inside between the ASA's and the Core's, will each ASA appliance have its own OSPF neighbor to its directly attached core switch?

Or, will only the Active Appliance have an OSPF neighborship?

Because our core's are not running etherchannel, vPC or VSS, I cannot see how the Core's can maintain an OSPF neighborship during a failover.

Does anyone have experience with this kind of setup? We do not want static routes on our network for every VPN that we set up. We would like ASA to advertise new VPN routes in to the Core as and when a new VPN is configured.

Is this possible?

Thanks

Mario

marioderosa2008 · ‎01-27-2015

Hi all, further to this, I have come accross the term "Redundant Interfaces" in the user guide of the ASA.

It advises that you can configure two physical interfaces as a single logical interface as an active standby interface and that a failure in the active interface brings up the standby interface with the same MAC as the active interface.

My question is, is this only on a single appliance, or can members of a redundant interface be on two separate appliances?

If the latter is correct, then that may answer my OSPF neighbor query above as the core switches will just see the same MAC learned somewhere else and OSPF should stay up.

Any advice on this is gratefully appreciated.

Mario