Ok, I've searched through tens of documents and examples and googled for any possible clues, but for the life of me I can't see how "asr-group" command is actually needed in active/active failover. All examples say that return traffic could come back to the other active unit of the second context on the second ASA... but why? Why would it come back to the second context? When originally my traffic exits active unit on the first context on the first ASA, it gets natted to that context's outside IP address. The routers on the outside have an ARP entry for that unique IP and active unit's 1st context mac address. Even if the return traffic returns through the second ISP why would it try to go to a different mac address and a different IP address on the active unit of the second context on the second ASA?
I'm using shared outside interface with "mac-address auto"
For every possible NAT scenario, I can't see how traffic can be asynchronous.
1. Outside PAT to Global. Traffic exits PATed to 192.168.0.1. Return traffic would always come back to 192.168.0.1. How could it come back to 192.168.0.4?
2. Static NATs. Each context would have a set of unique static NATs with global IPs from the 192.168.0.0/24 range or some other range. The "other" range would be routed on RTR1 and RTR2 to the specific context IP: either 192.168.0.1 for first context A range, or 192.168.0.4 for second context B range. Again, I don't see how traffic can be asynchronous.
3. No NAT. Again, routing should direct return traffic to the correct IP: 192.168.0.1 or 192.168.0.4
Can someone please clarify how asymmetric routing is possible here?
I have a problem with the very first sentence in the documentation: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html#wp1102712
"When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit." My question is how is that possible?
Please kindly look at the example in that particular documentation that you have pointed out. Please check out "Figure 15-9 shows the ASR support working as follows:" section for the flow.
The only scenario is when you have 2 ISPs configured upstream. There are times when the outbound connection goes through the first ASA and then the first ISP; however, for whatever reason (route failure, etc.), the return connection comes back through the second ISP. Hence, the traffic is being routed through the second ASA, but since the traffic is not supposed to be routed through the second ASA, without the asr-group command the second ASA will drop the packet automatically. With the asr-group command, the second ASA will check with the first ASA and route the packet back towards the first ASA to be routed correctly via the first ASA.
This feature is really just to accommodate companies that have 2 ISP connections for load balancing and don't run BGP, hence the 2 ISP routers are not communicating with each other, and traffic that is supposed to be destined for ISP-1 is somehow routed through ISP-2.
Hope that answers your question.
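To make the drop-versus-forward decision from the reply above concrete, here is a small Python model of the two-ISP case from the question (outbound via ASA1/ISP-1, return via ISP-2 landing on ASA2). This is an added illustration, not Cisco code and not anything from the ASA documentation; the unit names, the 192.168.0.1 NAT address reused from the question, the peer address and the rule that both units must carry the same asr-group number are constructed assumptions of the model.

```python
"""Toy model of the ASA active/active asymmetric-routing (asr-group) decision.

Constructed example: two units, each owning one active context. Stateful
failover is assumed to replicate each unit's connection table to its peer,
which is what lets the peer recognise a return packet it did not originate.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The 5-tuple a return packet for this flow carries."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class Unit:
    name: str
    asr_group: Optional[int] = None            # interface-level asr-group number, None if unset
    conns: Set[Flow] = field(default_factory=set)       # connections this unit built
    peer_conns: Set[Flow] = field(default_factory=set)  # replicated from the peer (stateful failover)
    peer: Optional["Unit"] = None

    def open_outbound(self, flow: Flow) -> None:
        """Outbound connection built on this unit; state is replicated to the peer."""
        self.conns.add(flow)
        if self.peer is not None:
            self.peer.peer_conns.add(flow)

    def receive_return(self, pkt: Flow) -> str:
        """Decide what happens to a return packet arriving on this unit's outside interface."""
        if pkt.reverse() in self.conns:
            return "accept"                     # our own connection, normal stateful path
        # Assumed rule: asr-group only helps when both units carry the same group number.
        if (self.asr_group is not None and self.peer is not None
                and self.peer.asr_group == self.asr_group
                and pkt.reverse() in self.peer_conns):
            return f"forward-to-{self.peer.name}"  # hand the packet to the owning unit
        return "drop"                           # no matching connection: dropped as stray


def pair(a: Unit, b: Unit) -> None:
    a.peer, b.peer = b, a


def scenario(asr_asa1: Optional[int], asr_asa2: Optional[int]) -> dict:
    """Outbound built on ASA1 (PATed to 192.168.0.1); the return packet shows up on ASA2."""
    asa1, asa2 = Unit("ASA1", asr_asa1), Unit("ASA2", asr_asa2)
    pair(asa1, asa2)
    outbound = Flow("192.168.0.1", 40000, "203.0.113.5", 443)  # constructed flow
    asa1.open_outbound(outbound)
    ret = outbound.reverse()
    return {"on_asa1": asa1.receive_return(ret), "on_asa2": asa2.receive_return(ret)}


if __name__ == "__main__":
    print("no asr-group:      ", scenario(None, None))
    print("asr-group 1 on both:", scenario(1, 1))
    print("mismatched groups: ", scenario(1, 2))
```

Running it shows the three outcomes the reply describes: without asr-group the second ASA drops the return packet, with matching asr-group numbers it forwards the packet to the first ASA, and in every case the first ASA accepts the packet directly.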