12-15-2013 09:02 AM - edited 03-11-2019 08:18 PM
Hi,
In the attached ASA design, traffic is operational. BUT when I type “show failover”, I can see that the status is Normal for the inside interfaces of both ASAs, but the status appears as Waiting for the outside interfaces of both ASAs.
I can ping from the inside interface of one ASA to the other ASA's inside interface, but I am unable to ping from the outside interface of one ASA to the other ASA's outside interface.
I think the reason is that both ASA inside interfaces are connected via a Layer-3 switch (HSRP enabled), but both ASA outside interfaces are connected via routers. Although we have connected both routers (standby/active) to create Layer-2 connectivity for ASA failover, that doesn't seem to be working.
Both routers are running BGP, and traffic is preferred via one router; in case of its failure, traffic will be diverted to the other.
Please advise why I am unable to ping from one ASA's outside interface to the other ASA's outside interface, and also advise the BEST SOLUTION in this case.
Thanks
12-15-2013 09:18 AM
Hi,
It seems to me that the "inside" has L2 connectivity between the ASAs, but the "outside" still doesn't have L2 connectivity between the ASAs, as there is a completely different network between the routers according to the attached picture.
You won't be able to PING the Standby device because there is no L2 connectivity between the ASA "outside" interfaces. Naturally the ASA sees the destination IP address as part of a directly connected network, therefore it tries to ARP for the destination address, which does not succeed because there is no actual L2 connection between the units on the "outside" for the ARP to work.
We have usually used L3 switch stacks, or routers with switch modules, etc., to both handle the BGP routing and provide the ASA failover the required L2 link on the "outside".
- Jouni
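The symptom described in this thread (inside shows Normal (Monitored), outside sits in Waiting on both units) is exactly what a quick parser of `show failover` output should surface during a change window or a post-incident check. The following is an added example, not code from the thread or from Cisco; the sample output, hostnames and addresses are constructed to mirror the thread's description and are not taken from the poster's environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of ASA "show failover" output (an assumption, not from the
# thread): inside is Monitored on both units, outside is stuck in Waiting,
# which is the state reported by the original poster.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
This host: Primary - Active
        Active time: 3256 (sec)
          Interface inside (192.168.1.1): Normal (Monitored)
          Interface outside (10.10.10.1): Normal (Waiting)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface inside (192.168.1.2): Normal (Monitored)
          Interface outside (10.10.10.2): Normal (Waiting)
"""

# One data-interface line: "Interface <name> (<ip>): <status> (<monitor>)".
# <status> may contain a space (e.g. "Link Down"), <monitor> may contain a
# hyphen (e.g. "Not-Monitored"), and the parenthesised monitor part is optional.
IFACE_RE = re.compile(
    r"Interface\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\):\s+"
    r"(?P<status>[\w ]+?)\s*(?:\((?P<monitor>[\w-]+)\))?$"
)


def parse_show_failover(text: str) -> Dict[str, List[dict]]:
    """Return {'This host': [...], 'Other host': [...]} with one dict per data
    interface (keys: name, ip, status, monitor) in the order they appear."""
    result: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("This host:", "Other host:")):
            current = stripped.split(":", 1)[0]
            result[current] = []
            continue
        m = IFACE_RE.search(stripped)
        if m and current is not None:
            result[current].append(m.groupdict())
    return result


def interfaces_not_monitored(text: str) -> List[Tuple[str, str, str]]:
    """List (host, interface, monitor-state) for every data interface whose
    monitoring state is anything other than 'Monitored'. 'Waiting' means the
    unit has not yet heard its peer's hello on that segment, which is what the
    thread reports on 'outside' when the two outside interfaces share no L2
    domain."""
    flagged = []
    for host, ifaces in parse_show_failover(text).items():
        for iface in ifaces:
            if iface["monitor"] != "Monitored":
                flagged.append((host, iface["name"], iface["monitor"]))
    return flagged


if __name__ == "__main__":
    for host, name, state in interfaces_not_monitored(SAMPLE_SHOW_FAILOVER):
        print(f"{host}: interface {name} is {state}; check L2 reachability "
              f"to the peer's standby address on that segment")
```

Feed it the real output of `show failover` captured from either unit; an interface that stays in Waiting after the failover poll interval has passed is the one whose segment lacks a Layer 2 path between the two ASAs, which is the case Jouni describes for "outside".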
12-19-2013 12:58 PM
To resolve this issue, instead of introducing new hardware (a ROUTER with a SWITCH MODULE, or an L2 switch between the outside interfaces), please advise whether the solution below would be helpful:
IRB bridging, used on the router interfaces connecting to each other as well as on the router interfaces connecting to the firewalls, together with a BVI, to create both a logical Layer 2 path between the firewalls and routers (Bridge Group) and an escape path from 192.168.1.0/28 towards other Layer 3 domains (BVI interface).
However, I have a few queries from a break/fix perspective, as below:
1) Does the IRB/BVI combo forward whatever Layer 2 packets the ASAs use to speak to each other?
a. i.e. just because the IRB forwards HSRP, doesn't mean it forwards
2) If it works, do we need/bother with the 10.10.20.1/30 routed link, or leave it configured without an IP address and just as a member of the IRB (i.e. it just becomes a “Layer 2 forwarding” interface)?
3) Is there a better way of doing this / is using a “Bridged HSRP Address”