09-25-2007 02:33 AM - edited 03-11-2019 04:16 AM
Hi all!
My system includes:
- 02 ASA 5540 devices
- 02 Switch 6504E
- 02 Routers connecting to 02 ISPs (with BGP routing)
- 02 F5 (load balancing) devices
Connections between devices are as follows:
02 ISPs <--- 02 Internet Routers <--- 02 F5 Devices <--- 02 ASA Firewalls <--- 02 Switches <--- LAN. (All connections are full mesh)
I configure Active/Active Failover on the ASA 5540s and GLBP on the switches. The system is working normally.
When an ASA fails (power down), the standby context on the other ASA becomes Active.
However, routing has a problem when traffic is initiated from the Admin context and returns to the Ctx1 context. Ctx1 will drop the packet. Cisco has a solution to this problem using Asymmetric Routing (asr-group).
However, when I try using Asymmetric Routing on the Outside interface it doesn't work.
I am confused about the mechanism of Asymmetric Routing on ASA devices.
My questions are:
- Can Asymmetric Routing work on one ASA device with two Active contexts? (Because I saw in the documentation that Asymmetric Routing works by checking the asr-group id. Stateful Failover replicates the session information from ASA-01 to ASA-02.) Does it mean that at least two ASAs must be working?
The following is my configuration:
System:
interface Management0/0
description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink Management0/0
failover key *****
failover replication http
failover link folink Management0/0
failover interface ip folink 10.32.254.1 255.255.255.0 standby 10.32.254.2
failover group 1
preempt
failover group 2
secondary
preempt
asdm image disk0:/asdm-522.bin
admin-context admin
Admin Context:
hostname HAN-ASA5520-03
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description **** Connect to Outside ****
nameif outside
security-level 0
ip address xxx standby xxx
asr-group 1
!
interface GigabitEthernet0/2
description **** Connect to Inside - C6504E-G3/1 ****
nameif inside
security-level 100
ip address xxx standby xxx
!
interface GigabitEthernet1/0
description *** Connect to Ext. App. Ser ****
nameif ExtServer
security-level 80
ip address xxx standby xxx
!
interface GigabitEthernet1/2
description **** Connect to DMZ Area ****
nameif DMZ
security-level 50
ip address xxx standby xxx
!
Ctx1 Context:
show run
: Saved
:
ASA Version 7.2(2) <context>
!
hostname ct1
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/1
description **** Connect to Outside R2811 G0/0 ****
nameif outside
security-level 0
ip address xxx standby xxx
asr-group 1
!
interface GigabitEthernet0/3
description **** Connect to Inside - C6504-G3/1 ****
nameif inside
security-level 100
ip address xxx standby xxx
!
interface GigabitEthernet1/1
description **** Connect to Ext. App. Server ****
nameif ExtServer
security-level 80
ip address xxxx standby xxxx
!
interface GigabitEthernet1/3
description **** Connect to DMZ Area ****
nameif DMZ
security-level 50
ip address xxxx standby xxxx
Thanks
Chidd
10-01-2007 08:23 AM
The asr-group command causes incoming packets to be re-classified with the interface of the same Asymmetric Routing Group (asr-group), if a flow with the incoming interface cannot be found. If re-classification finds a flow with another interface, and the associated context is in standby state, the packet is forwarded to the active unit for processing.
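As an added illustration of the re-classification described in the reply (my own simulation, not ASA code, and not a statement about ASA internals): two failover units, the Admin and Ctx1 contexts each active on one of them, a session opened through Admin's outside interface, and the return packet arriving on Ctx1's outside interface of the other unit. The context/interface names follow the thread; the addresses and the rule "owning context is standby on this unit, so redirect to the peer" are assumptions drawn from the reply.

```python
# Constructed simulation of asr-group re-classification (assumed model, not ASA internals).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":          # the 5-tuple of the return packet
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)
@dataclass(frozen=True)
class Iface:
    context: str
    name: str
    asr_group: Optional[int] = None     # the interface's "asr-group N" setting

class Unit:
    """One failover unit hosting all contexts; the session table is replicated by stateful failover."""
    def __init__(self, name: str, state: Dict[str, str], ifaces: List[Iface],
                 sessions: Dict[Tuple[str, str], Set[Flow]]):
        self.name, self.state, self.ifaces, self.sessions = name, state, ifaces, sessions
    def has_flow(self, iface: Iface, flow: Flow) -> bool:
        table = self.sessions.get((iface.context, iface.name), set())
        return flow in table or flow.reverse() in table

    def classify(self, iface: Iface, flow: Flow, peer: "Unit") -> Tuple[str, Optional[str]]:
        if self.has_flow(iface, flow):                      # normal lookup on the incoming interface
            return ("local", iface.context)
        if iface.asr_group is not None:                     # no flow: try the rest of the asr-group
            for other in self.ifaces:
                if other != iface and other.asr_group == iface.asr_group and self.has_flow(other, flow):
                    if self.state[other.context] == "active":
                        return ("local", other.context)    # owning context is active on this unit
                    return ("redirect", peer.name)         # owning context is standby here: forward to peer
        return ("drop", None)                               # no matching flow anywhere: dropped

def return_packet_on_ctx1(use_asr_group: bool) -> Tuple[str, Optional[str]]:
    """Session opened via the Admin context; its reply arrives on Ctx1's outside interface of ASA-02."""
    g = 1 if use_asr_group else None
    admin_out, ctx1_out = Iface("admin", "outside", g), Iface("ctx1", "outside", g)
    flow = Flow("10.32.1.10", 40000, "203.0.113.5", 443)          # constructed sample addresses
    sessions = {("admin", "outside"): {flow}}                      # replicated to both units
    asa01 = Unit("ASA-01", {"admin": "active", "ctx1": "standby"}, [admin_out, ctx1_out], sessions)
    asa02 = Unit("ASA-02", {"admin": "standby", "ctx1": "active"}, [admin_out, ctx1_out], sessions)
    return asa02.classify(ctx1_out, flow.reverse(), peer=asa01)
```

Without the asr-group the return packet is dropped on Ctx1; with both outside interfaces in asr-group 1 the lookup finds Admin's session and, since Admin is standby on that unit, hands the packet to the unit where Admin is active.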