RE: ASA Failover Design Issue

From: Ryan West <rwest_at_zyedge.com>
Date: Fri, 13 Jan 2012 18:12:44 +0000

I agree the OT has veered further OT. If there are no other checks, i.e. monitor-interface, how do you not get split brain if the directly connected switch goes down? So there are other beacons that are sent, otherwise how does the firewall know if an interface that it's monitoring goes down? If you watch the state changes, after bulk sync, the interfaces go into a waiting state until the active unit can verify the state of the standby. If the failover link is lost, it does not mean split brain. The devices are still able to communicate between themselves. If you place both your failover and state on the same interface, you are obviously not sending state and VPN related changes anymore and would likely have the equivalent of a warm standby unit in the event of a failure.

-ryan
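As an added illustration (not code from this thread or from Cisco), the Python model below encodes the health-check behaviour Ryan describes: hellos on the failover link plus hellos on monitored data interfaces, with the peer presumed dead only when it is silent on all of them. The hold time, the source names and the decision rules are assumptions of the model, not ASA internals; the two scenarios contrast a switched data segment with Antonio's directly cabled pairs.

```python
from dataclasses import dataclass, field

HELLO_INTERVAL = 1.0            # assumed hello period, seconds
HOLD_TIME = 3 * HELLO_INTERVAL  # assumed: three missed hellos and a source is silent

@dataclass
class Unit:
    name: str
    active: bool
    # source -> time of the last peer hello heard on it; sources are "ft"
    # (the failover link) and the monitored data interfaces
    last_hello: dict = field(default_factory=dict)

def live_sources(unit, now):
    """Sources on which the peer has been heard within HOLD_TIME."""
    return {s for s, t in unit.last_hello.items() if now - t <= HOLD_TIME}

def decide(unit, now):
    """Per-tick verdict in the simplified model (not the ASA's real state machine)."""
    if unit.active:
        return "stay-active"            # an active unit never steps down here
    heard = live_sources(unit, now)
    if "ft" in heard:
        return "stay-standby"
    if heard:                           # FT link lost, peer still answers on data ifaces
        return "standby-no-state-sync"  # Ryan's warm-standby case: no split brain
    return "become-active"              # silent everywhere: peer presumed dead

def run_scenario(shared_segment, ft_cut_at=5.0, end=10.0):
    """Exchange hellos every HELLO_INTERVAL and cut the FT link at ft_cut_at.
    shared_segment=True: data interfaces hang off a common switch, so interface
    hellos keep flowing.  False: Antonio's directly cabled pairs, where the two
    units never share a data segment.  Returns (standby verdicts, split brain?)."""
    a, b = Unit("FW-1", active=True), Unit("FW-2", active=False)
    verdicts, t = [], 0.0
    while t <= end:
        for u in (a, b):                # both units hear the other's hellos
            if t < ft_cut_at:
                u.last_hello["ft"] = t
            if shared_segment:
                u.last_hello["inside"] = t
        verdict = decide(b, t)
        if verdict == "become-active":
            b.active = True             # standby promotes itself
        verdicts.append(verdict)
        t += HELLO_INTERVAL
    return verdicts, a.active and b.active
```

With the switched segment the standby ends in `standby-no-state-sync` and no split brain occurs; with directly cabled pairs it promotes itself once the FT hold time expires and both units are active.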
-----Original Message-----
From: Carlos G Mendioroz [mailto:tron_at_huapi.ba.ar]
Sent: Friday, January 13, 2012 12:59 PM
To: Ryan West
Cc: George J. Sanchez; Joseph L. Brunner; Antonio Soares; Cisco certification
Subject: Re: ASA Failover Design Issue

Ryan,
this argument (telling which ASA has the bad port) is only valid for the traffic interfaces. If the FT link is down, it would be risky to assume that because your link is up the other ASA is down, so you'd better have a query interface to confirm the peer's state (or risk a split brain).

I like the cable better because for some faults it gets a quicker reaction. (No hello T/O involved)

The problem with this thread is, I guess, that we are talking about different things. Some are talking about having or not a switch for the FT link, and some are talking about Antonio's real problem of not having a switch in the service interfaces.

-Carlos

Ryan West @ 13/01/2012 10:52 -0300 dixit:
> It's not recommended for troubleshooting reasons. The thought is, if your failover link goes down, there is no way to tell which side has a bad port. Recommended solution would be to connect to two switches. That being said, the number of times I've seen an ASA fail due to a bad port is zero over the last 5 years. VPN and other software failures are much more common. The direct cable method is supported by TAC, as is the combination of failover and state interfaces.
>
> Sent from handheld
>
> On Jan 13, 2012, at 8:38 AM, "George J. Sanchez" <marco207p_at_gmail.com> wrote:
>
>> Joe, I've also read this whitepaper and the ASA Cisco Press books that say the same thing, however this is not true. I've tested this many times and had other engineers test the same setup with positive results. With that being said TAC may not support the setup, but to this day I've never had a customer come back and indicate any problems with this design.
>>
>> Regards,
>> Joe Sanchez
>>
>> On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:
>>
>>>> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>>> This is why the CCDE exists... to vet bullsh*t designs from people that really should not be designing... If you read the Cisco white paper on failover it clearly says the design of failover is to use a switch to avoid "both interfaces down the firewalls fo interface".
>>>
>>> I have done "all routed asa's" but used load balancers in between also running ospf...
>>>
>>> Good luck.. bad design... probably not the results you want if you do figure it out anyway...
>>>
>>> -Joe
>>>
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
>>> Of Antonio Soares
>>> Sent: Thursday, January 12, 2012 6:53 PM
>>> To: 'Cisco certification'
>>> Subject: ASA Failover Design Issue
>>>
>>> Hello group,
>>>
>>> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>>>
>>> Please check here the diagram:
>>>
>>> http://www.ccie18473.net/failover.jpg
>>>
>>> I'm running OSPF between the two pairs of ASAs in order to get maximum redundancy. Suppose that initially FW-1 and FW-3 are active. The first problem I see is that only one OSPF adjacency is up, between the active ASAs. I understand that this happens because OSPF is inactive on the standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see is that if I play a little with "failover active" and "no failover active", this becomes completely broken: the ASAs start moving from active to standby without any pattern. I think this is because the ASAs in each pair don't see each other. Ok, this seems to be completely against the basic ASA Failover design. Each firewall must see its peer on the data interfaces.
>>>
>>> Can somebody tell me if this is possible to achieve ? The customer keeps telling me that there are other vendors that do this without any issues...
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP) amsoares_at_netcabo.pt
>>> http://www.ccie18473.net
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>

--
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Fri Jan 13 2012 - 18:12:44 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART