ASA Active/Standby

Answered Question
Jul 14th, 2009

Couple questions. About to implement this scenario with two ASA5520s. I plan to have these two connected to two 4506s running as core switches. My question is, do the ASAs need a dedicated link to each other for their communication, or can they communicate active/standby info with each other through their links to the dual 4506s? The 4506s will be running EIGRP with default routes to the ASAs. The 4 devices will be connected with a /29 subnet. Please see the attachment. The ASAs do not have sub interfaces. They are connected to the 4506s on the same VLAN, VLAN 2. Will I need a direct link between the two ASAs? Thanks. I just want to make sure I understand this right.

Todd Pula Tue, 07/14/2009 - 10:41

You will need to dedicate an interface on each ASA for failover. These interfaces can either connect back to your core switches on an isolated VLAN or can be connected directly with a crossover cable. Please refer to the following doc for failover requirements and configuration on the ASA platform.

cowetacoit Tue, 07/14/2009 - 10:59

So I would keep my current IP config but add 1 more interface per ASA and connect them to a layer 2 VLAN on the dual cores? Also I have a question about my default routes on the dual 4506s. As I mentioned, I'm running EIGRP on the 4506s. Since I'll have two 4506s and 2 ASAs, what will my default route point to?

Correct Answer
Todd Pula Tue, 07/14/2009 - 12:03

Your existing IP config will need to be updated to include standby IP addresses for the pair. In an active/standby scenario, the active ASA will manage the primary interface IPs and will use the failover link for replication and keepalives. In a failure scenario, the secondary ASA will take over control of the primary interface IPs. This will allow you to point your default route to the same IP irrespective of what ASA is active at that time. Below is a sample failover config.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.11 255.255.255.0 standby 11.11.11.12
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/2
failover key *****
failover link Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2

cowetacoit Tue, 07/14/2009 - 12:08

Nice, you answered my question. Any issues running this on a production ASA, or should I wait until a maintenance window?

cowetacoit Tue, 07/14/2009 - 12:52

One last question. I see you have a standby IP on the OUTSIDE interface. Is this needed? I have a public IP on my ASAs' OUTSIDE interface; would I need a second public IP for the second ASA's OUTSIDE int?

Todd Pula Tue, 07/14/2009 - 13:27

You will want both the inside and outside interfaces configured with a secondary address. This address must be from the same subnet as the active IP address.

cowetacoit Tue, 07/14/2009 - 15:47

I've read through some documentation and see where Cisco recommends adding the secondary IP address for all data interfaces. I am trying to understand how certain things like S2S and remote access VPNs will work now. We have several remote ASAs that use the primary public IP for S2S, and clients that are configured to use the primary public IP. Could you explain this a little more? Thank you so much for your help.

Correct Answer
Kureli Sankar Tue, 07/14/2009 - 16:47

This is not a secondary address but a standby address.

The roles are primary and secondary, but the states are active and standby.

Whichever unit is active will assume the active MAC at layer 2 and the active IP at layer 3. This active MAC and active IP are always the primary unit's, except for the failover interface. Those will continue to use their own IP and MAC.

When we fail over we always send gratuitous ARP, so the adjacent devices can update their ARP and MAC address tables.

So, even for the outside interface you should have a standby IP; otherwise monitoring of the interfaces will not be possible. Failover will still work.
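An added check, my own script and not code from this thread or from Cisco, that parses a show-run style ASA config like the one Todd posted and flags the points raised above: a data interface with no standby IP (so it cannot be monitored), a standby address outside the active interface's subnet, and a failover link that is also a named data interface. The sample config embedded in it is constructed for the demonstration, with the inside interface deliberately missing its standby address.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config; the inside interface deliberately lacks a standby address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 11.11.11.11 255.255.255.0 standby 11.11.11.12
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.11 255.255.255.0
!
interface GigabitEthernet0/2
!
failover lan interface Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
"""
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def parse_interfaces(config):
    """Map interface name -> {nameif, ip, mask, standby} from show-run style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "ip": None, "mask": None, "standby": None}
        elif line.startswith("!"):
            current = None
        elif current and line.strip().startswith("nameif "):
            interfaces[current]["nameif"] = line.split()[1]
        elif current and (m := IP_RE.match(line)):
            interfaces[current].update(ip=m.group(1), mask=m.group(2), standby=m.group(3))
    return interfaces

def check_failover_config(config):
    """Return the findings a reviewer would raise; an empty list means the pair is consistent."""
    findings, ifaces = [], parse_interfaces(config)
    link = re.search(r"^failover lan interface \S+ (\S+)\s*$", config, re.M)
    if link and ifaces.get(link.group(1), {}).get("nameif"):
        findings.append(f"{link.group(1)}: failover link must be dedicated, not a named data interface")
    for name, i in ifaces.items():
        if not (i["nameif"] and i["ip"]):
            continue  # not an addressed data interface (e.g. the failover link)
        net = ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)
        if not i["standby"]:
            findings.append(f"{i['nameif']} ({name}): no standby IP, so the interface cannot be monitored")
        elif ipaddress.ip_address(i["standby"]) not in net:
            findings.append(f"{i['nameif']} ({name}): standby {i['standby']} is not in {net}")
    return findings
```

Run check_failover_config on the output of show running-config from the primary unit; the inside interface in the sample is reported, and it goes quiet once a standby address in 10.10.10.0/24 is added.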

cowetacoit Tue, 07/14/2009 - 18:34

Ok. So whichever device is active will assume the role of the active MAC and IP address (all interfaces except failover). So if the active ASA failed, the standby ASA would take over using the active MAC and IP of the active ASA?

cowetacoit Wed, 08/12/2009 - 05:17

I need to bring this topic back up. Since each ASA will be connected to 2 4506s on the LAN side, I assume I will have an SVI on each 4506 for int vlan 2? Then I'll just include vlan 2 in the trunk between the two 4506s? Thanks!

4506_1

vlan 2
 name 4506_ASA
!
interface vlan 2
 ip address 10.10.2.2 255.255.255.0
!

4506_2

vlan 2
 name 4506_ASA
!
interface vlan 2
 ip address 10.10.2.3 255.255.255.0

Then trunk vlan 2 between the 4506s.

Todd Pula Wed, 08/12/2009 - 06:07

You got it. VLAN 2 will be defined on both switches. You may also look into using HSRP on the core 4506s in order to provide for further resiliency. As for the dedicated failover link, you can either configure it in a similar fashion as above using a dedicated VLAN or you can use an xover connection between the two chassis.

cowetacoit Wed, 08/12/2009 - 06:13

For failover, I'm using a dedicated layer 2 VLAN. I am already running HSRP on a few DC VLANs; everything else is P2P links with EIGRP. I wouldn't run HSRP on the vlan 2 SVIs, would I? Seems like it would conflict with my ASA failover on the LAN side.
