stateful ASA FWs failover

mickpro77
Level 1

Hi,

With stateful ASA FW pairs you configure interfaces with primary and standby IPs.

Must standby IPs necessarily be within the same LAN as primaries?

If so, must they be within the same VLAN? Or can routing be used to interconnect them instead?

For MGT especially, can we simply not configure a standby IP on the MGT interfaces, so there is no IP swap for those and the FWs always have the same MGT IP regardless of failover status?

If even possible, how would that work from a replication perspective though?

 

Also, a different/second subject: the interfaces' IP swap across FWs that happens during failover, is it all done via the failover-dedicated interface and VLAN, or is it rather done on a per-interface VLAN basis?

Example:

Inside = VLAN2 = 10.0.0.1/24 standby 10.0.0.2

Outside = VLAN3 = 11.0.0.1/24 standby 11.0.0.2

MGT = VLAN4 = 172.16.0.1/24 standby 172.16.0.2

Failover = VLAN5

Is the interfaces' IP swap when failover happens all accommodated by VLAN5, or is it rather accommodated per interface/VLAN, as in each interface does it via its respective VLAN?

 

I hope I'm clear; if not, let me know.

KR


Must standby IPs necessarily be within the same LAN as primaries? Yes

The IP of the primary will swap to be used by the secondary.

The IPs of inside and outside will swap from primary to secondary.

For mgmt I am not sure, but I don't think the IP of dedicated mgmt interfaces will swap.

MHM

Hi,

Thanks for the prompt feedback.

No, yeah, I know they will, and MGT will too by the way; I'm rather trying to get an understanding of how it happens at the backend level.

Like, OK, they need to be within the same subnet, but do they need to be within the same VLAN? Or can they be routed instead?

Also, can we simply not configure a standby IP on the MGT interfaces, so there is no IP swap for those and the FWs always have the same MGT IP regardless of failover status?

Like, OK, they need to be within the same subnet, but do they need to be within the same VLAN? Or can they be routed instead?

If you use a subinterface, then both interfaces in both FWs need to be in the same VLAN.
You can also use a routed port instead of a subinterface.

How does it happen?
When the standby doesn't receive any hello from the active via a monitored interface, the standby starts using the active IP (if you have configured FW HA before, you know that we add both the active and standby IP under the interface on both devices, so the standby knows the active IP). Here the standby starts sending a GARP declaring "I own this IP now"; this GARP makes all other devices, like the SW, change the port from the one pointing to the old active FW to the standby (new active FW).

Also, can we simply not configure a standby IP on the MGT interfaces, so there is no IP swap for those and the FWs always have the same MGT IP regardless of failover status? Can you elaborate more?

MHM

 

OK, let me try to explain what we're trying to achieve, perhaps it will make more sense.

At the moment we have 2 FWs in a stateful pair; they are physically in different locations though, 1 is in DC-A and the other one in DC-B.

They are interconnected via VLANs that run through backbone switches and core routers and are then "stretched" across locations/DCs via xconnects, which creates broadcast domains covering 2 different and distant locations.

Like so:

FW-A ----- SW-A ----- CORE-A ----- CORE-B ----- SW-B ----- FW-B

And that for all interfaces:
Inside
Outside
MGT
Failover

Where each interface uses a different VLAN:
Inside - VLAN2
Outside - VLAN3
MGT - VLAN4
Failover - VLAN5

A total of 4 VLANs stretched therefore.

From a L3 perspective it looks like this:
Inside - 10.0.0.1/24 (DC-A) standby 10.0.0.2 (DC-B)
Outside - 11.0.0.1/24 (DC-A) standby 11.0.0.2 (DC-B)
MGT - 172.16.0.1/24 (DC-A) standby 172.16.0.2 (DC-B)
Failover - none (failover works with L2 only AFAIK)

And it's working fine.

 

Now, we want to migrate the MGT interfaces to a new MGT VLAN, VLAN6 for example.
Problem is, VLAN6 is NOT stretched across DCs, and we don't want it to be.
It exists in both locations but it's secluded per DC, and it's associated with a different IP subnet per DC.

DC-A VLAN6 = 172.17.0.0/24
DC-B VLAN6 = 172.18.0.0/24

It's important to say that we do not want to change anything else, only MGT!


How can we achieve this?

Can we not simply disable failover on MGT (only), so each FW has a fixed and dedicated MGT IP instead of interchanging ones?

If even possible, how would that work with replication though?

Failover - none (failover works with L2 only AFAIK) <<- so it is standalone, not HA

MHM

I think what you can try to do in this case is to configure each ASA management interface on its own without using the "standby" keyword on the IP address configuration line. Example:

Primary ASA:

interface management 0/0
  ip address 172.17.0.1 255.255.255.0

Secondary ASA:

interface management 0/0
  ip address 172.18.0.1 255.255.255.0

I think that way the management IP addresses will not be overwritten, but please test that and let us know if it works, as I don't have any ASA handy at the moment to test it out.
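As an added example (not from this thread, Cisco, or any poster's devices), a small Python check over a constructed ASA running-config fragment: it verifies that every configured standby address sits in the primary's subnet, as stated earlier in the thread, and separately reports interfaces configured without the standby keyword, which is the per-unit management addressing proposed above. The interface names, nameifs and addresses in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed ASA running-config fragment (not taken from the thread's devices):
# the thread's inside/outside pairs, a mgmt line without "standby", and one
# deliberately broken pair whose standby lies outside the primary's subnet.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface GigabitEthernet0/1
 nameif outside
 ip address 11.0.0.1 255.255.255.0 standby 11.0.0.2
interface Management0/0
 nameif management
 ip address 172.17.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.1.1 255.255.255.0 standby 192.168.2.2
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def parse_interfaces(config):
    """Return a list of (interface, nameif, primary, mask, standby-or-None)."""
    result, name, nameif = [], None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name, nameif = line.split(None, 1)[1], None
        elif line.strip().startswith("nameif "):
            nameif = line.split()[1]
        else:
            m = IP_RE.match(line)
            if m and name:
                result.append((name, nameif, m.group(1), m.group(2), m.group(3)))
    return result

def check_standby(config):
    """'ok': standby in primary's subnet (address swaps on failover);
    'no_standby': fixed per-unit address; 'standby_off_subnet': misconfigured."""
    findings = {}
    for name, nameif, primary, mask, standby in parse_interfaces(config):
        net = ipaddress.ip_network(f"{primary}/{mask}", strict=False)
        key = nameif or name
        if standby is None:
            findings[key] = "no_standby"
        elif standby != primary and ipaddress.ip_address(standby) in net:
            findings[key] = "ok"
        else:
            findings[key] = "standby_off_subnet"
    return findings
```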

mickpro77
Level 1

Hi,

Found a way to have fixed/dedicated IPs per FW, see my message in:

https://community.cisco.com/t5/network-security/how-to-fix-mgmt-interface-ip-in-asa-failover-from-switching/td-p/3699643

Thanks for your help.

You didn't answer me.

Why HA if there is no failover link?

What you get from this design?

MHM

It is a HA pair, it's working as we speak, and we even failed over back and forth successfully yesterday (without making any change to it since my first post/msg here in this thread).

There is a failover link, I never said there wasn't one; as a matter of fact I actually said there was one. However, because "run int Gi0/7 (= failover)" doesn't show IPs in the cmd output, I thought it was done via L2 (I had never configured stateful failover in Cisco ASA FWs before playing with a pair in a GNS3 lab I made for this matter), but if you run "sh int ip brief" there are IPs against the Gi0/7 ints, and if you run "sh run | i failover" you will see the failover int's config with both primary and standby IPs.

So I was wrong, there are IPs (primary + standby) configured on failover ints, apologies.

I didn't reply because I simply couldn't until today; I was getting an error message about "text containing unauthorized HTML" every time I tried to post, here and in other threads, and I even raised a complaint via "Community feedback".

And I didn't get back to you on that point today because, in my eyes, it's irrelevant.

As in, I know it is a working HA pair (I'm working on/with it everyday) and I'm therefore not after confirming whether it is or not.

But in all fairness to you, it was obviously impossible for you to know that for sure and you therefore were right to bring that point/concern up.

Thanks again for trying to help by the way, it's appreciated.

As said in my previous message, I've found a way to achieve what I was after, i.e. have fixed/dedicated MGT IPs per FW; details can be found in my message in the following thread for those who may be interested:

https://community.cisco.com/t5/network-security/how-to-fix-mgmt-interface-ip-in-asa-failover-from-switching/td-p/3699643

And so this thread can be closed.

I already know how you can use two separate mgmt VLANs, one in each FW, but I prefer to wait to get the full idea about the issue before suggesting something.

Anyway, a failover interface without IP? Can you confirm?

MHM
