I inherited a network with two Cisco ASA 5540s, one connected to the primary ISP and the other connected to the backup ISP. Each ASA has a connection to three switches on the three remaining interfaces. See the diagram below for more details.
As I found out yesterday when our primary circuit went down, the manual failover procedure that the previous admin implemented does not work. I believe he set it up using OSPF, but I am not that familiar with it and I was not able to get it to work properly. I am looking to resolve this and implement failover in a simpler manner, but I'm not quite a network expert and I don't know where to start. Do I want Active/Active, Active/Standby, or is there another method to set this up?
Our ISPs don't support BGP, which is fine IMO. In the event of a failover, I don't mind having to change DNS records for inbound stuff. I just want a way to be able to easily fail over to the backup ISP. Anyone have any suggestions of where to start with this? Thanks.
I don't know that the OSPF configs mean anything for failover, but the idea of OSPF is that if you lose a router (or firewall if it is running OSPF), you have a good route to any needed destination using the remaining routers.
Failover is designed to make sure you have a good path outside in case you lose a firewall.
If your firewalls are configured such that each traffic-moving interface across both firewalls is on the same subnet, you can use active-standby failover. In my experience, this requires a router to be placed between your firewalls and the ISP router, which would allow your outside interfaces to be placed on the same subnet.
I haven't had a chance to run active-active, but the idea there is more load balancing.
The link below will help with setting up failover.
The way this is most commonly done is by having the two ASAs (assuming single context) in an Active-Standby HA pair. Each ASA has two outside interfaces (they could be subinterfaces on a trunk if your physical interfaces are otherwise spoken for). One of the outside interfaces goes to ISP A and one to ISP B. It is usually best to make those connections via a switch as most ISPs only give you a single physical interface.
You then set a static default route (with tracking option) to ISP A. You set a second static default route (with a higher admin distance) to ISP B. You use them in conjunction with an IP SLA operation that tests reachability of some upstream resource (a remote site, public DNS etc.). If the IP SLA fails, the tracking option in the first default route causes it to be removed and the ASAs start sending all outbound traffic via the second ISP.
Cisco has an old (but still relevant) configuration guide showing this in detail. Link
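The design described in this answer, written out as an added configuration example (not the answerer's or Cisco's own config, and the linked guide should be treated as authoritative). It assumes ASA 8.3+ NAT syntax, interface names `outside` (ISP A) and `backup` (ISP B), a dedicated failover link on Gi0/3, and placeholder addresses from the RFC 5737 documentation ranges; the inside network `10.0.0.0/24` and the SLA target `192.0.2.10` are likewise made up.

```cisco
! Both ASAs in the HA pair share the ISP subnets, so each interface gets a
! standby address. Addresses are placeholders (RFC 5737 documentation ranges).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! Active/Standby failover pair over a dedicated link (assumed on Gi0/3).
! Also set 'failover key <secret>' so the peers authenticate and encrypt
! the failover messages exchanged on this link.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
interface GigabitEthernet0/3
 no shutdown
!
! IP SLA: ICMP echo to an upstream target, pinned to the outside interface
! so the probe keeps testing ISP A even after the default route has moved
! to ISP B (otherwise recovery would never be detected).
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Tracked object follows the SLA result.
track 1 rtr 10 reachability
!
! Primary default route (AD 1) is withdrawn when track 1 goes down; the
! backup default route (AD 254) then becomes the only remaining candidate.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT behind whichever outside interface the traffic actually leaves on.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
nat (inside,backup) source dynamic inside-net interface
```

Check the result with `show track 1`, `show route`, and `show failover`; note that this only moves outbound traffic, so inbound services still need the DNS change mentioned in the question.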