Cisco ASA Failover mechanism (Data Center)

Answered Question
Aug 22nd, 2008

Hi,


The scenario is:


A data center router routes the traffic to the customer network. The edge device in the customer network is a Cisco ASA in failover mode. I would like to know, in the event the primary unit fails, how the data center router would route the traffic to the new primary unit, or how the traffic switches over to the new ASA unit.


The outside of the Cisco ASA is defined with public IPs.


Thanks.



If the primary unit fails (assuming you are doing active/standby mode), the data center router will learn that the IP address of the ASA is now available on the standby firewall.


Remember that during a failover situation, where the secondary becomes the active firewall, it answers ARP for the primary (failed) firewall's IP.


This will be nearly instantaneous to the data center router. What is required is that the data center router has a layer 2 path to the outside interface of BOTH firewalls. This way it is assured to always be able to resolve the active firewall at layer 2 via ARP / frame forwarding...


I would also look into stateful failover using a LAN interface for connection redundancy.


Thanks,


Joe

cisco_realm Fri, 08/22/2008 - 12:38


So would the router ARP table look something like this?


IP: (Primary/Failed ASA Outside IP), MAC: (Standby/New Active ASA Outside MAC).


Thanks.

Correct Answer

The standby takes over the primary's MAC also when becoming active. The data center router's ARP table will not change. This is by design; the goal is complete transparency.

The layer 2 MAC address CAM table will change (i.e. the data center's switch fabric will take a different link to the MAC formerly used by the now failed primary).


You may need a layer 2 switch (or two linked together) in front of your ASAs, between them and your data center's uplinks...


You won't if they are just putting your two ASA outside interfaces in one VLAN in their network.


Most of the time we get 2 uplinks in a cage to the ISP for this reason. If they are putting both of those links in a dedicated VLAN on a 6509/Foundry switch, then we can just connect the ASAs to the data center links.


Some will want their own switches in their cage to touch the ASAs, to make sure failover is not affected by the data center provider's switch fabric.


-Joe

cisco_realm Fri, 08/22/2008 - 13:20


On the same note Joe, is it possible to use a private IP for 'standby' on the outside interface of the ASA (knowing that the active is configured with a public IP)?


Just to save the public IP for another use.

Correct Answer
Frederick Reimer Fri, 08/22/2008 - 13:30

No, the standby needs to be in the same subnet. However, there's no reason either the active or standby address needs to be a public address. The public IP space doesn't actually need to be on a physical Ethernet segment; it just needs to get routed through the ASA. If you have VPN technology in the ASA also, and say a pair of external routers doing BGP to two separate ISPs, there's no reason you can't do a NAT on the router for the VPN endpoint to the ASA's non-public outside interface address, and route the rest of the public IPs to the ASA for other static translations.
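An added configuration check (not from the thread or from Cisco) for the point made above: the `standby` address on an ASA failover interface must sit in the same subnet as the active address, while neither has to be public. The interface snippets below are constructed with RFC 5737 / RFC 1918 addresses, and the second one deliberately violates the rule.

```python
import ipaddress
import re

# Constructed ASA interface configuration (example data, not from the thread).
# "outside" is valid; "inside" has a standby address in a different subnet.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.0.1 255.255.255.0 standby 192.168.0.2
"""

NAMEIF_LINE = re.compile(r"^\s*nameif (\S+)")
IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+) standby (\S+)\s*$")


def check_failover_addressing(config: str) -> dict:
    """Map each nameif to None (ok) or a string describing the addressing problem.

    Rule checked: the standby address must be a usable host address in the
    subnet defined by the active address and mask, and must differ from it.
    """
    results, nameif = {}, None
    for line in config.splitlines():
        name_match = NAMEIF_LINE.match(line)
        if name_match:
            nameif = name_match.group(1)
            continue
        ip_match = IP_LINE.match(line)
        if not ip_match or nameif is None:
            continue
        active, mask, standby = ip_match.groups()
        # strict=False lets ipaddress accept a host address with its mask.
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        standby_ip = ipaddress.ip_address(standby)
        if standby_ip not in net:
            results[nameif] = f"standby {standby} is outside {net}"
        elif standby_ip == ipaddress.ip_address(active):
            results[nameif] = "standby address equals the active address"
        elif standby_ip in (net.network_address, net.broadcast_address):
            results[nameif] = "standby is the network or broadcast address"
        else:
            results[nameif] = None
    return results


if __name__ == "__main__":
    for name, problem in check_failover_addressing(ASA_CONFIG).items():
        print(f"{name}: {problem or 'ok'}")
```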

