Cisco ASA HA over GRE?

I am building a simple network topology, which basically is a couple of racks in two different data centers, connected by one fiber cable.

Each site has one ISR2821 with one eBGP transit each, announcing the same /20 network. The idea is to have both routers active, communicating with each other and the (active) Cisco ASA using OSPF.

Simple ring topology achieved using a GRE tunnel on the routers (establishing it from each side's respective ISP-provided link net address).

My question is as follows: how to let the ASAs be able to (L2) communicate over the GRE tunnel, to avoid having both being active in case the fiber connecting the data centres is down? (some form of proxy arp? how could it be configured so it only takes that path in case the fiber trunk connecting the data centers is down?)

Vlan 10: outside

Vlan 20: ha net

Vlan 30: inside

Public network: 100.0.0.0/20

Outside network: 100.0.0.0/28

Left router's loopback: 100.0.0.1

Right router's loopback: 100.0.0.2

Left ASA outside: 100.0.0.3

Right ASA outside: 100.0.0.4

Linknet at "left site": 1.1.1.2/32

Linknet at "right site": 2.2.2.2/32

[Figure: simplified.png]
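As an added illustration of the topology described above (this is constructed example configuration, not from the original post), the left ISR2821's GRE tunnel and OSPF peering plus the left ASA's failover stanza, using the addresses the post gives; the tunnel /30, the router's outside address, the interface names and the HA-net addresses are assumed. Because the HA VLAN would ride a GRE tunnel built between the ISP-facing link-net addresses, a failover key is set so that configuration and connection-state replication between the ASAs is not sent in clear text.

```cisco
! Left ISR2821 (added example; values not in the post are assumed)
interface Loopback0
 ip address 100.0.0.1 255.255.255.255
!
! Outside VLAN 10 toward the ASAs; 100.0.0.5 is an assumed router address in 100.0.0.0/28
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 100.0.0.5 255.255.255.240
!
! GRE tunnel between the two ISP-provided link-net addresses; 10.255.0.0/30 is assumed
interface Tunnel0
 description GRE to right site (backup path used when the fiber is down)
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip ospf cost 1000
 keepalive 10 3
 tunnel source 1.1.1.2
 tunnel destination 2.2.2.2
 tunnel mode gre ip
!
! 2.2.2.2 must be reached via the eBGP transit, never via Tunnel0 itself,
! otherwise the tunnel flaps on recursive routing
router ospf 1
 router-id 100.0.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1.10
 no passive-interface Tunnel0
 network 100.0.0.0 0.0.0.15 area 0
 network 10.255.0.0 0.0.0.3 area 0
!
! ---------------------------------------------------------------
! Left ASA, primary unit (added example); GigabitEthernet0/2 sits in VLAN 20 (ha net)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.0.0.3 255.255.255.240 standby 100.0.0.4
!
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/2
failover link HA GigabitEthernet0/2
failover interface ip HA 10.20.0.1 255.255.255.252 standby 10.20.0.2
failover polltime unit 1 holdtime 3
! same key on both units; without it failover traffic crosses the tunnel unencrypted
failover key <shared-secret-placeholder>
!
router ospf 1
 router-id 100.0.0.3
 network 100.0.0.0 255.255.255.240 area 0
```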
Accepted Solutions

Cisco ASA HA over GRE?

You do have a valid question but I have a counter question on your requirement:

Why do you want to keep the firewalls in sync when the internal fiber link is down? I mean, let's consider that the Site A ASA was acting as Active; if the fiber link goes down, then how would Site B servers reach the Site A ASA, even if you somehow are able to get the firewalls in sync through the GRE tunnel?

I would say that you need to go for a better design with either:

- a redundant Fiber interconnection between these datacenters or

- using both ASAs as standalone devices and configuring multiple gateways in your servers, so that if one ASA fails, the second one can take over

Another doubt that I have in this topology is: how have you achieved failover between these ASAs? I am not able to foresee a way to keep both ASAs' outside interfaces in the same subnet, as they are connected to two different routers and not to a switch to have a single segment.

I might be missing the point of the ring network which you mentioned, but I am a little confused in understanding the working of this topology even when the fiber interconnection is up and working.

Neeraj

3 REPLIES

New Member

Re: Cisco ASA HA over GRE?

Hi Neeraj,

My intention is to tunnel all my VLANs over this l2tp GRE link as well, so that ASA B can communicate with all servers on site A, although over a much more limited bandwidth than if communicating directly over the fiber connection.

To clarify:

The L2tp over GRE tunnel will be a second trunk connection between the switches on site A and site B, and within one of the trunked VLANs the ASAs will do their health checking.

Assuming this is possible and a good solution, I will rely on STP (PVST) to keep the trunk over the l2tp/GRE tunnel closed, as long as there's link on the fiber SFPs.

It is my understanding that with this topology, I could lose any one of a switch, firewall or router. Note that the fiber will be divided into multiple wavelengths so that a couple of channels go between one switch pair, and another couple of channels into a second switch.

Adding a second fiber between the data centers is to my knowledge pointless, as they are laid in 96 pairs and all pretty much next to each other. If there's an accident there, then the secondary fiber would be cut off as well.

I will check the possibility of a secondary fiber going a different route as well.

New Member

Cisco ASA HA over GRE?

My response to your suggestion "using both the ASA's as standalone devices and configure multiple gateways in your servers so that if one ASA fails, then second one can take over" is:

I've got well over 80 /30 networks with customers. Adding a second ASA would require me to relocate those 80 customers to /29 networks. Could be done, but preferably not, for obvious reasons :-).
