RE: ASA Failover Design Issue

From: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Date: Fri, 13 Jan 2012 17:56:09 -0500

I was not addressing that to you. And there was nothing uncivil in the
discussion so far, so not sure where you are getting that from. The only
rude word was "crappy", and that wasn't my description, that was my
paraphrasing of Joe's distaste for some of his customers' network designs.

However, I do see that yesterday you said the same thing as Joe B. Well, you
went further and stated that you have done the same config and have it
working. Joe only stated his customers were set up like that before he
changed it.

Same question then: you state to Antonio that he should spend more time
trying to get the config working (which I think is unworkable). Can you
share any sort of info on why you think it is workable? Because I can't see
how that is technically/physically possible.

But I have zero problem admitting I don't know everything or that I have
been wrong many a time. Hence my question: how did you configure his
scenario to work? I don't mind being wrong, it means I learned something.

armin
I already stated why it won't work even if he removed the multihoming. But in
the case of multihoming, in case it's not clear: when you set up HA on ASAs,
the configuration is replicated over to the other unit (whether in A/S or
A/A). So your physical interfaces have to be wired the same. Since he stated
both pairs of firewalls are supposed to be running HA, he can't take one
cable from one pair into an opposing pair on the other side. I can't figure
out any configuration (2x A/S, 2x A/A, or 1x A/A and 1x A/S) where
"direct connected data interfaces" are used (this HAS to imply disabling
monitoring on the data interfaces for HA or you will be perpetually failing)
and you aren't always set up to send traffic to an inactive ASA either from
the beginning or after a failover.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
George J. Sanchez
Sent: Friday, January 13, 2012 3:50 PM
To: Armin Mirsepassi
Cc: Joseph L. Brunner; <amsoares_at_netcabo.pt>; <ccielab_at_groupstudy.com>
Subject: Re: ASA Failover Design Issue

Armin, not sure which Joe you are addressing this to; if it is me, Joe Sanchez,
then I would say your tone and attitude are pretty nasty. I will not respond
any further.

Regards,
 Joe Sanchez

On Jan 13, 2012, at 12:49 PM, "Armin Mirsepassi" <amirsepassi_at_ccgrp.com>
wrote:

> Joe, I am well aware how ASA HA behaves in most scenarios. My question to you
> was
>
> "Can you sanitize your "firewall to firewall data interfaces direct connect"
> setup from your customer and share it, because you are insinuating that it
> is possible to do that and have HA."
>
> I do not see how what Antonio's customer is stating as working can actually
> work. You keep insinuating that it can work because you have crappy
> customers that have it. So please don't be a tease and help a brother out
> with a config or explanation of the setup where it would work. You're not
> helping anyone out with just rhetoric.
>
> armin
>
> -----Original Message-----
> From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> Sent: Friday, January 13, 2012 12:40 PM
> To: Armin Mirsepassi; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Nope... wrong...
>
> We use 2 switches, one on each asa.
>
> The ASA with the perfectly healthy interfaces continues unencumbered with a
> down failover interface :)
>
> We are not talking about "most people"... his design was looking for
> failover... here's a question for you and let's see if you or anyone else
> gets it?
>
>
> What does an ASA do that has down interfaces itself, but does not see its
> failover neighbor?
>
> Now, tell me what you would rather have, 1 ASA (primary active or secondary
> active) all interfaces healthy up, but not able to see its neighbor
>
> -or-
>
> One or both ASAs with a down interface?
>
> (If you don't know what is going to happen to the traffic you should
> probably lab this up for 24 hours) :0)
>
> -Joe
>
> -----Original Message-----
> From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
> Sent: Friday, January 13, 2012 12:11 PM
> To: Joseph L. Brunner; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Joe, how does a switch remove your failure? You just moved your single point
> of failure to the switch. A switch failure causes the same issues as a
> direct connected cable failure (split brain scenario). You could have just
> as easily just replaced the patch cable and you would be in the same risk
> scenario. Unless you're saying a complicated switch is less likely to have a
> failure than 4 strands of copper. The most common reason for direct
> connecting both the failover and state links is it's a cheap method of saving
> 4 ports in maxed out access switches in already crammed cabinets in already
> crammed data centers. It has its pros and cons in designs.
>
> You can throw in 2 switches, but you can't get around the fact that
> *monitored for HA* ports need to be able to send HA hello messages to each
> other, so you need to trunk the switches to carry all VLANs used by any
> *monitored* interfaces (and the state/failover VLANs). Hopefully, with more
> than one port to remove that single trunk port point of failure.
>
> However, most people use only one switch (on the access side) because most
> of the time your carriers only hand off one physical connection for a path.
> So in the end the switch that has that carrier is the single point of
> failure.
>
> And what do directly connected firewalls have to do with how EIGRP is
> (mis)configured on firewalls? So equivalently, are you saying if you
> directly connect 2 interfaces on 2 routers it won't work unless you throw in
> a switch between the 2 routers?
>
> Can you sanitize your "firewall to firewall data interfaces direct connect"
> setup from your customer and share it, because you are insinuating that it
> is possible to do that and have HA.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joseph L. Brunner
> Sent: Friday, January 13, 2012 10:10 AM
> To: 'marco207p_at_gmail.com'
> Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
> Subject: Re: ASA Failover Design Issue
>
> Have you ever had a customer failover due to power loss or a bad cable and
> drop connections when the devices failed back and forth all due to an 18 inch
> cable between the two firewalls' fo interfaces? Instead of using a switch?
>
> Know what we call that customer in my firm? "The Fortinet Customer" lol
>
> They got tired of these little issues before I could save the account for
> cisco...
>
> Believe me I never just harp on the whitepaper or "what TAC supports" (I
> don't call TAC except for parts replacement) - but you don't want firewalls
> cabled directly together for many reasons...
>
> Another gotcha with the "firewall cabled to firewall" design and we saw this
> Tuesday - we had the same EIGRP route coming in via two interfaces - it
> chose an asymmetric way back and what do ASAs do with asymmetric paths?
>
> Block
>
>
> ----- Original Message -----
> From: George J. Sanchez [mailto:marco207p_at_gmail.com]
> Sent: Friday, January 13, 2012 08:36 AM
> To: Joseph L. Brunner
> Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification
> <ccielab_at_groupstudy.com>
> Subject: Re: ASA Failover Design Issue
>
> Joe, I've also read this whitepaper and the ASA Cisco Press books that say
> the same thing, however this is not true. I've tested this many times and had
> other engineers test the same setup with positive results. With that being
> said TAC may not support the setup, but to this day I've never had a
> customer come back and indicate any problems with this design.
>
> Regards,
> Joe Sanchez
>
> On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com>
> wrote:
>
>>> I need help with this one. I have a customer asking me to connect two
>>> pairs of ASAs directly, without any switch in the middle. I never saw
>>> something like this and after a few hours playing with this setup, I'm
>>> almost giving up.
>>
>> This is why the CCDE exists... to vet bullsh*t designs from people that
>> really should not be designing... If you read the Cisco white paper on
>> failover it clearly says the design of failover is to use a switch to avoid
>> "both interfaces down the firewalls fo interface".
>>
>> I have done "all routed ASAs" but used load balancers in between also
>> running OSPF...
>>
>> Good luck.. bad design... probably not the results you want if you do
>> figure it out anyway...
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Antonio Soares
>> Sent: Thursday, January 12, 2012 6:53 PM
>> To: 'Cisco certification'
>> Subject: ASA Failover Design Issue
>>
>> Hello group,
>>
>> I need help with this one. I have a customer asking me to connect two
>> pairs of ASAs directly, without any switch in the middle. I never saw
>> something like this and after a few hours playing with this setup, I'm
>> almost giving up.
>>
>> Please check here the diagram:
>>
>> http://www.ccie18473.net/failover.jpg
>>
>> I'm running OSPF between the two pairs of ASAs in order to get maximum
>> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
>> problem I see is that only one OSPF adjacency is up, between the active
>> ASAs. I understand that this happens because OSPF is inactive on the standby
>> ASAs. OK, the setup is broken because if FW-1 goes down, I would need to
>> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
>> is that if I play a little with "failover active" and "no failover active",
>> this becomes completely broken: the ASAs start moving from active to standby
>> without any pattern. I think this is because the ASAs in each pair don't see
>> each other. OK, this seems to be completely against the basic ASA Failover
>> design. Each firewall must see its peer on the data interfaces.
>>
>> Can somebody tell me if this is possible to achieve? The customer keeps
>> telling me that there are other vendors that do this without any issues...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares_at_netcabo.pt
>> http://www.ccie18473.net
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Jan 13 2012 - 17:56:09 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART
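Added example, not from any message in this thread: an ASA active/standby failover configuration showing the pieces Armin and Antonio are arguing about, namely the dedicated failover and state links, the interface hello timing, and which data interfaces are monitored. Interface names, unit role, addresses and timers are assumed placeholders, not values from the thread or from any poster's customer.

```cisco
! Added example (not from the thread): failover settings for one A/S ASA pair.
! Names, addresses and timers below are placeholders. In A/S failover the whole
! configuration, this block included, is replicated to the peer, so both units
! must be cabled identically (the point Armin makes about the cross-pair cable).

! Dedicated failover (hello + config sync) and stateful replication links.
! Whether these go through a switch or are a direct cable is the thread's
! argument; the commands are the same either way.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6

! Interface hellos: how often each unit expects to hear its peer on every
! monitored data interface, and how long before that interface is declared
! failed.
failover polltime interface 5 holdtime 25
! Number of monitored interfaces that must fail before the unit fails over.
failover interface-policy 1

! Every data interface carries an active and a standby address; the standby
! unit sources its hellos from the standby address, so the peer must be on the
! same L2 segment (trunked between switches, as Armin describes).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

! A data interface cabled point-to-point to the other pair never hears its own
! standby peer's hello, so it stays in "Waiting" and is eventually treated as
! failed. Excluding it from monitoring avoids the perpetual failover Armin
! warns about, at the cost of no failover when that link really goes down.
monitor-interface outside
no monitor-interface inside

failover
```

After both units are up, `show failover` lists each data interface with its monitoring state; an interface that shows "Normal (Waiting)" on a monitored port is the symptom to look for when a pair flaps the way Antonio describes, since it means the hellos are not reaching the peer on that segment.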