ASA Failover based on IP SLA

Rahul Babu
Level 1

Hello.


I have a scenario with 2 Distribution Switches (DS1 and DS2), then 2 Filtering Devices in transparent mode, and then 2 ASA Firewalls in active-standby mode, connected in the following way.

DS1--> FD1 -->ASA1 

DS2--> FD2 -->ASA2

How can we configure failover to occur if the connectivity between DS1 and FD1 is down (while the link from ASA1 to Filtering Device 1 is still up)? Is it possible with IP SLA?


Regards

Rahul

16 Replies

If you want to perform a hardware failover when there is no connectivity between DS1 and FD1 then this is not possible.  The interface on ASA1 or the link between ASA1 and FD1 would need to fail for a failover to occur.

If ASA1 had a connection to FD2 then you could use SLA to initiate a route failover (though I have had varied success with this on the ASA).

--

Please remember to select a correct answer and rate helpful posts

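The route failover the reply above refers to, written out as an added example (it is not configuration from the original thread). It assumes that ASA1 has a second inside-side link to FD2, named inside2 here, that 10.1.1.1 is an address on DS1 reachable only through FD1, that 10.1.2.1 is the next hop through FD2, and that 10.0.0.0/8 is the internal address space; the interface names, addresses and SLA/track IDs are all assumptions.

```text
! Added example, not from the thread. Assumed: 'inside' faces FD1/DS1,
! 'inside2' is a hypothetical second link to FD2/DS2, 10.1.1.1 is an
! address on DS1 reachable only through FD1, 10.0.0.0/8 is the internal space.
!
! ICMP probe to DS1, sent out the primary inside interface every 5 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 10.1.1.1 interface inside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object goes down when the probe stops getting replies
track 1 rtr 10 reachability
!
! Primary route via FD1/DS1, installed only while track 1 is up
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1 track 1
! Floating backup route via FD2/DS2, used once the tracked route is withdrawn
route inside2 10.0.0.0 255.0.0.0 10.1.2.1 254
!
! Verification after pulling the DS1-FD1 link:
! show sla monitor operational-state 10
! show track 1
! show route
```

Two things to check before relying on this. The probe target must be reachable only through the tracked path: if 10.1.1.1 can also answer via inside2, the SLA keeps succeeding after the DS1-FD1 link fails and the route never flips. And this is route failover inside ASA1 only; it changes the next hop, not which unit of the active-standby pair is active, which is the distinction the original question turns on.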

Hello,

I am not looking for any route failover with IP SLA. Is there any solution available so that, if the monitored interface (LAN) of the active firewall is logically down (not physically), failover will happen from standby to active?

If the interface is logically down then the ASA will perform a series of connectivity tests to determine if the link really is down.  If the ASA determines that the link is down then a failover will occur.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces, for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:

1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.

2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the "Unknown" state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed security appliance returns to standby mode if the interface failure threshold is no longer met.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html#wp1042489

--

Please remember to select a correct answer and rate helpful posts

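The interface monitoring the quoted documentation describes, as an added active/standby configuration example (not configuration from the original thread). Interface names, addresses, the shared key placeholder and the timer values are assumptions; GigabitEthernet0/3 is assumed to be a dedicated failover link between the two units.

```text
! Added example, not from the thread. Assumed interface names, addresses
! and timer values; Gi0/3 is assumed to be a dedicated failover link.
!
! --- primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key <shared-secret>
!
! Hellos on monitored interfaces every 1 s; an interface enters the test
! sequence quoted above after missing hellos for half of the 5 s hold time
failover polltime interface 1 holdtime 5
! Fail over as soon as one monitored interface is declared Failed
failover interface-policy 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
! Only monitored interfaces count toward the interface policy
monitor-interface inside
failover
!
! --- secondary unit: same block, except ---
! failover lan unit secondary
!
! Verification during a test of the DS1-FD1 failure:
! show monitor-interface   (Normal / Testing / Failed / Unknown per interface)
! show failover            (unit state and last failover reason)
```

The thing to verify rather than assume: every step of the quoted test sequence decides on whether the unit receives any frames on that interface (the peer's hellos, ARP replies, broadcast ping replies). Whether a failure upstream of FD1 trips the tests therefore depends on what ASA1's inside interface still receives through FD1 while the DS1-FD1 link is down, and on whether ASA2's inside receives traffic during the same test window; if both units fail the tests the interface goes to Unknown and does not count toward the policy at all. `show monitor-interface` on both units during the test shows which case applies.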

But how would this re-route the internal traffic to use firewall 2? That is what you are looking for, isn't it, Rahul?

If the interface link is down it would initiate a failover to the standby ASA (if all the conditions are met).  As I mentioned earlier if there is a failure between DS1 and FD1 then it is not possible to initiate a failover to ASA2.

--

Please remember to select a correct answer and rate helpful posts


Hello cweatherford1, you are right. So there is no way to perform failover if the interface between DS1 and FD1 is down!

Isn't that what I mentioned in my initial post?

--
Please remember to select a correct answer and rate helpful posts

Couldn't you set up OSPF and make sure it is configured to use the preferred route if both are up, and then if that path goes down it would just send the traffic the other way?


Mike

Do you think OSPF will initiate failover if the neighbor is down (still the physical interface is up)?


Rahul

Chad W
Level 1

Hi Rahul,

Do you have two different ISP's connected to each firewall?

Chad

Hello,


We were talking about the inside interface connectivity with respect to device failover, not the outside links.


Regards

Rahul


nkarthikeyan
Level 7

Hi Rahul,


I am not sure, but you can try this option and see if that works for you.


interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 ip address <primary IP address> <mask> standby <secondary IP address>
 nameif inside
!

One link from FD1 and one link from FD2 are to be connected.


The same way on the other firewall.


But I am not sure if this works.


Regards

Karthik


Hi Karthik,


With this scenario, we can't go ahead with the redundant interface configuration, as there will be 2 FD devices connected to both ASAs.


Regards

Rahul


Hi Rahul,


If so, you can go with 2 interfaces in ASA1 and 2 interfaces in ASA2; each will have 2 connections, from FD1 and FD2 respectively. In this case you may not achieve the failover, but even if the connection from FD1 fails, it will take ASA1 to exit out; for this you need to have proper routing in place to get this done.

Because among the member interfaces, always 1 interface will be active and 1 interface will be on standby, so some of your requirements will work.


Regards

Karthik
