Hello group,
I need help with this one. I have a customer asking me to connect two pairs
of ASAs directly, without any switch in the middle. I have never seen something
like this and after a few hours playing with this setup, I'm almost giving
up.
Please check the diagram here:
http://www.ccie18473.net/failover.jpg
I'm running OSPF between the two pairs of ASAs in order to get maximum
redundancy. Suppose that initially FW-1 and FW-3 are active. The first
problem I see is that only one OSPF adjacency is up, between the active
ASAs. I understand that this happens because OSPF is inactive on the standby
ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
is that if I play a little with "failover active" and "no failover active",
this becomes completely broken: the ASAs start moving from active to standby
without any pattern. I think this is because the ASAs in each pair don't see
each other. Ok, this seems to be completely against the basic ASA Failover
design. Each firewall must see its peer on the data interfaces.
Can somebody tell me if this is possible to achieve? The customer keeps
telling me that there are other vendors that do this without any issues...
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares_at_netcabo.pt
http://www.ccie18473.net
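For readers not familiar with why the peers need to see each other, here is an added configuration example (not from Antonio's post or from his customer's setup) of a minimal active/standby pair, showing the standby address and interface monitoring that depend on both units sharing the data-interface segment; interface names and addresses are assumed.

```cisco
! Added example, not from the original post: one ASA of an active/standby
! pair (this unit configured as primary). Names and addresses are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! The standby address is held by the peer unit. Interface health checks
 ! (link state, failover hellos between peers, ARP and broadcast-ping tests)
 ! run across this segment, so the peer must be reachable on it at layer 2.
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/3
 description failover LAN and state link to the peer unit
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK GigabitEthernet0/3
! Monitor the data interface; a failure is declared by the tests above,
! which is why a directly cabled peer-to-peer design breaks them.
monitor-interface outside
failover
!
! OSPF is configured on both units, but only the active unit forms
! adjacencies; after a switchover the new active unit must re-establish them.
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
```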
Received on Thu Jan 12 2012 - 23:52:35 ART