Cisco Support Community

Web server to be redundant

Hi All,

I have a scenario where I need to make the web server highly available if one internet link is down. The traffic should be diverted to the second internet link. I have already spoken to my ISP to add one more public IP to the already available host entry. I have attached a jpg for basic understanding. Is there a way this can be accomplished?

Regards

Faiz

7 REPLIES

Web server to be redundant

Hello Mohammed,

What you could do is to use SLA monitoring, whether you have an Active/Standby cluster or just one box (with 2 ISP link interfaces).

Here is the configuration link for SLA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

This is what you need to follow to make it happen.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
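To make the suggestion above concrete, here is an added example of the single-ASA, two-ISP-interface arrangement with SLA tracking that the linked Cisco document describes. It is not Julio's or Cisco's text and not configuration from the original post. Interface names, object names, SLA and track IDs are assumptions, and the addresses are RFC 5737 documentation ranges rather than the thread's 10.10.10.x / 20.20.20.x placeholders.

```cisco
! Added example: ASA 8.4+/9.x dual-ISP backup with SLA tracking.
! Interface names, object names, IDs and all addresses (RFC 5737
! documentation ranges) are assumptions, not values from the thread.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Probe something beyond the ISP1 next hop: the directly connected
! gateway may keep answering even when ISP1 has lost its upstream.
! The "interface outside" keyword pins the probe to the primary link,
! so it keeps testing ISP1 even while the backup route is active.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! The primary default route stays installed only while track 1 is up;
! the backup route (higher administrative distance) takes over when
! the probe fails and is withdrawn again when the probe recovers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! One static NAT for the web server per ISP link.
object network WEB-ISP1
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.10
object network WEB-ISP2
 host 192.168.10.10
 nat (inside,backup) static 198.51.100.10
!
! Expose only HTTP/HTTPS. On ASA 8.3+ the ACL references the real
! (inside) address, and each outside-facing interface needs its own ACL.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 object-group WEB-PORTS
access-list BACKUP_IN extended permit tcp any host 192.168.10.10 object-group WEB-PORTS
access-group OUTSIDE_IN in interface outside
access-group BACKUP_IN in interface backup
```

This handles the link failover itself: outbound traffic and the ASA's own reachability flip to ISP2 when ISP1's probe fails. It does nothing about how internet clients learn which address to use, which is the problem discussed later in the thread; a client that has resolved the name to the ISP1 address keeps trying it until its DNS cache expires, whatever the ASA does.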

Web server to be redundant

Hi Julio,

Thanks for the reply, man. I thought about the solution you mentioned, but can it be done as I asked initially, by keeping 2 ASAs separate?

Regards

Faiz


Web server to be redundant

Faiz

Does the second ASA even have a connection to the server subnet? It is not shown in your diagram.

Are the ISP connections to two different ISPs ? 

If so, the issue is inbound traffic. If you use two different public IPs for the same server you would have to publish those IPs into DNS. DNS would then round robin between them, which is not what you want. Even if you did accept that, if the link to ISP1 fails then DNS has no way of knowing that address is no longer available and so continues to use it as well as the other one.

What you really need is to be able to advertise the same public IP to both ISPs but the ISP who does not own this block might not want to do that. But that still doesn't solve your problem because even if they did both links are then used which is not what you want.

If you peered with the ISP using BGP you could influence which route to take and make the primary connection preferred unless it went down but looking at your diagram i don't think you are using BGP.

So i'm not sure the issue is so much with the ASAs as the addressing and ISPs together with the route you want traffic to take ie. primary if it is up and secondary if it is not.

So can you clarify -

1) are they two different ISPs

2) are you using BGP to peer with them

3) will the second ISP agree to advertising the first ISP's addresses.

I am assuming that your addressing is not provider independent.

Jon

Web server to be redundant

Hi Jon,

The second ASA does not have the server subnet yet; I thought of that and have it in my plan to add.

The ISPs are different and are connected to separate ASAs.

1) Yes, 2 different ISPs

2) No BGP

3) Yes, I have already spoken to the Admin of ISP-2

Please let me know if you need anything else.

Regards

Faiz


Re: Web server to be redundant

Faiz

If you are using two different IPs then you have the DNS issue I outlined in my previous post. It's not clear what ISP2 has agreed to, i.e. are the two addresses from the same ISP (ISP1), or are you saying that the original IP (10.10.10.1) will be advertised out of ISP2?

ISPs generally don't advertise host routes. Apologies for more questions, but just to clarify -

1) which ISP owns 10.10.10.x addressing

2) which ISP owns 20.20.20.x addressing

3) what exactly has ISP2 agreed to

If ISP2 has agreed to advertise the 10.10.10.x addressing then because your ASAs are separate you could actually just use the 10.10.10.x address and have NAT statements on both ASAs for the same translation as they don't see each other. But the links would still both be used unless you can use BGP to prefer the primary link for that IP.

Additionally the web server would only have one default gateway so with the second ASA you would have to NAT all incoming source IPs to another IP (or subnet) and then have a route on the web server to send the traffic back to the second ASA.

But can you answer the above questions first.

Jon

Web server to be redundant

Hi Jon,

1) ISP-1 owns 10.10.10.x

2) ISP-2 owns 20.20.20.x

3) ISP-2 has agreed to add in their dns entry the public IP of the server which is 10.10.10.10

I was really thinking hard about whether this scenario is really sensible, or whether it is really achievable.

Regards

Faiz


Re: Web server to be redundant

Faiz

ISP2 would have to advertise out the 10.10.10.x addressing for this to work, and even then it wouldn't do as you wanted.

You want to only use the ISP2 address if the ISP1 link fails. The problems with this, just to clarify, are -

1) Two DNS entries means that each link would be used at the same time. If one of the links fails, DNS has no way of knowing this, so it still hands out the failed address to DNS queries from internet clients. So half the connections would fail.

2) If you could get ISP2 to advertise your 10.10.10.x addressing you could use the same IP on both ASA devices and only have one DNS entry for the web server. Even then both links could be used.

The only way to make this work as you want really is to have ISP2 agree to advertise out ISP1's address range. You would also need ISP1 to advertise that specific subnet rather than include it in a summarised range, which is what ISPs do when they advertise further upstream. You then use BGP to advertise 10.10.10.x to both ISPs, but you modify the attributes of the route advertised to ISP2 so that ISP1 is preferred unless the ISP1 link fails, and then the route via ISP2 will be used.

Note, if ISP2 did advertise out the 10.10.10.x range but ISP1 only advertised a summary address which included that range, then all traffic would only use the ISP2 link, which is definitely not what you want.

And that is quite a lot of extra configuration etc. even if you could get the ISPs to agree to it and if you could setup BGP.

So I don't think this is practically possible for you.

I will have a reread of this and see if there is another approach and perhaps others on this forum can suggest other ways of doing this.

Jon
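The BGP arrangement Jon describes (announce the same prefix to both ISPs, make ISP1 preferred, fall back to ISP2 only when ISP1 is gone) looks like the following on a Cisco IOS router sitting in front of the firewalls. This is an added example, not from the thread; the ASN values are RFC 5398 documentation ASNs, the prefix and next hops are RFC 5737 documentation addresses, and the route-map, prefix-list and password names are assumptions. Older ASA software does not speak BGP (it was added in 9.2(1)), which is why the peering is shown on a router.

```cisco
! Added example: dual-homed eBGP with ISP1 preferred and ISP2 as backup.
! ASNs (RFC 5398), addresses (RFC 5737) and policy names are assumptions.
!
! Keep our prefix in the routing table so the network statement always
! originates it, independent of the state of the interfaces behind it.
ip route 203.0.113.0 255.255.255.0 Null0 250
!
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Outbound to ISP1: announce only our own prefix, unmodified.
route-map TO-ISP1 permit 10
 match ip address prefix-list OUR-PREFIX
!
! Outbound to ISP2: same prefix, but with our ASN prepended, so the
! rest of the Internet sees a longer AS path via ISP2 and prefers ISP1
! for as long as ISP1 is still announcing us.
route-map TO-ISP2 permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 64496 64496 64496
!
! Inbound: accept only a default route from each ISP, and lower the
! local preference of ISP2's default (default is 100) so our own
! outbound traffic also uses ISP1 unless that session drops.
route-map FROM-ISP1 permit 10
 match ip address prefix-list DEFAULT-ONLY
route-map FROM-ISP2 permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 50
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 !
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description ISP1
 neighbor 192.0.2.1 password ISP1-SHARED-SECRET
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 route-map FROM-ISP1 in
 neighbor 192.0.2.1 route-map TO-ISP1 out
 !
 neighbor 198.51.100.1 remote-as 64498
 neighbor 198.51.100.1 description ISP2
 neighbor 198.51.100.1 password ISP2-SHARED-SECRET
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 route-map FROM-ISP2 in
 neighbor 198.51.100.1 route-map TO-ISP2 out
```

Two practitioner notes. The outbound prefix-list is not optional: without it the router would readvertise ISP1's routes to ISP2 and vice versa and turn the site into a transit path, which is the classic dual-homing accident. And the prepend only works under the conditions Jon lists: both ISPs must announce the specific prefix, and in practice that prefix must be a /24 or shorter, since most transit networks will not accept anything longer, so a single host address or a small slice of provider space cannot be made to fail over this way.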
