RE: ASA Failover Design Issue

From: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Date: Fri, 13 Jan 2012 12:10:35 -0500

Joe, how does a switch remove your failure? You just moved your single point
of failure to the switch. A switch failure causes the same issues as a
directly connected cable failure (split-brain scenario). You could just
as easily have replaced the patch cable and you would be in the same risk
scenario. Unless you're saying a complicated switch is less likely to have a
failure than 4 strands of copper. The most common reason for directly
connecting both the failover and state links is it's a cheap method of saving
4 ports in maxed-out access switches in already crammed cabinets in already
crammed data centers. It has its pros and cons in designs.

You can throw in 2 switches, but you can't get around the fact that
*monitored for HA* ports need to be able to send HA hello messages to each
other, so you need to trunk the switches to carry all VLANs used by any
*monitored* interfaces (and the state/failover VLANs). Hopefully, with more
than one port to remove that single trunk port point of failure.

However, most people use only one switch (on the access side) because most
of the time your carriers only hand off one physical connection for a path.
So in the end the switch that has that carrier is the single point of
failure.

And what do directly connected firewalls have to do with how EIGRP is
(mis)configured on firewalls? So equivalently, are you saying if you
directly connect 2 interfaces on 2 routers it won't work unless you throw in
a switch between the 2 routers?

Can you sanitize your "firewall to firewall data interfaces direct connect"
setup from your customer and share it, because you are insinuating that it
is possible to do that and have HA.
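For readers following the argument above about monitored interfaces needing to exchange hellos, here is an added example (not taken from any message in this thread) of a minimal ASA active/standby failover configuration in which the failover and state links are dedicated interfaces and every monitored data interface carries an active and a standby address on a VLAN shared by both units of the pair. The hostname, interface numbers, addresses and the failover key are assumed values; the poll/hold timers are ordinary ASA settings, not ones recommended by anyone in the thread.

```cisco
! Added example (not from any message in this thread): minimal ASA
! active/standby failover with data interfaces reachable through a shared
! switch/VLAN. Hostname, interfaces, addresses and key are assumed values.
hostname FW-1
!
! Dedicated failover (hello) link and stateful link on their own interfaces.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link STATELINK GigabitEthernet0/4
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
!
! Authenticate and encrypt failover traffic so a tapped failover VLAN cannot
! read replicated state or inject messages (placeholder key).
failover key FAILOVER-KEY-PLACEHOLDER
!
! Unit hellos every second; declare the peer failed after 5 s without one.
failover polltime unit 1 holdtime 5
! Interface hellos every 5 s; 25 s without one before the interface is tested.
failover polltime interface 5 holdtime 25
!
! Each monitored data interface needs an active and a standby address on the
! same L2 segment: the two units send interface hellos to each other on it,
! so both ASAs of a pair must share the VLAN (the trunked switch case above).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
! Interface monitoring: an interface that misses hellos and fails its tests
! counts against the unit and can trigger a switchover.
monitor-interface outside
monitor-interface inside
!
failover
```

To check the result on either unit, `show failover` should report one unit `Active` and the other `Standby Ready`, with each monitored interface in a normal state; `show failover history` records every state change and the reason, which is the quickest way to see whether a pair is flapping because a monitored interface cannot hear its peer rather than because of a real outage.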

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Friday, January 13, 2012 10:10 AM
To: 'marco207p_at_gmail.com'
Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
Subject: Re: ASA Failover Design Issue

Have you ever had a customer failover due to power loss or a bad cable and
drop connections when the devices failed back and forth all due to an 18-inch
cable between the two firewalls' FO interfaces? Instead of using a switch?

Know what we call that customer in my firm? "The Fortinet Customer" lol

They got tired of these little issues before I could save the account for
cisco...

Believe me I never just harp on the whitepaper or "what TAC supports" (I
don't call TAC except for parts replacement) - but you don't want firewalls
cabled directly together for many reasons...

Another gotcha with the "firewall cabled to firewall" design and we saw this
Tuesday - we had the same EIGRP route coming in via two interfaces - it
chose an asymmetric way back and what do ASAs do with asymmetric paths?

Block

----- Original Message -----
From: George J. Sanchez [mailto:marco207p_at_gmail.com]
Sent: Friday, January 13, 2012 08:36 AM
To: Joseph L. Brunner
Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification
<ccielab_at_groupstudy.com>
Subject: Re: ASA Failover Design Issue

Joe, I've also read this whitepaper and the ASA Cisco Press books that say
the same thing; however, this is not true. I've tested this many times and had
other engineers test the same setup with positive results. With that being
said, TAC may not support the setup, but to this day I've never had a
customer come back and indicate any problems with this design.

Regards,
 Joe Sanchez

On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com>
wrote:

>> I need help with this one. I have a customer asking me to connect two
>> pairs of ASAs directly, without any switch in the middle. I never saw
>> something like this and after a few hours playing with this setup, I'm
>> almost giving up.
>
> This is why the CCDE exists... to vet bullsh*t designs from people that
really should not be designing... If you read the Cisco white paper on
failover it clearly says the design of failover is to use a switch to avoid
"both interfaces down the firewalls fo interface".
>
> I have done "all routed ASAs" but used load balancers in between also
running OSPF...
>
> Good luck.. bad design... probably not the results you want if you do
figure it out anyway...
>
> -Joe
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Antonio Soares
> Sent: Thursday, January 12, 2012 6:53 PM
> To: 'Cisco certification'
> Subject: ASA Failover Design Issue
>
> Hello group,
>
> I need help with this one. I have a customer asking me to connect two
pairs of ASAs directly, without any switch in the middle. I never saw
something like this and after a few hours playing with this setup, I'm
almost giving up.
>
> Please check here the diagram:
>
> http://www.ccie18473.net/failover.jpg
>
> I'm running OSPF between the two pairs of ASAs in order to get maximum
redundancy. Suppose that initially FW-1 and FW-3 are active. The first
problem I see is that only one OSPF adjacency is up, between the active
ASAs. I understand that this happens because OSPF is inactive on the standby
ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
is that if I play a little with "failover active" and "no failover active",
this becomes completely broken: the ASAs start moving from active to standby
without any pattern. I think this is because the ASAs in each pair don't see
each other. Ok, this seems to be completely against the basic ASA Failover
design. Each firewall must see its peer on the data interfaces.
>
> Can somebody tell me if this is possible to achieve? The customer keeps
telling me that there are other vendors that do this without any issues...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares_at_netcabo.pt
> http://www.ccie18473.net
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Jan 13 2012 - 12:10:35 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART