RE: ASA Failover Design Issue

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 13 Jan 2012 17:40:04 +0000

Nope... wrong...

We use 2 switches, one on each ASA.

The ASA with the perfectly healthy interfaces continues unencumbered with a down failover interface :)

We are not talking about "most people"... his design was looking for failover... here's a question for you, and let's see if you or anyone else gets it:

What does an ASA do that has down interfaces itself, but does not see its failover neighbor?

Now, tell me what you would rather have: 1 ASA (primary active or secondary active) with all interfaces healthy and up, but not able to see its neighbor

-or-

One or both ASAs with a down interface?

(If you don't know what is going to happen to the traffic you should probably lab this up for 24 hours) :0)

-Joe

-----Original Message-----
From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
Sent: Friday, January 13, 2012 12:11 PM
To: Joseph L. Brunner; marco207p_at_gmail.com
Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
Subject: RE: ASA Failover Design Issue

Joe, how does a switch remove your failure? You just moved your single point of failure to the switch. A switch failure causes the same issues as a direct connected cable failure (split brain scenario). You could have just as easily replaced the patch cable and you would be in the same risk scenario. Unless you're saying a complicated switch is less likely to have a failure than 4 strands of copper. The most common reason for direct connecting both the failover and state links is that it's a cheap method of saving 4 ports in maxed out access switches in already crammed cabinets in already crammed data centers. It has its pros and cons in designs.

You can throw in 2 switches, but you can't get around the fact that *monitored for HA* ports need to be able to send HA hello messages to each other, so you need to trunk the switches to carry all VLANs used by any *monitored* interfaces (and the state/failover VLANs). Hopefully, with more than one port to remove that single trunk port point of failure.

However, most people use only one switch (on the access side) because most of the time your carriers only hand off one physical connection for a path.
So in the end the switch that has that carrier is the single point of failure.

And what do directly connected firewalls have to do with how EIGRP is (mis)configured on firewalls? So equivalently, are you saying if you directly connect 2 interfaces on 2 routers it won't work unless you throw in a switch between the 2 routers?

Can you sanitize your "firewall to firewall data interfaces direct connect" setup from your customer and share it, because you are insinuating that it is possible to do that and have HA.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joseph L. Brunner
Sent: Friday, January 13, 2012 10:10 AM
To: 'marco207p_at_gmail.com'
Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
Subject: Re: ASA Failover Design Issue

Have you ever had a customer failover due to power loss or a bad cable and drop connections when the devices failed back and forth, all due to an 18-inch cable between the two firewalls' fo interfaces? Instead of using a switch?

Know what we call that customer in my firm? "The Fortinet Customer" lol

They got tired of these little issues before I could save the account for Cisco...

Believe me, I never just harp on the whitepaper or "what TAC supports" (I don't call TAC except for parts replacement) - but you don't want firewalls cabled directly together for many reasons...

Another gotcha with the "firewall cabled to firewall" design, and we saw this Tuesday - we had the same EIGRP route coming in via two interfaces - it chose an asymmetric way back, and what do ASAs do with asymmetric paths?

Block

----- Original Message -----
From: George J. Sanchez [mailto:marco207p_at_gmail.com]
Sent: Friday, January 13, 2012 08:36 AM
To: Joseph L. Brunner
Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification <ccielab_at_groupstudy.com>
Subject: Re: ASA Failover Design Issue

Joe, I've also read this whitepaper and the ASA Cisco Press books that say the same thing; however, this is not true. I've tested this many times and had other engineers test the same setup with positive results. With that being said, TAC may not support the setup, but to this day I've never had a customer come back and indicate any problems with this design.

Regards,
 Joe Sanchez

On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com>
wrote:

>> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>
> This is why the CCDE exists... to vet bullsh*t designs from people that really should not be designing... If you read the Cisco white paper on failover it clearly says the design of failover is to use a switch to avoid "both interfaces down the firewalls fo interface".
>
> I have done "all routed ASAs" but used load balancers in between also running OSPF...
>
> Good luck.. bad design... probably not the results you want if you do figure it out anyway...
>
> -Joe
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Antonio Soares
> Sent: Thursday, January 12, 2012 6:53 PM
> To: 'Cisco certification'
> Subject: ASA Failover Design Issue
>
> Hello group,
>
> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>
> Please check here the diagram:
>
> http://www.ccie18473.net/failover.jpg
>
> I'm running OSPF between the two pairs of ASAs in order to get maximum redundancy. Suppose that initially FW-1 and FW-3 are active. The first problem I see is that only one OSPF adjacency is up, between the active ASAs. I understand that this happens because OSPF is inactive on the standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see is that if I play a little with "failover active" and "no failover active", this becomes completely broken: the ASAs start moving from active to standby without any pattern. I think this is because the ASAs in each pair don't see each other. Ok, this seems to be completely against the basic ASA Failover design. Each firewall must see its peer on the data interfaces.
>
> Can somebody tell me if this is possible to achieve? The customer keeps telling me that there are other vendors that do this without any issues...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares_at_netcabo.pt
> http://www.ccie18473.net
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Jan 13 2012 - 17:40:04 ART
