I may be way off, but I don't think so.
The whole thing about redundancy in the ASA design is Active/Passive.
And they babysit a virtual MAC, so they take for granted that identical
interfaces ARE connected to the same broadcast domain.
I would not try to go down the road of trying to make this work using
quirks (like making the inter pair links aggregated channels?) because
only bad things can happen when you break the basic design basis.
(I know that ASAs do Active/Active, but that is a marketing illusion:
each context is only active in one chassis at a time).
-Carlos
Antonio Soares @ 12/01/2012 20:52 -0300 dixit:
> Hello group,
>
> I need help with this one. I have a customer asking me to connect two pairs
> of ASAs directly, without any switch in the middle. I never saw something
> like this and after a few hours playing with this setup, I'm almost giving
> up.
>
> Please check here the diagram:
>
> http://www.ccie18473.net/failover.jpg
>
> I'm running OSPF between the two pairs of ASAs in order to get maximum
> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
> problem I see is that only one OSPF adjacency is up, between the active
> ASAs. I understand that this happens because OSPF is inactive on the standby
> ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
> is that if I play a little with "failover active" and "no failover active",
> this becomes completely broken: the ASAs start moving from active to standby
> without any pattern. I think this is because the ASAs in each pair don't see
> each other. Ok, this seems to be completely against the basic ASA Failover
> design. Each firewall must see its peer on the data interfaces.
>
> Can somebody tell me if this is possible to achieve ? The customer keeps
> telling me that there are other vendors that do this without any issues...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares_at_netcabo.pt
> http://www.ccie18473.net
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Fri Jan 13 2012 - 08:58:18 ART