Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
477
Views
0
Helpful
2
Replies

ASA issue with multihomed ISPs

shillings
Level 4
Level 4

‎02-06-2012 09:21 AM - edited ‎03-11-2019 03:24 PM

Hi,

Outbound load balancing works fine via eBGP and Provider Independant IPs. All good.

But my plan to load balance inbound traffic is not working out. I was relying on the outside interface of the Standby ASA to go down when the firewall was in standby mode. This would prevent the directly connected WAN switch from injecting the ASA subnet into OSPF, but the interface stays up/up.

Even without standby IPs on the outside interface, it stays up/up on the stanby ASA. This means both my WAN switches are advertising the same IP range to each WAN router, but nly one firewall is ever going to pass the traffic.

Thought about OSPF filtering to make it work, but that's seems like a dead end too.

Maybe I could scrap OSPF and use IP SLA to ping a unique IP on the active ASA, such as the failover link. If the ping fails, then remove the best static route to the active ASA and fall back to a second static router to the other ASA.

Any ideas/pointers?

PS NAT is done on the firewalls, so I've currently splilt the /24 PI IPs in half. Half for the outside infrastructure and half for the NATing on the ASA outside interface.

PPS There are two WAN routers, two WAN switches and obviously the two firewalls.

Labels:
0 Helpful
2 Replies 2

shillings
Level 4
Level 4

‎02-06-2012 10:06 AM

I've added a strap between WAN switches and flattened out the connectivity with the ASAs, plus running HSRP to provide a single next hop for the ASA default route.

Not perfect traffic flow now, if the Active ASA fails, but at least it load balances.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎02-06-2012 10:09 AM

Hello,

You are right, the only way to make this work will be using SLA monitoring so you can monitor via ICMP messages the ISP state.

Regards,

Do rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card