New Member

ASA Failover based on IP SLA

Hello.


I have a scenario with 2 Distribution Switches (DS1 and DS2), then 2 Filtering Devices in transparent mode, and then 2 ASA Firewalls in active-standby mode, connected in the following way.

DS1 --> FD1 --> ASA1

DS2 --> FD2 --> ASA2

How can we configure failover to occur if the connectivity between DS1 and FD1 is down (while the link status between ASA1 and Filtering Device 1 is still up)? Is it possible with IP SLA?


Regards

Rahul

15 REPLIES
VIP Green

If you want to perform a hardware failover when there is no connectivity between DS1 and FD1, then this is not possible. The interface on ASA1 or the link between ASA1 and FD1 would need to fail for a failover to occur.

If ASA1 had a connection to FD2 then you could use SLA to initiate a route failover (though I have had varied success with this on the ASA).

--

Please remember to select a correct answer and rate helpful posts

New Member

Hello,


I am not looking for any route failover with IP SLA. Is there any solution available so that, if the monitored interface (LAN) of the active firewall is logically down (not physically), the failover will happen from standby to active?

VIP Green

If the interface is logically down, then the ASA will perform a series of connectivity tests to determine if the link really is down. If the ASA determines that the link is down, then a failover will occur.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces, for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:

1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.

2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the "Unknown" state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed security appliance returns to standby mode if the interface failure threshold is no longer met.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html#wp1042489

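The four-step test sequence quoted above is easier to reason about when the decision rules are written out as code. The following is an added example, not ASA code and not part of the original thread: it simulates the quoted rules (Link Up/Down test first, then Network Activity, ARP and Broadcast Ping, each run on both units, with the per-test "one unit sees traffic, the other does not" rule and the final Failed/Unknown outcome), and it applies the failed-interface threshold to decide whether a failover is triggered. All packet counts are constructed inputs; the `InterfaceProbe`, `evaluate_pair` and `failover_required` names are mine, and the threshold default of 1 is an assumption stated in the code. The real ASA implementation may differ in details the quoted text does not spell out.

```python
from dataclasses import dataclass

# Order in which the network tests run once the Link Up/Down test passes.
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")


@dataclass
class InterfaceProbe:
    """Constructed observations for one unit's monitored interface.

    unit:    label of the failover unit ("ASA1", "ASA2", ...)
    link_up: outcome of the Link Up/Down test
    rx:      packets counted during each (up to 5 second) network test window;
             a test missing from the dict counts as zero packets received
    """
    unit: str
    link_up: bool
    rx: dict


def evaluate_pair(a: InterfaceProbe, b: InterfaceProbe):
    """Apply the quoted test sequence to the same interface on both units.

    Returns {unit: state} with state in {"Operational", "Failed", "Unknown"}.
    """
    # Link Up/Down test. The quoted text only says the network tests run when
    # the link is operational; here a unit whose link is down is marked Failed
    # (assumption) and no network tests are needed for that pair.
    if not a.link_up or not b.link_up:
        return {
            a.unit: "Operational" if a.link_up else "Failed",
            b.unit: "Operational" if b.link_up else "Failed",
        }

    for test in NETWORK_TESTS:
        got_a = a.rx.get(test, 0) > 0
        got_b = b.rx.get(test, 0) > 0
        if got_a and got_b:
            # Both units received traffic: both interfaces operational, stop.
            return {a.unit: "Operational", b.unit: "Operational"}
        if got_a != got_b:
            # One unit received traffic and the other did not: the silent
            # unit's interface is considered failed, stop.
            return {
                a.unit: "Operational" if got_a else "Failed",
                b.unit: "Operational" if got_b else "Failed",
            }
        # Neither unit received traffic: move on to the next test.

    # Every test was silent on both units: neither can be blamed, so both
    # interfaces go to Unknown and do not count towards the failover limit.
    return {a.unit: "Unknown", b.unit: "Unknown"}


def failover_required(interface_states, threshold=1):
    """Decide whether a unit's failed-interface count meets the threshold.

    interface_states: list of states for one unit's monitored interfaces.
    Only "Failed" counts; "Unknown" interfaces are ignored as the text says.
    threshold defaults to 1 (assumption: the common interface-policy setting).
    """
    failed = sum(1 for state in interface_states if state == "Failed")
    return failed >= threshold


def demo():
    """Two constructed cases walked through the rules."""
    # Case 1: ASA1 hears nothing in any test while ASA2 sees traffic already in
    # the Network Activity test -> ASA1's interface is Failed after test 2.
    silent = InterfaceProbe("ASA1", True, {})
    busy = InterfaceProbe("ASA2", True, {"network_activity": 37})
    case1 = evaluate_pair(silent, busy)

    # Case 2: a quiet segment where neither unit receives anything in any
    # test -> both Unknown, and a single Unknown interface triggers nothing.
    case2 = evaluate_pair(InterfaceProbe("ASA1", True, {}),
                          InterfaceProbe("ASA2", True, {}))
    return case1, failover_required([case1["ASA1"]]), case2, failover_required([case2["ASA1"]])


if __name__ == "__main__":
    print(demo())
```

The useful observation for the thread's scenario is the last branch: an upstream problem that leaves both units' inside interfaces silent in every test produces Unknown on both sides and no failover, which is the behaviour to expect when the traffic loss is not visible as a difference between the two units.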
New Member

But how would this re-route the internal traffic to use firewall 2? That is what you are looking for, isn't it, Rahul?

VIP Green

If the interface link is down, it would initiate a failover to the standby ASA (if all the conditions are met). As I mentioned earlier, if there is a failure between DS1 and FD1 then it is not possible to initiate a failover to ASA2.

New Member

Hello cweatherford1, you are right. So there is no way to perform failover if the interface between DS1 and FD1 is down!! (:)

VIP Green

Isn't that what I mentioned in my initial post?


Couldn't you set up OSPF and make sure it is set up to use the preferred route if both are up, and then if that path goes down it would just send the traffic the other way?


Mike

New Member

Do you think OSPF will initiate failover if the neighbor is down (still the physical interface is up)?


Rahul

New Member

Hi Rahul,

Do you have two different ISPs connected to each firewall?

Chad

New Member

Hello,


We were talking about the inside interface connectivity with respect to device failover, not the outside links.


Regards

Rahul

Hi Rahul,


I am not sure, but you can try this option and see if that works for you.


! Redundant interface pairing two physical members; only one member is
! active at a time, the other takes over when the active member's link fails.
interface redundant 1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ! For an active/standby pair the standby unit's address is given with the
 ! "standby" keyword, not as a bare second address.
 ip address <primary IP address> <mask> standby <standby IP address>
!

One link from FD1 and one link from FD2 to be connected....


same way on the other firewall....


But I am not sure if this works.....


Regards

Karthik


New Member

Hi Karthik,


With this scenario, we can't go ahead with the redundant interface configuration, as there will be 2 FD devices connected to both ASAs.


Regards

Rahul

Hi Rahul,


If so, you can go with 2 interfaces in ASA1 and 2 interfaces in ASA2, each with 2 connections from FD1 and FD2 respectively..... In this case you may not achieve the failover... but even if the connection from FD1 fails, it will take ASA1 out of the path...... but for this you need to have proper routing in place to get this done.....

Because among the member interfaces, always 1 interface will be active.... 1 interface will be on standby.... so some of your requirement will work....


Regards

Karthik

New Member

Hi Karthik,


The FD device will have one inside interface and one outside interface. The above solution is not suitable in this case.


Regards

Rahul
