We have a few servers colocated at a hosting facility, behind a pair of ASA 5510s. The facility has advised us that we will be moved from a switched to a routed port, and we need to install our own switches between their new routers and our ASAs. The switches are to allow HSRP broadcasts between their redundant routers.
Our ASAs are an active/standby pair. We're worried that by adding the new switches we'll introduce more points of failure than we'll remove. What's the optimal configuration in this setup? We have nothing fancy behind the ASAs, only a pair of switches and a few servers, all on a single subnet.
Just to clarify - when you say you are going to a routed connection, I assume you mean on the outside interfaces of the routers? I'm assuming this because you mention HSRP running between the firewall-facing interfaces on the routers. So in effect the internal interfaces of the routers and the outside interfaces of the firewalls share a common VLAN/subnet.
If the above assumption is correct, then a further assumption is that the new switches are interconnected via an L2 link, either a trunk or, more likely, an access port config with the ports in the shared VLAN.
If all the above is true, then the standard setup is to connect firewall1 to switch1 and firewall2 to switch2. This will not introduce a single point of failure because -
1) If switch1 dies, then firewall1 (active) will fail over to firewall2, and firewall2 has a path via switch2 to the routers.
2) If the switchport that connects to firewall1 dies, then firewall1 should fail over to firewall2.
3) If firewall1 dies, then firewall2 becomes active.
4) If the outside interface on firewall1 dies, then again firewall2 becomes active.
Note that 1, 2 & 4 assume you are monitoring the outside interface on your firewalls for failure.
Edit - Obviously the default route on the ASA firewalls will point to the HSRP VIP on the routers, and the routers should use the VIP for the outside interface on the ASAs.
Edit2 - Sorry, I've been away from CSC a while so I'm getting a bit rusty. Obviously the internal interfaces of the routers will also be routed connections, which is fine. What I said still stands, i.e. they are running HSRP between themselves and they share a common VLAN with the outside interfaces of the firewalls.
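As an added example (not any poster's config), here is what the standard setup described in that answer looks like on the ASA side: an active/standby pair with LAN-based failover, explicit monitoring of the outside interface so that cases 1, 2 and 4 trigger a failover, and the default route pointed at the HSRP VIP rather than at either router's own address. All addresses (203.0.113.0/29 is a documentation range), interface names and the failover key are assumptions for illustration.

```cisco
! Added example, not a poster's config. Assumed addressing: routers 203.0.113.1
! and .2, HSRP VIP .3, ASA outside .4 (active unit) and .5 (standby unit),
! inside LAN 192.168.10.0/24.
!
! --- Primary ASA (asa1) ---
hostname asa1
interface Ethernet0/0
 description Outside - to switch1, shared VLAN with the routers
 nameif outside
 security-level 0
 ip address 203.0.113.4 255.255.255.248 standby 203.0.113.5
 no shutdown
interface Ethernet0/1
 description Inside - to internal switch1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
 no shutdown
interface Ethernet0/2
 description Dedicated failover + stateful link (crossover to asa2 Ethernet0/2)
 no shutdown
!
! The failover link carries the replicated config (including credentials), so
! set a key; without one the failover messages are cleartext.
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/2
failover key FOLINK-KEY-ASSUMED
failover link FOLINK Ethernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Faster interface health checks than the 5 s poll / 25 s hold defaults
! (holdtime must be at least 5x the polltime).
failover polltime interface 1 holdtime 5
! Physical interfaces are monitored by default; stated explicitly because
! cases 1, 2 and 4 above depend on the outside interface being monitored.
monitor-interface outside
monitor-interface inside
!
! Default route to the HSRP VIP, never to a single router's own address.
route outside 0.0.0.0 0.0.0.0 203.0.113.3 1
!
! --- Secondary ASA (asa2) --- only the failover bootstrap is entered here;
! the rest of the config replicates from the primary over the failover link.
failover
failover lan unit secondary
failover lan interface FOLINK Ethernet0/2
failover key FOLINK-KEY-ASSUMED
failover link FOLINK Ethernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
```

Verify with `show failover` (both units should show the peer as Standby Ready) and `show monitor-interface`; an interface stuck in Waiting means the unit is not seeing the peer's hellos on that VLAN, which is exactly the condition the shared outside VLAN across the two new switches has to provide.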
Your assumptions are in line with my understanding. One thing that concerns me is that the failover detection schemes (HSRP & ASA) are not aware of one another. If the interconnect between the two switches fails, couldn't we end up with router2 and firewall1 active but invisible to each other?
Is there a way to test for this scenario, without throwing more hardware in?
We're looking at putting a pair of WS-C2950G-12-EI in for the new switches. I'll set up an access port config with EtherChannel connecting the two, unless you think there's a better option.
I'm working on a similar setup. Does anyone have a diagram of this? Trying to better understand the relationship of how two L3 switches would behave behind an ASA Active/Standby pair.
Yes, this can happen. Alternatives -
1) As Steve says, run object tracking/IP SLA on both routers and ASAs.
2) Use 2 interfaces per router, connect to both switches, and bridge between the interfaces on each router so you have 2 interfaces with the same IP.
Basically any 2 switches running HSRP that lose their interconnect can cause problems, i.e. paths lost/both switches go active. Obviously using EtherChannel helps against this, so I would recommend EtherChannel. It is unlikely, but not impossible, that all the ports in the EtherChannel could go down without the switch going down, but I have yet to see this happen compared to device failure or single switchport failure.
In the end you have to decide exactly how much money you want to throw at this to cover a very unlikely scenario.
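As an added example (not any poster's config), here is alternative 1 on the router side, plus the EtherChannel interconnect recommended above: each router probes the active ASA's outside address with IP SLA and decrements its HSRP priority when the probe fails, so the VIP moves to the router that can still reach the firewall when the switch interconnect is lost. The ASA lines show the one thing the firewall needs in order to answer those probes while still restricting ICMP to its interface. Addressing continues the assumptions of the ASA example (routers 203.0.113.1/.2, VIP .3, active ASA .4); interface names, VLAN 10, the HSRP key and the port numbers are likewise assumed.

```cisco
! Added example, not a poster's config. Same assumed addressing as the ASA
! example: routers 203.0.113.1/.2, HSRP VIP .3, active ASA outside .4.
!
! --- Router1 (router2 is identical except ip address 203.0.113.2 and
! standby priority 100) ---
! Probe the ASA's address itself. Tracking "ip route 203.0.113.0/29
! reachability" would not help here: the connected /29 stays in the RIB
! whenever the router's own interface is up, whatever the state of the ASA.
ip sla 10
 icmp-echo 203.0.113.4 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
! Older IOS uses "ip sla monitor 10" / "type echo protocol ipIcmpEcho
! 203.0.113.4" and "track 10 rtr 10 reachability" instead.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/1
 description To colo switch1 - shared VLAN with ASA outside
 ip address 203.0.113.1 255.255.255.248
 standby 1 ip 203.0.113.3
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers msec 250 msec 750
 ! Authenticate hellos so a rogue host on the shared VLAN cannot claim the VIP.
 standby 1 authentication md5 key-string HSRP-KEY-ASSUMED
 ! Drop below router2's 100 when the ASA stops answering, so the VIP moves.
 standby 1 track 10 decrement 20
!
! --- ASA: by default it answers any ICMP sent to its interfaces; once an
! "icmp" rule exists, unmatched ICMP to the interface is dropped. Allow the
! routers' echo probes and unreachables (needed for path MTU discovery of
! the ASA's own traffic), deny the rest. ---
icmp permit 203.0.113.0 255.255.255.248 echo outside
icmp permit any unreachable outside
icmp deny any outside
!
! --- switch1 and switch2 (WS-C2950G-12-EI): two-port EtherChannel as the
! interconnect, all ports as access ports in the shared VLAN 10. ---
vlan 10
 name colo-outside
interface range FastEthernet0/11 - 12
 description EtherChannel interconnect to the other switch
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
interface Port-channel1
 switchport mode access
 switchport access vlan 10
```

Check the tracking with `show track 10` and `show standby brief` on each router: pulling the cable between switch1 and the active ASA should take router1's priority to 90 and move the VIP to router2 within the HSRP hold time plus the track's down delay. On the switches, `show etherchannel summary` should list Po1 as `(SU)`; a single-member failure leaves the bundle up, which is the point of using it for the interconnect.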
Thanks guys. I found SLA tracking in the ASA manual but I could only find a way to connect it to the 'route' command, not any of the failover commands.
If that's the case I think we're still OK as long as we can do object tracking from the routers, where it can be configured to change the hot standby priority.
Only remaining concern is how 'track ip route reachability' applies when the tracking routers & ASA are already on the same subnet. Can the command be pointed to the specific VIP (not subnet) of the firewall? Or do we point it to the 'usable IP space' subnet allotted to us by the hosting facility? And does anything need to be opened up on the ASA to respond to such monitoring?
I'm hoping to get some more info from this thread.
I am working on this exact setup currently as Jon described, but I am running into a few issues.
I can get the HSRP members to fail over correctly when a link to the ASA is broken, but when the HSRP member comes back online and is configured to preempt, the ASAs will not flip back over. So without each ASA connected to each HSRP member this becomes an issue when the HSRP primary comes back online.
Also, even though an HSRP member is in Standby, I can still ping its SVI, so this creates a problem as well for the ASA IP SLA configuration.
Well, just get rid of preempt on the HSRP members, and that solves the problem of the ASAs not flipping back when the HSRP member comes back online.
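As an added example (not any poster's config), here is the ASA-side SLA tracking that the thread notes can only be attached to the `route` command, together with the HSRP change from the last reply. The probe targets the HSRP VIP rather than a member's own SVI address: a standby HSRP member still answers pings to its own address (the behaviour reported above), but only the active member answers for the VIP, so the VIP is the address that actually reflects which router is forwarding. Addressing continues the earlier assumptions (VIP 203.0.113.3); interface and object numbers are assumed.

```cisco
! Added example, not a poster's config. Same assumed addressing as the
! earlier examples: HSRP VIP 203.0.113.3 on the ASA's outside VLAN.
!
! --- ASA: SLA probe of the HSRP VIP, attached to the default route. A tracked
! object on the ASA can only act on a static route; it cannot drive failover,
! so this withdraws the default route (and logs the state change) when no
! HSRP member is answering for the VIP. ---
sla monitor 20
 type echo protocol ipIcmpEcho 203.0.113.3 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 20 life forever start-time now
track 20 rtr 20 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.3 1 track 20
!
! --- router1 and router2: HSRP group without preempt, as in the reply above.
! The recovered member then stays standby and the active ASA/active router
! pairing stays on one switch; the other member takes the VIP only when the
! active member's hellos stop (member or its interface down). ---
interface GigabitEthernet0/1
 standby 1 ip 203.0.113.3
 no standby 1 preempt
```

One trade-off to keep in mind with this variant: a priority decrement from object tracking only moves the VIP to a peer that has preempt enabled, so with preempt removed on both members the router-side tracking no longer hands the VIP over when the active router loses sight of the ASA; it covers the member-down and interface-down cases only. `show track 20` and `show route` on the ASA confirm whether the default route is currently installed.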