RE: ASA Failover Design Issue

From: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Date: Sat, 14 Jan 2012 00:02:04 -0500

Eh eh eh. That's by design (TM). No really, it's supposed to do that. It is
configured that way by default when you enable HA. Any ASA HA node will
fail over by default if at least 1 admin-up interface fails a monitor check
(like interface down) unless you change that parameter by using the
"failover interface-policy" command. You can say to only fail over if at least
[1-250] interfaces fail first or 1-100% of interfaces fail first. You could
also disable HA monitoring of that interface if you know it always goes up and
down and you don't want to fail over because of that. Or you could change the
status check timings to be more lenient (wait longer) but that's a global
change.

Anyways, Antonio seems to have his answer.
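As an added illustration of the three knobs described above (example configuration written for this archive, not from anyone in the thread; the unit role, interface names, VLAN and addresses are hypothetical), this is how they look on an ASA pair in Active/Standby mode:

```cisco
! Added example, not from the thread. Interface names (outside, inside, dmz,
! folink) and the 192.0.2.0/30 failover addresses are hypothetical.
!
! Basic Active/Standby failover. With nothing else configured the unit
! behaves as if "failover interface-policy 1" were set: one monitored
! interface failing its health check is enough to trigger a failover.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Option 1: require more than one monitored interface to fail before the
! unit declares itself failed. Takes a count (1-250) or a percentage (1-100%).
failover interface-policy 2
! failover interface-policy 50%
!
! Option 2: stop monitoring an interface that is known to flap, so it no
! longer contributes to the failover decision at all.
no monitor-interface dmz
!
! Option 3: poll interface health less aggressively. This is global for the
! unit. Defaults are a 5 second poll with a 25 second hold time; the hold
! time must be at least five times the poll interval.
failover polltime interface 15 holdtime 75
```

After applying any of these, `show failover` confirms the effect: it lists each interface as Monitored or Not-Monitored and reports the interface policy in effect for the unit, which is the first thing to check when a pair fails over for a reason nobody expected.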

-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Friday, January 13, 2012 7:21 PM
To: 'amirsepassi_at_ccgrp.com'; 'marco207p_at_gmail.com'
Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
Subject: Re: ASA Failover Design Issue

You just made my point.

Both ASAs fail when they BOTH have at least 1 down interface (regardless of
peer HA keepalive status).

Use a switch (or two) instead of cables between the ASAs to always have 1
healthy ASA, ok?

----- Original Message -----
From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
Sent: Friday, January 13, 2012 06:15 PM
To: Joseph L. Brunner; marco207p_at_gmail.com <marco207p_at_gmail.com>
Cc: amsoares_at_netcabo.pt <amsoares_at_netcabo.pt>; ccielab_at_groupstudy.com
<ccielab_at_groupstudy.com>
Subject: RE: ASA Failover Design Issue

I would call TAC because there is no such thing as preempt with A/S HA. The
only time your original ASA will try to be active is if something fails on
the secondary causing a failover. So what you are seeing is both your ASAs
failing.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Friday, January 13, 2012 3:54 PM
To: 'marco207p_at_gmail.com'; 'amirsepassi_at_ccgrp.com'
Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
Subject: Re: ASA Failover Design Issue

I'm sure he was responding to me... Sorry - but I'm in the realtime managed
services business for trading firms and power generation companies - we
simply can't have surprise issues.

I have replaced many 18 inch cables between pairs of ASAs lately. An ASA
with a failed interface will reset itself and try to return to its normal
state at random periods, possibly dropping connections. I have email scripts
I'll share with the group - we get email alerts when this happens on a
secondary ASA with its fo interface down because the primary is dead - and of
course our monitoring systems (and angry clients calling in) notice...

So an ASA with 1 failed interface, even fo, is no good for us.

Joe

----- Original Message -----
From: George J. Sanchez [mailto:marco207p_at_gmail.com]
Sent: Friday, January 13, 2012 03:49 PM
To: Armin Mirsepassi <amirsepassi_at_ccgrp.com>
Cc: Joseph L. Brunner; <amsoares_at_netcabo.pt> <amsoares_at_netcabo.pt>;
<ccielab_at_groupstudy.com> <ccielab_at_groupstudy.com>
Subject: Re: ASA Failover Design Issue

Armin, not sure which Joe you are addressing this to; if it is me, Joe Sanchez,
then I would say your tone and attitude are pretty nasty. I will not respond
any further.

Regards,
 Joe Sanchez

On Jan 13, 2012, at 12:49 PM, "Armin Mirsepassi" <amirsepassi_at_ccgrp.com>
wrote:

> Joe I am well aware how ASA HA behaves in most scenarios. My question to you
> was
>
> "Can you sanitize your "firewall to firewall data interfaces direct connect"
> setup from your customer and share it, because you are insinuating that it
> is possible to do that and have HA."
>
> I do not see how what Antonio's customer is stating as working can actually
> work. You keep insinuating that it can work because you have crappy
> customers that have it. So please don't be a tease and help a brother out
> with a config or explanation of the setup where it would work. You're not
> helping anyone out with just rhetoric.
>
> armin
>
> -----Original Message-----
> From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
> Sent: Friday, January 13, 2012 12:40 PM
> To: Armin Mirsepassi; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Nope... wrong...
>
> We use 2 switches, one on each ASA.
>
> The ASA with the perfectly healthy interfaces continues unencumbered with a
> down failover interface :)
>
> We are not talking about "most people"... his design was looking for
> failover... here's a question for you and let's see if you or anyone else
> gets it?
>
>
> What does an ASA do that has down interfaces itself, but does not see its
> failover neighbor?
>
> Now, tell me what you would rather have: 1 ASA (primary active or secondary
> active) with all interfaces healthy and up, but not able to see its neighbor
>
> -or-
>
> One or both ASAs with a down interface?
>
> (If you don't know what is going to happen to the traffic you should
> probably lab this up for 24 hours) :0)
>
> -Joe
>
> -----Original Message-----
> From: Armin Mirsepassi [mailto:amirsepassi_at_ccgrp.com]
> Sent: Friday, January 13, 2012 12:11 PM
> To: Joseph L. Brunner; marco207p_at_gmail.com
> Cc: amsoares_at_netcabo.pt; ccielab_at_groupstudy.com
> Subject: RE: ASA Failover Design Issue
>
> Joe, how does a switch remove your failure? You just moved your single point
> of failure to the switch. A switch failure causes the same issues as a
> direct connected cable failure (split brain scenario). You could have just
> as easily replaced the patch cable and you would be in the same risk
> scenario. Unless you're saying a complicated switch is less likely to have a
> failure than 4 strands of copper. The most common reason for direct
> connecting both the failover and state links is it's a cheap method of saving
> 4 ports in maxed out access switches in already crammed cabinets in already
> crammed data centers. It has its pros and cons in designs.
>
> You can throw in 2 switches, but you can't get around the fact that
> *monitored for HA* ports need to be able to send HA hello messages to each
> other, so you need to trunk the switches to carry all VLANs used by any
> *monitored* interfaces (and the state/failover VLANs). Hopefully, with more
> than one port to remove that single trunk port point of failure.
>
> However, most people use only one switch (on the access side) because most
> of the time your carriers only hand off one physical connection for a path.
> So in the end the switch that has that carrier is the single point of
> failure.
>
> And what do directly connected firewalls have to do with how EIGRP is
> (mis)configured on firewalls? So equivalently, are you saying if you
> directly connect 2 interfaces on 2 routers it won't work unless you throw in
> a switch between the 2 routers?
>
> Can you sanitize your "firewall to firewall data interfaces direct connect"
> setup from your customer and share it, because you are insinuating that it
> is possible to do that and have HA.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Joseph L. Brunner
> Sent: Friday, January 13, 2012 10:10 AM
> To: 'marco207p_at_gmail.com'
> Cc: 'amsoares_at_netcabo.pt'; 'ccielab_at_groupstudy.com'
> Subject: Re: ASA Failover Design Issue
>
> Have you ever had a customer fail over due to power loss or a bad cable and
> drop connections when the devices failed back and forth, all due to an 18 inch
> cable between the two firewalls' fo interfaces? Instead of using a switch?
>
> Know what we call that customer in my firm? "The Fortinet Customer" lol
>
> They got tired of these little issues before I could save the account for
> Cisco...
>
> Believe me I never just harp on the whitepaper or "what TAC supports" (I
> don't call TAC except for parts replacement) - but you don't want firewalls
> cabled directly together for many reasons...
>
> Another gotcha with the "firewall cabled to firewall" design and we saw this
> Tuesday - we had the same EIGRP route coming in via two interfaces - it
> chose an asymmetric way back and what do ASAs do with asymmetric paths?
>
> Block
>
>
> ----- Original Message -----
> From: George J. Sanchez [mailto:marco207p_at_gmail.com]
> Sent: Friday, January 13, 2012 08:36 AM
> To: Joseph L. Brunner
> Cc: Antonio Soares <amsoares_at_netcabo.pt>; Cisco certification
> <ccielab_at_groupstudy.com>
> Subject: Re: ASA Failover Design Issue
>
> Joe, I've also read this whitepaper and the ASA Cisco Press books that say
> the same thing, however this is not true. I've tested this many times and had
> other engineers test the same setup with positive results. With that being
> said TAC may not support the setup, but to this day I've never had a
> customer come back and indicate any problems with this design.
>
> Regards,
> Joe Sanchez
>
> On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com>
> wrote:
>
>>> I need help with this one. I have a customer asking me to connect two
>>> pairs of ASAs directly, without any switch in the middle. I never saw
>>> something like this and after a few hours playing with this setup, I'm
>>> almost giving up.
>>
>> This is why the CCDE exists... to vet bullsh*t designs from people that
>> really should not be designing... If you read the Cisco white paper on
>> failover it clearly says the design of failover is to use a switch to avoid
>> "both interfaces down the firewalls fo interface".
>>
>> I have done "all routed ASAs" but used load balancers in between also
>> running OSPF...
>>
>> Good luck.. bad design... probably not the results you want if you do
>> figure it out anyway...
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Antonio Soares
>> Sent: Thursday, January 12, 2012 6:53 PM
>> To: 'Cisco certification'
>> Subject: ASA Failover Design Issue
>>
>> Hello group,
>>
>> I need help with this one. I have a customer asking me to connect two
>> pairs of ASAs directly, without any switch in the middle. I never saw
>> something like this and after a few hours playing with this setup, I'm
>> almost giving up.
>>
>> Please check here the diagram:
>>
>> http://www.ccie18473.net/failover.jpg
>>
>> I'm running OSPF between the two pairs of ASAs in order to get maximum
>> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
>> problem I see is that only one OSPF adjacency is up, between the active
>> ASAs. I understand that this happens because OSPF is inactive on the standby
>> ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
>> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
>> is that if I play a little with "failover active" and "no failover active",
>> this becomes completely broken: the ASAs start moving from active to standby
>> without any pattern. I think this is because the ASAs in each pair don't see
>> each other. Ok, this seems to be completely against the basic ASA Failover
>> design. Each firewall must see its peer on the data interfaces.
>>
>> Can somebody tell me if this is possible to achieve? The customer keeps
>> telling me that there are other vendors that do this without any issues...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares_at_netcabo.pt
>> http://www.ccie18473.net
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>

Received on Sat Jan 14 2012 - 00:02:04 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART