Re: ASA Failover Design Issue

From: Radioactive Frog <pbhatkoti_at_gmail.com>
Date: Sat, 14 Jan 2012 10:03:50 +1100

I'd blame Cisco for this for not having a simple feature like this for
failover interfaces.

You hang them off the Nexus 7K and we know the 7K is never going to fail, with
full redundancy. Things get complex, and the more $$$ you pump in the more
redundancy you get.

In Linux we can do anything that we want, and things like this (neighbor not
being seen from the other peer member) are a piece of cake.

What's stopping us from doing some scripting on the ASA that removes the gap of
what we're missing?

Obvious answer is yes, we can do something using the ASA API?

On Sat, Jan 14, 2012 at 7:54 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com>wrote:

> I'm sure he was responding to me... Sorry - but I'm in the realtime
> managed services business for trading firms and power generation companies
> - we simply can't have surprise issues.
>
> I have replaced many 18 inch cables between pairs of ASAs lately. An ASA
> with a failed interface will reset itself and try to return to its normal
> state at random periods, possibly dropping connections. I have email scripts
> I'll share with the group - we get email alerts when this happens on a
> secondary ASA with its fo interface down because the primary is dead - and of
> course our monitoring systems (and angry clients calling in) notice...
>
> So an ASA with 1 failed interface, even fo, is no good for us
>
> Joe
>
>
> ----- Original Message -----
> From: George J. Sanchez [mailto:marco207p_at_gmail.com]
> Sent: Friday, January 13, 2012 03:49 PM
> To: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
> Cc: Joseph L. Brunner; <amsoares_at_netcabo.pt> <amsoares_at_netcabo.pt>; <
> ccielab_at_groupstudy.com> <ccielab_at_groupstudy.com>
> Subject: Re: ASA Failover Design Issue
>
> Armin, not sure which Joe you are addressing this to; if it is me, Joe
> Sanchez, then I would say your tone and attitude is pretty nasty.. I will
> not respond any further.
>
> Regards,
> Joe Sanchez
>
> On Jan 13, 2012, at 12:49 PM, "Armin Mirsepassi" <amirsepassi_at_ccgrp.com>
> wrote:
>
> > Joe, I am well aware how ASA HA behaves in most scenarios. My question to
> > you was
> >
> > "Can you sanitize your "firewall to firewall data interfaces direct
> > connect" setup from your customer and share it, because you are
> > insinuating that it is possible to do that and have HA."
> >
> > I do not see how what Antonio's customer is stating as working can
> > actually work. You keep insinuating that it can work because you have
> > crappy customers that have it. So please don't be a tease and help a
> > brother out with a config or explanation of the setup where it would
> > work. You're not helping anyone out with just rhetoric.
> >
> > armin
> >
> > -----Original Message-----
> > From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> > Sent: Friday, January 13, 2012 12:40 PM
> > To: Armin Mirsepassi; marco207p_at_gmail.com
> > Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> > Subject: RE: ASA Failover Design Issue
> >
> > Nope... wrong...
> >
> > We use 2 switches, one on each ASA.
> >
> > The ASA with the perfectly healthy interfaces continues unencumbered with
> > a down failover interface :)
> >
> > We are not talking about "most people"... his design was looking for
> > failover... here's a question for you, and let's see if you or anyone else
> > gets it?
> >
> >
> > What does an ASA do that has down interfaces itself, but does not see its
> > failover neighbor?
> >
> > Now, tell me what you would rather have: 1 ASA (primary active or
> > secondary active) with all interfaces healthy and up, but not able to see
> > its neighbor
> >
> > -or-
> >
> > One or both ASAs with a down interface?
> >
> > (If you don't know what is going to happen to the traffic you should
> > probably lab this up for 24 hours) :0)
> >
> > -Joe
> >
> > -----Original Message-----
> > From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
> > Sent: Friday, January 13, 2012 12:11 PM
> > To: Joseph L. Brunner; marco207p_at_gmail.com
> > Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> > Subject: RE: ASA Failover Design Issue
> >
> > Joe, how does a switch remove your failure? You just moved your single
> > point of failure to the switch. A switch failure causes the same issues as
> > a direct connected cable failure (split brain scenario). You could have
> > just as easily replaced the patch cable and you would be in the same risk
> > scenario. Unless you're saying a complicated switch is less likely to have
> > a failure than 4 strands of copper. The most common reason for direct
> > connecting both the failover and state links is it's a cheap method of
> > saving 4 ports in maxed out access switches in already crammed cabinets in
> > already crammed data centers. It has its pros and cons in designs.
> >
> > You can throw in 2 switches, but you can't get around the fact that
> > *monitored for HA* ports need to be able to send HA hello messages to each
> > other, so you need to trunk the switches to carry all VLANs used by any
> > *monitored* interfaces (and the state/failover VLANs). Hopefully, with
> > more than one port to remove that single trunk port point of failure.
> >
> > However, most people use only one switch (on the access side) because most
> > of the time your carriers only hand off one physical connection for a
> > path. So in the end the switch that has that carrier is the single point
> > of failure.
> >
> > And what do directly connected firewalls have to do with how EIGRP is
> > (mis)configured on firewalls? So equivalently, are you saying if you
> > directly connect 2 interfaces on 2 routers it won't work unless you throw
> > in a switch between the 2 routers?
> >
> > Can you sanitize your "firewall to firewall data interfaces direct
> > connect" setup from your customer and share it, because you are
> > insinuating that it is possible to do that and have HA.
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Joseph L. Brunner
> > Sent: Friday, January 13, 2012 10:10 AM
> > To: 'marco207p_at_gmail.com'
> > Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
> > Subject: Re: ASA Failover Design Issue
> >
> > Have you ever had a customer fail over due to power loss or a bad cable
> > and drop connections when the devices failed back and forth, all due to an
> > 18 inch cable between the two firewalls' fo interfaces? Instead of using a
> > switch?
> >
> > Know what we call that customer in my firm? "The Fortinet Customer" lol
> >
> > They got tired of these little issues before I could save the account for
> > Cisco...
> >
> > Believe me, I never just harp on the whitepaper or "what TAC supports" (I
> > don't call TAC except for parts replacement) - but you don't want
> > firewalls cabled directly together for many reasons...
> >
> > Another gotcha with the "firewall cabled to firewall" design, and we saw
> > this Tuesday - we had the same EIGRP route coming in via two interfaces -
> > it chose an asymmetric way back, and what do ASAs do with asymmetric paths?
> >
> > Block
> >
> >
> > ----- Original Message -----
> > From: George J. Sanchez [mailto:marco207p_at_gmail.com]
> > Sent: Friday, January 13, 2012 08:36 AM
> > To: Joseph L. Brunner
> > Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification
> > <ccielab_at_groupstudy.com>
> > Subject: Re: ASA Failover Design Issue
> >
> > Joe, I've also read this whitepaper and the ASA Cisco Press books that say
> > the same thing, however this is not true. I've tested this many times and
> > had other engineers test the same setup with positive results. With that
> > being said TAC may not support the setup, but to this day I've never had a
> > customer come back and indicate any problems with this design.
> >
> > Regards,
> > Joe Sanchez
> >
> > On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <
> joe_at_affirmedsystems.com>
> > wrote:
> >
> >>> I need help with this one. I have a customer asking me to connect two
> >>> pairs of ASAs directly, without any switch in the middle. I never saw
> >>> something like this and after a few hours playing with this setup, I'm
> >>> almost giving up.
> >>
> >> This is why the CCDE exists... to vet bullsh*t designs from people that
> >> really should not be designing... If you read the Cisco white paper on
> >> failover it clearly says the design of failover is to use a switch to
> >> avoid "both interfaces down the firewalls fo interface".
> >>
> >> I have done "all routed ASAs" but used load balancers in between also
> >> running OSPF...
> >>
> >> Good luck.. bad design... probably not the results you want if you do
> >> figure it out anyway...
> >>
> >> -Joe
> >>
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> >> Of
> > Antonio Soares
> >> Sent: Thursday, January 12, 2012 6:53 PM
> >> To: 'Cisco certification'
> >> Subject: ASA Failover Design Issue
> >>
> >> Hello group,
> >>
> >> I need help with this one. I have a customer asking me to connect two
> >> pairs of ASAs directly, without any switch in the middle. I never saw
> >> something like this and after a few hours playing with this setup, I'm
> >> almost giving up.
> >>
> >> Please check here the diagram:
> >>
> >> http://www.ccie18473.net/failover.jpg
> >>
> >> I'm running OSPF between the two pairs of ASAs in order to get maximum
> >> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
> >> problem I see is that only one OSPF adjacency is up, between the active
> >> ASAs. I understand that this happens because OSPF is inactive on the
> >> standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would
> >> need to wait for the new OSPF adjacency between FW-2 and FW-3. Another
> >> issue I see is that if I play a little with "failover active" and "no
> >> failover active", this becomes completely broken: the ASAs start moving
> >> from active to standby without any pattern. I think this is because the
> >> ASAs in each pair don't see each other. Ok, this seems to be completely
> >> against the basic ASA Failover design. Each firewall must see its peer on
> >> the data interfaces.
> >>
> >> Can somebody tell me if this is possible to achieve ? The customer keeps
> >> telling me that there are other vendors that do this without any
> >> issues...
> >>
> >> Thanks.
> >>
> >> Regards,
> >>
> >> Antonio Soares, CCIE #18473 (R&S/SP)
> >> amsoares_at_netcabo.pt
> >> http://www.ccie18473.net
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >
>

Received on Sat Jan 14 2012 - 10:03:50 ART
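
Joe's email scripts that fire when a secondary ASA sits with its fo interface down, and Armin's split-brain point, both come down to watching `show failover` for the state where a unit is Active but can no longer see its peer. What follows is an added example written for this archive page; it is not code from any poster, from Cisco, or from the ASA API the top post asks about. It parses two hand-constructed samples of `show failover` text (the interface names, addresses and status wording are assumptions modelled on the command's format, not captures from a real device) and returns findings a monitoring script could mail out. How the text is collected from the ASA (SSH, syslog export, a management API) is left out.

```python
"""Flag failover-link loss / split-brain risk from Cisco ASA `show failover` text.

Added example for this mailing-list thread, not code from any poster or from Cisco.
Assumptions: the text is collected however you reach the box (SSH, syslog export,
a management API); the two SAMPLE_* strings below are constructed by hand to
resemble `show failover` output and are not captures from a device.
"""
import re
from dataclasses import dataclass

# Constructed sample: healthy pair, failover link up, peer in Standby Ready.
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface outside (198.51.100.1): Normal (Monitored)
                  Interface inside (10.0.0.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (198.51.100.2): Normal (Monitored)
                  Interface inside (10.0.0.2): Normal (Monitored)
"""

# Constructed sample: the 18-inch failover cable has died; this unit is still
# Active with healthy data interfaces but can no longer see its peer.
SAMPLE_LINK_DOWN = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
        This host: Primary - Active
                Active time: 7200 (sec)
                  Interface outside (198.51.100.1): Normal (Monitored)
                  Interface inside (10.0.0.1): Normal (Monitored)
        Other host: Secondary - Failed
                Active time: 0 (sec)
                  Interface outside (198.51.100.2): Unknown (Waiting)
                  Interface inside (10.0.0.2): Unknown (Waiting)
"""

_LINK_RE = re.compile(r"^Failover LAN Interface:\s*(\S+)\s+(\S+)\s+\((.+)\)\s*$")
_HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(.+?)\s*$")
_IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\): (.*?)(?: \(([^)]*)\))?\s*$")


@dataclass
class FailoverState:
    enabled: bool
    lan_link: str            # text inside the parentheses on the LAN Interface line
    this_role: str           # e.g. "Primary - Active"
    other_role: str          # e.g. "Secondary - Standby Ready"
    this_ifaces: dict        # interface name -> status word(s) as printed
    other_ifaces: dict


def parse_show_failover(text: str) -> FailoverState:
    """Pull out the fields a monitoring script cares about; ignore the rest."""
    enabled = False
    lan_link = this_role = other_role = ""
    ifaces = {"This": {}, "Other": {}}
    block = None                       # which host section we are inside
    for line in text.splitlines():
        if line.strip() == "Failover On":
            enabled = True
            continue
        m = _LINK_RE.match(line)
        if m:
            lan_link = m.group(3)
            continue
        m = _HOST_RE.match(line)
        if m:
            block = m.group(1)
            if block == "This":
                this_role = m.group(2)
            else:
                other_role = m.group(2)
            continue
        m = _IFACE_RE.match(line)
        if m and block:
            ifaces[block][m.group(1)] = m.group(2)
    return FailoverState(enabled, lan_link, this_role, other_role,
                         ifaces["This"], ifaces["Other"])


def assess(state: FailoverState) -> list:
    """Return human-readable findings; an empty list means nothing to alert on."""
    if not state.enabled:
        return ["failover is not enabled on this unit"]
    findings = []
    if state.lan_link.lower() != "up":
        findings.append(f"failover LAN link is '{state.lan_link}': "
                        "peer is unreachable over the failover link")
        if "Active" in state.this_role:
            # With the link gone this unit cannot tell whether the peer also
            # went Active; that is the split-brain case the thread argues about.
            findings.append("this unit is Active and cannot see its peer: "
                            "possible split brain, check the peer directly")
    for name, status in state.this_ifaces.items():
        if status != "Normal":
            findings.append(f"local monitored interface {name} is '{status}'")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("link down", SAMPLE_LINK_DOWN)):
        print(label, assess(parse_show_failover(sample)) or ["OK"])
```

Run it on both units of a pair, not just one: a unit whose failover link is down can only report that it cannot see its peer, so the split-brain verdict needs the second unit's output as well. Anything other than an empty list is what Joe's email alert would carry.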

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART