ASA Active/Standby Failover

Unanswered Question
Apr 1st, 2008

I have two ASA 5520's setup in an active standby configuration. Each pix is configured with a inside and outside interface. I am also using the other two interfaces for the failover, and stateful pair. These firewall's are directly plugged into each other (no switches in between, I don't have any cross over cables so right now they are connected using straight through cables)


I am sourcing a ping from my laptop to a website, and then I force a fail on the active firewall by unplugging one of the monitored interfaces. The failover works but it seems to take too long to failover. I timed it and found that I am able to recover my ping close to a minute later after the failover has happened. Is this normal behavior or is there something wrong in my setup.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
srue Tue, 04/01/2008 - 07:58

That's definitely not normal, even with default timeouts.


You can use the same interface for failover and stateful failover, btw.


Can you ping the failover (standby) IP addresses from the active ASA? I mean, the IP address that is directly connected with the straight through cable.


Can you post your failover config?

"sh run failover"

also, did you configure standby addresses on your interfaces?

amohabir1 Tue, 04/01/2008 - 08:26

Yes I can ping from primary to secondary fine.

I also configured standby addresses everywhere.


This is the config from the active..


failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/2

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover link stateful GigabitEthernet0/3

failover interface ip failover 192.168.20.9 255.255.255.252 standby 192.168.20.1

0

failover interface ip stateful 192.168.20.13 255.255.255.252 standby 192.168.20.

14

amohabir1 Tue, 04/01/2008 - 19:29

Okay so I figured out what was causing the issue. I have an ospf procces running. The setup included 2 layers of asa firewalls. The first set of firewalls connects to the internet on the outside interface and an internet dmz on the inside interface running failover. I generate a default route of 0.0.0.0 0.0.0.0 and advertise that to the second set of firewalls...these firewalls sit on the same dmz segment as the internet firewalls as well as protect the real inside network. The default route is then propogated to the core and beyond.


When the firewall failover happens the ospf process has to start up again on the firewall which essentially shuts it down and causes the default route to be advertised once its learned again. It uses the default ospf timers to send the hello's to establish the adjacency. Once it is re-learned by the ASA traffic starts to flow again.


My question is what is the best way to handle this situation. should I just statically assign default routes on the 2 layers of firewalls as well as default routes for all of the routers participating in the inside network?

Actions

This Discussion