WSA T1 (L4TM) with firewall cluster

Unanswered Question
Dec 5th, 2013

Hi,


I have a cluster of ASA firewalls connected to 2 different switches but only 1 WSA that I want to deploy.

The switches are 2960G, IOS 15.0(1)


ASA1 (active) and WSA -- SW1 -- trunk -- SW2 -- ASA2 (standby)


I was looking at the SPAN/RSPAN feature, and I have implemented it before, but what I wanted to do in this scenario is to SPAN ASA1 to WSA T1 and RSPAN ASA2 through the trunk to WSA T1, so that in case of failover the traffic is still monitored by the WSA without manual intervention.


Then I saw the following restriction in the config guide:

Destination Port: It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).


So my config wouldn't work.

Then I thought of using T2 on SW2 but it seems that it is used differently (1 for tx traffic, 1 for rx traffic) and this wouldn't work either.


Any ideas how I can do this?


What my config would look like (had it been supported):

SW1(config)#
 monitor session 1 source interface gigabitethernet0/1
 monitor session 1 destination interface gigabitethernet0/2 ingress untagged vlan 33
 vlan 901
  remote-span
 monitor session 2 source remote vlan 901
 monitor session 2 destination interface gigabitethernet0/2 ingress untagged vlan 33
!
SW2(config)#
 vlan 901
  remote-span
 monitor session 2 source interface gigabitethernet0/1
 monitor session 2 destination remote vlan 901


Thanks,

Patrick
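As an added example (not part of the original post), a small Python checker that parses IOS `monitor session` lines and flags any local destination port referenced by more than one session, which is exactly the 2960 restriction quoted above. Run over the SW1 configuration from the question, it reports gigabitethernet0/2 as used by sessions 1 and 2; the sample config is embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the SW1 configuration from the post above, with the local
# SPAN session and the RSPAN destination session both pointing at the WSA port.
SW1_CONFIG = """\
monitor session 1 source interface gigabitethernet0/1
monitor session 1 destination interface gigabitethernet0/2 ingress untagged vlan 33
vlan 901
 remote-span
monitor session 2 source remote vlan 901
monitor session 2 destination interface gigabitethernet0/2 ingress untagged vlan 33
"""

# Only local interface destinations consume a port; "destination remote vlan"
# lines (the RSPAN source switch side) are deliberately not matched.
DEST_RE = re.compile(r"^\s*monitor session (\d+) destination interface (\S+)",
                     re.IGNORECASE)

PREFIXES = {"gi": "gigabitethernet", "fa": "fastethernet", "te": "tengigabitethernet"}


def normalize_interface(name: str) -> str:
    """Collapse IOS spellings (Gi0/2, GigabitEthernet0/2) to one lowercase key."""
    m = re.match(r"([a-z]+)\s*(\d[\d/]*)$", name.lower())
    if not m:
        return name.lower()
    prefix, number = m.groups()
    return PREFIXES.get(prefix[:2], prefix) + number


def span_destinations(config: str) -> dict:
    """Map each local SPAN destination port to the session numbers that use it."""
    dests = defaultdict(list)
    for line in config.splitlines():
        m = DEST_RE.match(line)
        if m:
            session, port = int(m.group(1)), normalize_interface(m.group(2))
            if session not in dests[port]:
                dests[port].append(session)
    return dict(dests)


def overloaded_destinations(config: str) -> dict:
    """Return ports that would be a destination in two or more sessions, i.e.
    configurations the switch rejects, so the second feed would never reach the WSA."""
    return {port: sessions for port, sessions in span_destinations(config).items()
            if len(sessions) > 1}
```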

Ken Stieers Thu, 12/05/2013 - 15:57

Typically this is "solved" with a second WSA... as it's the way it has to work for some other web security products that use a SPAN port instead of WCCP to get a look at the data.


I'm not aware of any other clean options...
