I have a client that is requesting redundant internet connections using 2 7204 routers to 2 asa 5520 in an active standby configuration. There is no load balancing requirement this is strictly for failover. The issue that I am having is that I have to have 1 of there public IP addresses on the Lan side of the 7204 for the ASA connectivity. Because of this both routers advertise out their public subnet to the respective providers, but the issue is that when the wan link on the primary router fails and traffic traverses the secondary wan the return traffic comes back in the secondary wan and stops because it sees the link to the asa as being up even though the asa is in standby. No matter what route manipulations I do a directly connected route is alway going to be better. Can anyone help with a scenerio on how I can get this to work. Below is a rough sketch:
Verizon------Router A (Primary)-----ASA A (Active)--------------Nexus1
| | |
| IBGP | Keepalive | VPC Link
| | |
AT&T---------Router B (Backup)-----ASA B (Standby)------------Nexus2
Do you have switching fabric between the ASA pair and the Internet routers? How is the ASA failover protocol propagating?
The ASA is a good firewall but a lousy router. If you aren’t already using 'transparent mode' on the ASA's consider it so they aren’t involved in a routing decision. If your switch supports routing turn up an IGP between the switch and the internet routers. In this configuration if an internet uplink failed on router A; router B should see a LAN route from router A via an IGP.
The ASA's are connected via fiber converter. We are redistributing the default route from BGP into eigrp which the asa's are participating in. The asa's then redistribute the default route into the internal network.
If you execute a 'show fail' on ASA A does it state that ASA A is 'Primary Active' and ASA B 'Standby Ready'? Also, is your outside interface in a normal state on both ASA's. I'm not sure the ASA failover will work properly if both outside interfaces are not in the same broadcast domain.
If you execute a 'show ip eigrp nei' on Router B, does it currently have an EIGRP adjacency with ASA B? Does router B forward to ASA B based on a static route or an EIGRP route?
The ASA's and routers should be connected via a switch and be on the same VLAN on the outside interface of the ASA (inside for the routers),
the ASA's have a virtual IP (Active IP) that is swapped between them, when the primary goes down, the secondary takes over...and it should be transparent for the router upstream to forward because it sees only one active IP address on its inside interface.
I think there are some constraints that need to be discussed with the customer, namely, the ASAs each obviously cannot have unique IPs on the outside interfaces and your design would have to incorporate a schema whereas the routers inside and ASA outside are on the same subnet and that subnet may have to be a RFC 1918.
I have a simple answer which as per me should work in this scenario:
There are couple of points that we need to consider before the solution:
- ASA are running in failover mode, so config on both the ASA will sync up and from layer 3 perspective, there would be only one Active Ip address both on the inside as well as outside
- Both Edge Routers inside interfaces & firewalls outside interfaces have to be on the same subnet through a switch in between
Now, to make it work, use HSRP on the edge routers with IP SLA tracking (for the ISP interface or we can even track an ip in ISP's cloud to keep a check on the Internet connectivity). I admit that it will not have the same kind of convergence as a routing protocol but it's simple and will work.
LAN is going to use the Active ASA ip address as the gateway, both the ASA will be using HSRP virtual ip as its gateway in default route and then Active router will send the traffic out to internet.
Now for the return traffic, it will come back through the same router which sent it out and no matter whether its primary or secondary, it will simply send the return traffic to the Active ASA's outside ip.
This does not involve any neighborship confusion, the only thing which I can point out is the Single point of failure because of the L2 switch connecting these 4 devices. Even that can be taken care of by using dual switches, provided customer/you are ready to shell out more bucks
Hope it helps
Actually i am newbie to this multihoming , i want to setup a lab where i can set two ISP connection , one as primary second as a standby but i want to configure it on one router or layer 3 switch , Can you please guide me , what command should i have to use to set these setting , Please mail me on firstname.lastname@example.org