Re: Problem with asymmetric routing (ASA Active/Active failover)

chidd · ‎09-25-2007

Hi all !

My system include:

- 02 ASA 5540 devices

- 02 Switch 6504E

- 02 Router connect to 02 ISPs (with BGP Routing)

- 02 F5 (loadBalancing) devices

Connecion between devices as following:

02 ISP <-- 02 Router Internet <--- 02 F5 Devices <--- 02 ASA Firewal <--- 02 Switch <--- LAN .(All connections is full mesh)

I configure Active/Active Failover on ASA5540, GLBP on Switch. The system is working normally.

When an ASA is fail (power down), the standby context in other ASA become Active.

However, Routing have problem when traffic initiate from Admin Context, and return to Ctx1 Context. Ctx1 will drop the packet. Cisco have a solution to solve this problem by using Asymmetric Routing (asr-group).

However, I try using Asymmetric Routing on Ouside Interface but it doesn't work.

I confuse about the mechanism of Asymmetric Routing on ASA Devices.

My question are:

- Can Asymmetric Routing work on one ASA devices with two Active context ? (Because I saw in document that Asymmetric Routing work by check asr-group id. Stateful Failover replicated the session information from ASA-01 to ASA 02). Does it mean that at least two ASA must be work ???

The following is my configuration:

System:

interface Management0/0

description LAN/STATE Failover Interface

!

failover

failover lan unit primary

failover lan interface folink Management0/0

failover key *****

failover replication http

failover link folink Management0/0

failover interface ip folink 10.32.254.1 255.255.255.0 standby 10.32.254.2

failover group 1

preempt

failover group 2

<--- More --->

secondary

preempt

asdm image disk0:/asdm-522.bin

admin-context admin

Admin Context:

hostname HAN-ASA5520-03

domain-name default.domain.invalid

enable password 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description **** Connect to Outside ****

nameif outside

security-level 0

ip address xxx standby xxx

asr-group 1

!

interface GigabitEthernet0/2

description **** Connect to Inside - C6504E-G3/1 ****

nameif inside

security-level 100

ip address xxx standby xxx

!

interface GigabitEthernet1/0

description *** Connect to Ext. App. Ser ****

nameif ExtServer

security-level 80

ip address xxx standby xxx

!

interface GigabitEthernet1/2

description **** Connect to DMZ Area ****

nameif DMZ

security-level 50

ip address xxx standby xxx

!

Ctx1 Context:

show run

: Saved

:

ASA Version 7.2(2) <context>

!

hostname ct1

domain-name default.domain.invalid

enable password 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/1

description **** Connect to Outside R2811 G0/0 ****

nameif outside

security-level 0

ip address xxx standby xxx

asr-group 1

!

interface GigabitEthernet0/3

description **** Connect to Inside - C6504-G3/1 ****

nameif inside

security-level 100

ip address xxx standby xxx

!

interface GigabitEthernet1/1

description **** Connect to Ext. App. Server ****

nameif ExtServer

security-level 80

ip address xxxx standby xxxx

!

interface GigabitEthernet1/3

description **** Connect to DMZ Area ****

nameif DMZ

security-level 50

ip address xxxx standby xxxx

Thanks

Chidd

didyap · ‎10-01-2007

The asr-group command causes incoming packets to be re-classified with the interface of the same Asymmetric Routing Group (asr-group), if a flow with the incoming interface cannot be found. If re-classification finds a flow with another interface, and the associated context is in standby state, the packet is forwarded to the active unit for processing.