We recently tried to implement an architecture with ASA Redundant Interfaces, but we experienced some issues and had to roll back. This is the scenario:
- 2 Active/Standby ASA 5580 (rel 8.2.1) firewalls
- 2 routers connected on the frontend of ASAs
- each ASA is connected through a double physical link to the 2 routers: one link to each router, with the 2 links belonging to the same Redundant Interface
- the 2 routers are the frontend next hop for the ASA, and they also provide L2 for the ASA thanks to a channel interconnecting them
RTR1 == == RTR2
| \ / |
| \ / |
a| / \ |a
| b / \ b |
The normal condition is: having HSRP Active on RTR1, ASA2 Primary Active and link 'a' on ASA2 Active.
Now, both links on the Primary Active ASA were 'up', but ping from ASA2 to the HSRP address didn't work at all; as soon as link 'a' was forced down, link 'b' went active and ping between ASA2 and RTR1 began working.
Do you have any idea why the connectivity between ASA2 and RTR1 (HSRP active) through active link 'a' and trunk RTR1-RTR2 didn't work?
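For readers reconstructing the setup above, here is the shape of an ASA 8.2 configuration for one unit of the described pair. This is an added example, not the poster's configuration: interface names, addresses and the failover link are assumed placeholders, and only the redundant-interface layout (two member links, one towards each router, one Active/Standby pair) is taken from the post.

```cisco
! Added example (not the poster's configuration). Interface names, IP
! addresses and the failover link are assumed placeholders; only the
! redundant-interface layout described in the post is taken from it.
!
! Two physical links, one towards each router, become members of one
! Redundant interface. Only the active member forwards traffic; the
! other takes over when the active member goes down.
interface GigabitEthernet0/0
 description link 'a' to RTR1
 no shutdown
!
interface GigabitEthernet0/1
 description link 'b' to RTR2
 no shutdown
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.0.2.11 255.255.255.0 standby 192.0.2.12
!
! Default route towards the routers' HSRP virtual address (assumed value).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Active/Standby failover. Monitoring the redundant interface means a
! failover is triggered only when the whole pair is lost, not when a
! single member link goes down.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
monitor-interface outside
```

When checking a setup like this, `show interface Redundant1 detail` reports which member is currently active, `show failover` reports the unit state, and `show arp` shows the MAC the ASA has learned for the HSRP virtual address. The active member can be switched from the CLI with `redundant-interface Redundant1 active-member GigabitEthernet0/1` rather than by shutting a link. One caveat worth keeping in mind: the redundant interface uses the MAC address of the first member added and keeps it when the active member changes, so after a member switch the routers must relearn that MAC on the other port.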