ASA (Active Standby) Site to Site VPN Question

Answered Question
Aug 20th, 2010

Hi,


I have the items below:

Site A - 1 unit of Netscreen VPN firewall

Site B - 2 units of ASA VPN firewall

[Image: NetworkDiag.JPG]

I'm trying to configure a Site to Site VPN but am facing some problems with the active/standby configuration.

At first I tried Site A with 1 Netscreen and Site B with 1 ASA for the site to site VPN. There was no problem.

But if I add another ASA at Site B and configure it as Active/Standby, then I have some questions that I need some help with here.

Things that confuse me:

1) Do I need to use 2 public IPs on the ASA? (one public IP for Active and another public IP for Standby; it seems like a waste of public IPs.)

2) Can the failover link and stateful failover be configured on the same interface?


Please help on this case: how to configure a Site to Site VPN with an Active/Standby configuration.

praprama Fri, 08/20/2010 - 07:58

Hi,


> 1) Do I need to use 2 public IPs on the ASA? (one public IP for Active and another public IP for Standby; it seems like a waste of public IPs.)


It is not necessary that you need a standby public IP on the ASA. The point is that, when the ASAs are in failover, they exchange something called hello packets on every interface for "interface health monitoring" and on the failover interface for "unit health monitoring". So if you do not have a standby IP for the outside interface, the active ASA will not be able to exchange these hello packets on the outside interface with the standby ASA.


So, in the output of "show failover" your outside interface on the Active ASA will show the state as "primary IP (waiting)" and the standby ASA will show as "0.0.0.0 (waiting)". Waiting due to the fact that no hello packets are being exchanged. Hence, you will not be able to monitor the outside interface for failover in this case, and neither will you be able to connect to the Standby ASA at any point using the outside interface's IP address if you need to SSH/Telnet to it, etc.


So to ensure the ASAs stop monitoring the outside interface in such a case, you can use the command


no monitor-interface outside


I have used "outside" in my description above assuming that outside is the name of your internet-facing interface. Please substitute it with whatever you have in your configuration.


> 2) Can the failover link and stateful failover be configured on the same interface?


Yes, you can use the same interface for the failover interface and the stateful link, but it is recommended to have dedicated interfaces in case you have a heavy load on the ASAs.


The Site to site VPN on the ASA is going to be the same. There are not going to be any differences. Hope this helps.


Let me know if you have any doubts.


Thanks and Regards,

Prapanch

Correct Answer
Jitendriya Athavale Fri, 08/20/2010 - 08:09

Just to add on to this,


Just be careful when you dedicate an interface for stateful failover; make sure that it is of the highest capacity or at least the same capacity as the other interface.


So if you are using a gig interface for passing traffic, use a gig port for stateful failover. Many times we have seen people using the management interface for stateful failover when they have gig ports, and they run into issues wherein the stateful function is not working as expected.


You can read more here:


https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759

yepweizhi84 Sun, 08/22/2010 - 19:08

Thanks Praprama and Jathaval for the reply.


I will disable monitoring on the OUTSIDE interface.

Just to check, for active/standby ASA firewalls:

1) If I have only one ISP, can I assign the same public IP on both ASA outside interfaces?

2) If I have two ISPs, can I assign two different IPs on the two ASA outside interfaces for load balancing (active/active or active/standby)?

Correct Answer
Richard Burts Sun, 08/22/2010 - 20:36

Your original question was in terms of active/standby so I will answer in terms of active/standby.

1) Yes you would configure the same IP address from the ISP on both ASA outside interfaces. You seem to not quite realize that when you configure a pair of ASA in active/standby that they share the same configuration. In configuring interfaces in active/standby you configure an "active" IP address and (usually) a "standby" IP address (but the standby address is not required as discussed in previous posts). The ASA that is active will have the active address and the ASA that is standby will have the standby address (if one is configured). For example let us think about a situation in which there are 2 ASAs (A and B) and addresses are configured as 1.1.1.1 and 1.1.1.2. In the beginning let us assume that A is active and B is standby. So A will have address 1.1.1.1 and B will have 1.1.1.2. Then assume that there is some fail over event. Now B is active and A is standby (or perhaps out of service depending on what type of fail over event it was). So now B has address 1.1.1.1 and A would have 1.1.1.2.

2) I am not clear how to interpret the second part of your question. If you have 2 ISPs (connected to 2 different interfaces) then you should be able to configure addresses from each ISP on each interface and active/standby would work. How to use those addresses will depend on how you have configured the ASA. If your question is asking if you can configure an address from one ISP on ASA A and configure an address from the other ISP on ASA B then that does not work with active/standby. You should be able to do this with active/active but that gets into a significantly different type of failover configuration and operation.


HTH


Rick

Correct Answer
praprama Sun, 08/22/2010 - 22:17

Hi,


So as Richard said, to your first question, if you configure only an active IP address for the outside interface without a standby IP, then depending on which ASA is active at the moment, that ASA will take up that IP address while the standby ASA will show its outside IP as 0.0.0.0.


With regards to your second question, if you would like to configure your outside interface in the following format:


ip address 1.1.1.1 255.255.255.0 standby 2.2.2.1


assuming 1.1.1.1 and 2.2.2.1 are the 2 IP addresses you have gotten from your 2 ISPs, this will not be possible because they both lie in different subnets, and the ASA will pop up an error with the subnet being different for the two IP addresses (one is 1.1.1.0/24 and the other is 2.2.2.0/24).

If you would like to monitor the outside interface, the only way to go about it will be to get a 2nd IP address from the ISP in the same subnet that you already have and add that as the standby IP address to the outside interface. Let me know if there is anything that is unclear or if I have understood wrong.


Regards,

Prapanch
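As an added example (not from the thread or from Cisco), the following Python check applies the two points made in the replies above to an ASA interface configuration before it is pasted into the active unit: a standby address outside the active address's subnet is rejected, as the ASA itself would reject it, and any interface that has no standby address but is still monitored is flagged so that `no monitor-interface <nameif>` can be added. The configuration text and interface names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the thread): outside has a standby IP from a
# second ISP's subnet, inside is correct, dmz has no standby IP at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0 standby 2.2.2.1
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
MON_RE = re.compile(r"^\s*(no )?monitor-interface (\S+)\s*$")


def check_failover_addressing(config: str) -> list[str]:
    """One finding per interface whose addressing breaks active/standby.
    Rule 1: the standby IP must be in the active IP's subnet (ASA rejects it otherwise).
    Rule 2: an interface with no standby IP exchanges no hellos, so it needs
            'no monitor-interface <nameif>' (physical interfaces are monitored by default).
    """
    addrs, monitored, nameif = {}, {}, None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := IP_RE.match(line)) and nameif:
            addrs[nameif] = m.groups()          # (active, mask, standby or None)
        elif m := MON_RE.match(line):
            monitored[m.group(2)] = m.group(1) is None
    findings = []
    for name, (active, mask, standby) in addrs.items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if standby is None:
            if monitored.get(name, True):
                findings.append(f"{name}: no standby IP; add 'no monitor-interface "
                                f"{name}' or get a second ISP address inside {net}")
        elif ipaddress.ip_address(standby) not in net:
            findings.append(f"{name}: standby {standby} not in {net}; "
                            "ASA will reject this line")
    return findings


if __name__ == "__main__":
    for finding in check_failover_addressing(SAMPLE_CONFIG):
        print(finding)
```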
