Currently I am doing a migration for a customer; I am deploying/modifying two ASAs in parallel (for simplicity: the two ASAs have the same VLANs for the inside and outside interfaces, respectively). The inside interfaces are connected to two 6513 core switches (configured for EIGRP). The outside interfaces link to the edge router, an ASR1002.
Question: in most situations, two ASAs are doing active/standby failover. Now, because my customer's network has a /16 block of public addresses, I am going to use EIGRP routing for both ASAs, in which case there will be load balancing (equal cost). Is there any possibility of packet dropping for return traffic? Say: return traffic will be dropped on one ASA because the outgoing traffic left through the other ASA, so the stateful connection table is not properly built (built on one ASA but not on the other?).
Yes, and this actually happens all the time;
the best way to prevent it is as follows:
- Configure the ASAs for active/standby failover
- The active ASA will OWN the connection in the state table and always receive all return traffic (in your case from the ASR)
- Make sure the second ASA is doing nothing while the ACTIVE one is working
Otherwise, if you run both firewalls independently and expect EIGRP to sort it out, you will have issues such as "ack set, not part of existing connection" etc.
Thanks for the quick reply!
I had some concerns about this "dynamic failover" deployment, so I rented a security rack (Internetworkexpert security rack) to simulate my situation. I verified my deployment by pinging from the inside to the outside network, and there was no packet loss!
In principle, with the two ASAs deployed like this (inside interfaces in the same subnet, outside interfaces in the same subnet), both will have the same EIGRP config. The connected core switches will also have two equal-cost routes to the ASAs.
In this case, any traffic from inside to outside will be passing through both ASAs (two equal routes), so the stateful connection table will be built on both ASAs.
If this is correct, then there should be no return traffic drop. Is this reasonable?
"I verified my deployment by pinging from the inside to the outside network, and there was no packet loss!"
Depends how you did this. If you used ICMP inspection then okay, but if you simply used an ACL on the outside interface allowing ICMP traffic back in then it's not a valid test, because you are not checking against the state table.
"In this case, any traffic from inside to outside will be passing through both ASAs (two equal routes), so the stateful connection table will be built on both ASAs."
You will need to do per-destination equal-cost load-balancing, and then the traffic will not pass through both ASAs. Equal-cost load-balancing means one path is selected and then the next time the other path is selected, so you will not build the state table on both ASAs. If you use per-packet load-balancing that is even worse, as even on the inside interface the ASAs will only see part of the communication.
If you are NATting all source IPs to the outside interface of your ASA then you could run them independently, because the traffic would always be returned to the same ASA that it went out on.
If you're not NATting in that way you only have the solution that Joe referenced.
Out of interest, is there any reason you want to deploy them individually rather than in active/standby mode?
So, even if I use "per-destination equal-cost load-balancing", and nat-control (no NAT translation) is disabled, this will not work either?
I know active/standby is widely deployed and verified. I just want to verify whether both ASAs can be active if they are deployed in parallel.
Think of it like this -
You can have
1) active/standby - fairly obvious how this works
2) active/active - both firewalls are active but not for the same context. So per context even active/active is actually active/standby
3) 2 ASA firewalls not doing any sort of failover between them, i.e. the 2 firewalls do not communicate their state to each other
I am assuming you are asking about 3? As I say, this could be done if
1) you used per-destination load-balancing
2) you NATted all source IP addresses going through the ASA(s) to the outside interface of the ASA. Because the traffic is now seen as coming from a particular ASA on the outside, the return traffic will always go back to the correct ASA.
But note that with option 3, if a firewall is lost all existing connections going through it are lost as well. With active/standby, if you are running stateful failover then the connections should not be lost.
Pretty clear answer!
Just want to clarify exactly how this works for two independent ASAs in parallel:
1) Two ASAs' inside interfaces in the same subnet, both connected to the core switches;
2) Outside interfaces in the same subnet, both linked to the ASR edge router;
3) EIGRP configured on the core switches, ASAs, and ASR;
4) Two ASAs are independent (single context, routed firewall).
How do you enable per-destination equal-cost load-balancing while the return traffic is not dropped?
Any real deployment case you have ever seen before?
"Any real deployment case you have ever seen before?"
Not really, because in your situation most people would run active/standby between the 2 firewalls. You will need to test this setup because in theory it should work, but you may find some applications you want to run just don't work. In theory this is how you would do it:
EIGRP on the inside. By default CEF will use per-destination load-balancing, so you should just need 2 equal-cost paths to the same destination.
outside interface = 126.96.36.199
outside interface = 188.8.131.52
inside interface = 184.108.40.206
On each ASA -
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
The above will NAT all source addresses on the inside to the outside address of the relevant ASA.
So a client connecting to the Internet and routed via ASA1 will appear to have a source address of 220.127.116.11 to the ASR. So when the return traffic comes back, the destination address is now the outside address of ASA1 and the traffic will be sent to ASA1.
Same logic for ASA2.
Note that there will not necessarily be an even distribution across the links, i.e. all Google traffic would go via the same ASA.
As I say, I have never done this and I wouldn't like to guarantee it will work without testing. HTTP connections can involve multiple different connections within them, so you may see some unexpected results.
If you are getting problems you could either
1) Use PBR on the inside switches and the ASR - this wouldn't necessarily need NAT if the internal addressing is routable on the Internet. You would need to split your internal network into 2 summarisable ranges.
2) Go with the proven active/standby solution.
It's like a class presentation!
I guess it will work and I will test it, one exception:
If the ASA inside IP addresses are public, and there is no NAT translation (PAT) on ASAs, then probably the ASR Edge router will send the return traffic to a wrong ASA, and possibly some return traffic will be dropped.
"If the ASA inside IP addresses are public, and there is no NAT translation (PAT) on ASAs, then probably the ASR Edge router will send the return traffic to a wrong ASA, and possibly some return traffic will be dropped."
Yes, if you are not NATting to the outside interface then return traffic could go to either ASA.
If you don't want to NAT and you don't want to use active/standby, your best bet is PBR (Policy Based Routing).
You would need to split the internal addresses into 2 separate ranges and send one range to the first ASA and the second range to the second ASA. You would also need PBR on the ASR for the return traffic.
Edit - actually you wouldn't necessarily need PBR on the ASR, you could just use static routes pointing the first range to ASA1 and the second range to ASA2.
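To make the mechanics discussed in the last few posts concrete (per-destination load-balancing on the inside, PAT to the ASA outside address pinning the return path, and the drop on the "wrong" ASA when there is no NAT), here is an added Python model; it is not from the thread. The addresses, the two-path hash and the per-router seeds are constructed stand-ins, not real CEF behaviour.

```python
"""Toy model: two independent ASAs behind per-destination (hash based) equal-cost paths.
All addresses, the hash function and the router seeds are constructed for this example."""


def path_index(seed, src, dst):
    # Toy stand-in for a per-destination CEF hash: a router-specific seed is mixed with the
    # source/destination addresses (last octet only, to keep it readable) and one of the two
    # equal-cost paths is chosen. The property that matters is that the core switch and the
    # ASR do not agree on which path a given flow belongs to.
    s, d = int(src.rsplit(".", 1)[1]), int(dst.rsplit(".", 1)[1])
    return ((s * 7) ^ (d * 13) ^ seed) >> 1 & 1


class Asa:
    def __init__(self, name, outside_ip):
        self.name, self.outside_ip, self.conns = name, outside_ip, set()

    def outbound(self, src, dst, pat):
        # Build the state-table entry; with PAT the source becomes the outside interface address.
        seen_src = self.outside_ip if pat else src
        self.conns.add((seen_src, dst))
        return seen_src

    def inbound(self, src, dst):
        # Return traffic must match an existing entry, otherwise the ASA drops it
        # (the "not part of existing connection" behaviour described above).
        return (dst, src) in self.conns


def simulate(flows, pat):
    asas = [Asa("ASA1", "192.0.2.1"), Asa("ASA2", "192.0.2.2")]
    core_seed, asr_seed = 0, 5  # constructed: each router salts its hash differently
    dropped = []
    for client, server in flows:
        out = asas[path_index(core_seed, client, server)]  # core switch picks a path
        seen_src = out.outbound(client, server, pat)
        # The ASR forwards the reply toward seen_src. With PAT that is an ASA's own outside
        # address, so it lands on that ASA; without PAT the ASR load-balances again.
        if pat:
            back = next(a for a in asas if a.outside_ip == seen_src)
        else:
            back = asas[path_index(asr_seed, server, seen_src)]
        if not back.inbound(server, seen_src):
            dropped.append((client, server, out.name, back.name))
    return dropped


# Constructed flows: public inside hosts (TEST-NET-3) talking to Internet servers (TEST-NET-2).
FLOWS = [("203.0.113.10", "198.51.100.20"),
         ("203.0.113.11", "198.51.100.20"),
         ("203.0.113.12", "198.51.100.21")]

if __name__ == "__main__":
    print("no NAT, dropped:", simulate(FLOWS, pat=False))
    print("PAT,    dropped:", simulate(FLOWS, pat=True))
```

Each dropped tuple names the ASA the flow left through and the ASA the reply arrived at; with PAT the two are always the same ASA.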
Great discussion and advice!
I know PBR on the core switches and static routes on the ASR edge router (may also need statics on the ASAs) would work, but I hate to configure a list of static routes/PBR and do redistribution. Also this may add complications in the next step of the network deployment: another ASR1002 will be added as an edge router and each ASR will be EBGP peering with an ISP.
The reason I came up with this "dynamic failover" was that the customer was curious whether both ASAs (actually two FWSMs) can be active. So I came up with this proposal and want to verify it.
To deploy/migrate in a production network, cautiousness is always a good thing, and sometimes an odd idea may not work but it improves understanding, although I know that active/standby failover is a Cisco proven solution, and the throughput of an FWSM or ASA is enough for Internet traffic (the bottleneck is the Internet link).
Thanks again for the discussion and advice.
I'm currently working on a step up to leverage both firewalls, active/active. Basically we have two external routers to the provider, two ASAs behind them and finally a 6500 connected to both ASA devices. We created two contexts, admin1 and admin2. Admin1 is active on the primary FW and admin2 active on the secondary FW. This step causes asymmetrical routing for sure; to overcome the issue we used the asr-group feature on the firewalls. This allows the firewalls to exchange initial packets rather than dropping them.
In active/standby I don't see the issue of traffic going to the wrong firewall, but in active/active sharing the same outside interface you might face the problem, and asr-group is your friend.
If you need additional information, feel free to ask on/off line.