RE: ASA Failover Design Issue

From: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Date: Fri, 13 Jan 2012 18:15:31 -0500

I would call TAC because there is no such thing as preempt with A/S HA. The
only time your original ASA will try to be active is if something fails on
the secondary causing a failover. So what you are seeing is both your ASAs
failing.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Friday, January 13, 2012 3:54 PM
To: 'marco207p_at_gmail.com'; 'amirsepassi_at_ccgrp.com'
Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
Subject: Re: ASA Failover Design Issue

I'm sure he was responding to me... Sorry - but I'm in the realtime managed
services business for trading firms and power generation companies - we
simply can't have surprise issues.

I have replaced many 18 inch cables between pairs of ASAs lately. An ASA
with a failed interface will reset itself and try to become in its normal
state at random periods possibly dropping connections. I have email scripts
I'll share with the group- we get email alerts when this happens on a
secondary ASA with its fo interface down cause the primary is dead - and of
course our monitoring systems (and angry clients calling in) notice...

So an ASA with 1 failed interface even fo is no good for us.

Joe

----- Original Message -----
From: George J. Sanchez [mailto:marco207p_at_gmail.com]
Sent: Friday, January 13, 2012 03:49 PM
To: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Cc: Joseph L. Brunner; <amsoares_at_netcabo.pt>; <ccielab_at_groupstudy.com>
Subject: Re: ASA Failover Design Issue

Armin, not sure which Joe you are addressing this to; if it is me, Joe Sanchez,
then I would say your tone and attitude are pretty nasty. I will not respond
any further.

Regards,
 Joe Sanchez

On Jan 13, 2012, at 12:49 PM, "Armin Mirsepassi" <amirsepassi_at_ccgrp.com>
wrote:

> Joe I am well aware how ASA HA behaves in most scenarios. My question to
> you was
>
> "Can you sanitize your "firewall to firewall data interfaces direct
> connect" setup from your customer and share it, because you are
> insinuating that it is possible to do that and have HA."
>
> I do not see how what Antonio's customer is stating as working can
> actually work. You keep insinuating that it can work because you have
> crappy customers that have it. So please don't be a tease and help a
> brother out with a config or explanation of the setup where it would
> work. You're not helping anyone out with just rhetoric.
>
> armin
>
> -----Original Message-----
> From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> Sent: Friday, January 13, 2012 12:40 PM
> To: Armin Mirsepassi; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Nope... wrong...
>
> We use 2 switches, one on each asa.
>
> The ASA with the perfectly healthy interfaces continues unencumbered with
> a down failover interface :)
>
> We are not talking about "most people"... his design was looking for
> failover... here's a question for you and let's see if you or anyone else
> gets it?
>
>
> What does an ASA do that has down interfaces itself, but does not see its
> failover neighbor?
>
> Now, tell me what you would rather have, 1 ASA (primary active or
> secondary active) all interfaces healthy up, but not able to see its
> neighbor
>
> -or-
>
> One or both ASAs with a down interface?
>
> (If you don't know what is going to happen to the traffic you should
> probably lab this up for 24 hours) :0)
>
> -Joe
>
> -----Original Message-----
> From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
> Sent: Friday, January 13, 2012 12:11 PM
> To: Joseph L. Brunner; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Joe how does a switch remove your failure? You just moved your single
> point of failure to the switch. A switch failure causes the same issues
> as a direct connected cable failure (split brain scenario). You could
> have just as easily just replaced the patch cable and you would be in the
> same risk scenario. Unless you're saying a complicated switch is less
> likely to have a failure than 4 strands of copper. The most common reason
> for direct connecting both the failover and state links is it's a cheap
> method of saving 4 ports in maxed out access switches in already crammed
> cabinets in already crammed data centers. It has its pros and cons in
> designs.
>
> You can throw in 2 switches, but you can't get around the fact that
> *monitored for HA* ports need to be able to send HA hello messages to each
> other, so you need to trunk the switches to carry all vlans used by any
> *monitored* interfaces (and the state/failover vlans). Hopefully, with
> more than one port to remove that single trunk port point of failure.
>
> However, most people use only one switch (on the access side) because most
> of the time your carriers only hand off one physical connection for a
> path. So in the end the switch that has that carrier is the single point
> of failure.
>
> And what do directly connected firewalls have to do with how EIGRP is
> (mis)configured on firewalls. So equivalently, are you saying if you
> directly connect 2 interfaces on 2 routers it won't work unless you throw
> in a switch between the 2 routers?
>
> Can you sanitize your "firewall to firewall data interfaces direct
> connect" setup from your customer and share it, because you are
> insinuating that it is possible to do that and have HA.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joseph L. Brunner
> Sent: Friday, January 13, 2012 10:10 AM
> To: 'marco207p_at_gmail.com'
> Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
> Subject: Re: ASA Failover Design Issue
>
> Have you ever had a customer failover due to power loss or a bad cable and
> drop connections when the devices failed back and forth all due to an 18
> inch cable between the two firewalls' fo interfaces? Instead of using a
> switch?
>
> Know what we call that customer in my firm? "The Fortinet Customer" lol
>
> They got tired of these little issues before I could save the account for
> Cisco...
>
> Believe me I never just harp on the whitepaper or "what TAC supports" (I
> don't call TAC except for parts replacement) - but you don't want
> firewalls cabled directly together for many reasons...
>
> Another gotcha with the "firewall cabled to firewall" design and we saw
> this Tuesday - we had the same EIGRP route coming in via two interfaces -
> it chose an asymmetric way back and what do ASAs do with asymmetric paths?
>
> Block
>
>
> ----- Original Message -----
> From: George J. Sanchez [mailto:marco207p_at_gmail.com]
> Sent: Friday, January 13, 2012 08:36 AM
> To: Joseph L. Brunner
> Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification
> <ccielab_at_groupstudy.com>
> Subject: Re: ASA Failover Design Issue
>
> Joe, I've also read this whitepaper and the ASA Cisco Press books that say
> the same thing, however this is not true. I've tested this many times and
> had other engineers test the same setup with positive results. With that
> being said TAC may not support the setup, but to this day I've never had a
> customer come back and indicate any problems with this design.
>
> Regards,
> Joe Sanchez
>
> On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com>
> wrote:
>
>>> I need help with this one. I have a customer asking me to connect two
>>> pairs of ASAs directly, without any switch in the middle. I never saw
>>> something like this and after a few hours playing with this setup, I'm
>>> almost giving up.
>>
>> This is why the CCDE exists... to vet bullsh*t designs from people that
>> really should not be designing... If you read the Cisco white paper on
>> failover it clearly says the design of failover is to use a switch to
>> avoid "both interfaces down the firewalls fo interface".
>>
>> I have done "all routed ASAs" but used load balancers in between also
>> running OSPF...
>>
>> Good luck.. bad design... probably not the results you want if you do
>> figure it out anyway...
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Antonio Soares
>> Sent: Thursday, January 12, 2012 6:53 PM
>> To: 'Cisco certification'
>> Subject: ASA Failover Design Issue
>>
>> Hello group,
>>
>> I need help with this one. I have a customer asking me to connect two
>> pairs of ASAs directly, without any switch in the middle. I never saw
>> something like this and after a few hours playing with this setup, I'm
>> almost giving up.
>>
>> Please check here the diagram:
>>
>> http://www.ccie18473.net/failover.jpg
>>
>> I'm running OSPF between the two pairs of ASAs in order to get maximum
>> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
>> problem I see is that only one OSPF adjacency is up, between the active
>> ASAs. I understand that this happens because OSPF is inactive on the
>> standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would
>> need to wait for the new OSPF adjacency between FW-2 and FW-3. Another
>> issue I see is that if I play a little with "failover active" and "no
>> failover active", this becomes completely broken: the ASAs start moving
>> from active to standby without any pattern. I think this is because the
>> ASAs in each pair don't see each other. Ok, this seems to be completely
>> against the basic ASA Failover design. Each firewall must see its peer on
>> the data interfaces.
>>
>> Can somebody tell me if this is possible to achieve? The customer keeps
>> telling me that there are other vendors that do this without any issues...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares_at_netcabo.pt
>> http://www.ccie18473.net
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>

Received on Fri Jan 13 2012 - 18:15:31 ART
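Antonio's ASAs flipping between active and standby "without any pattern" and Joe's e-mail alerts both come down to watching the failover syslog stream. As an added example (not code from this thread or from any of its authors), the Python below flags a unit whose role changed several times inside a short window; the sample log lines are constructed, the message ids %ASA-1-104001/104002 and %ASA-1-105005 are real ASA syslog ids, and the line layout and text after each id are assumptions.

```python
"""Flag ASA failover flapping and lost-mate events in syslog output."""
import re
from datetime import datetime, timedelta

# Constructed sample (not from the thread). 104001/104002 = switching to
# ACTIVE/STANDBY, 105005 = lost failover communications with mate; the
# line layout and the text after each id are assumptions for this example.
SAMPLE_LOG = """\
Jan 13 2012 15:40:01 fw-1 %ASA-1-105005: (Primary) Lost Failover communications with mate on interface folink
Jan 13 2012 15:40:04 fw-1 %ASA-1-104001: (Primary) Switching to ACTIVE - no response from mate
Jan 13 2012 15:40:20 fw-1 %ASA-1-104002: (Primary) Switching to STANDBY - other unit wants to be active
Jan 13 2012 15:40:41 fw-1 %ASA-1-104001: (Primary) Switching to ACTIVE - no response from mate
Jan 13 2012 15:52:10 fw-1 %ASA-1-104002: (Primary) Switching to STANDBY - other unit wants to be active
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$")
SWITCH_IDS = {"104001", "104002"}  # role changes on this unit
LOST_MATE_ID = "105005"            # peer unreachable over the failover link

def parse(log):
    """Yield (timestamp, host, msgid, text) for each line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            yield ts, m["host"], m["msgid"], m["text"]

def events_by_host(log, ids):
    """Per host, sorted timestamps of the messages whose id is in `ids`."""
    out = {}
    for ts, host, msgid, _ in parse(log):
        if msgid in ids:
            out.setdefault(host, []).append(ts)
    return {h: sorted(t) for h, t in out.items()}

def find_flaps(log, min_switches=3, window=timedelta(minutes=1)):
    """Per host, return the first run of `min_switches` role changes that
    all fall inside `window` (sliding window over the sorted timestamps)."""
    flaps = {}
    for host, times in events_by_host(log, SWITCH_IDS).items():
        for i in range(len(times) - min_switches + 1):
            if times[i + min_switches - 1] - times[i] <= window:
                flaps[host] = times[i:i + min_switches]
                break
    return flaps
```

Pair `find_flaps` with `events_by_host(log, {LOST_MATE_ID})` to tell a flap caused by a dead failover link from one caused by a monitored data interface failing.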

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART