ASA5515x MCEC to two 3750X and two 4500X

Hi

I have a design wherein two ASA5515Xs (ASA1 and ASA2) are configured in multi-context mode. The ASAs' interfaces G0/1 and G0/3 respectively are connected to two 3750Xs for OUTSIDE traffic (Po1), and the ASAs' interfaces G0/0 and G0/2 respectively to two 4500Xs (configured as VSS) for INSIDE traffic (Po2). These physical interfaces are configured as EtherChannel.

Inside the two ASAs are two contexts, CTX1 and CTX2. CTX1 is active on ASA1 and CTX2 is active on ASA2. Above 3750X-SW1 I have a CE_ROUTER connected to G1/0/2, and below, 4500X-SW1 G1/1/2 is connected to InternalRTR.

Everything works fine until I encounter a failover on the OUTSIDE interface of CTX1, so CTX1's outside interface failed over to ASA2. After the failover, the BGP communication between CE_ROUTER and InternalRTR stopped (OpenSent/Active). I ran a packet capture inside CTX1 and there was no SYN/ACK or ACK from InternalRTR. Bi-directional ping was successful but BGP was not able to establish. But if I move InternalRTR to port G2/1/2 of 4500X-SW2, the BGP connection is able to establish.

My assumption on this issue is that it is the Multi-Chassis EtherChannel configuration of the ASAs to the two 3750Xs and 4500Xs. Am I correct? My questions are the following.

1. Does the ASA support MCEC?

2. It seems to me that somewhere along the port channels the BGP TCP packets were traversing the network asymmetrically. How do I mitigate this kind of issue?

3. What is the best-practice design for two ASAs (Active/Active configuration) to leverage the VSS technology in the 4500X and the StackWise technology in the 3750X?

Please advise, thank you in advance.

 

 

Comments

  • Hi,

       I don't understand what you mean by "until I encounter a failover on the OUTSIDE interface of CTX1, so CTX1's outside interface had failover to ASA2"; the whole context with all its interfaces is now associated with ASA2, not only the outside interface. Are you sure failover works correctly? Have you verified that? Does other traffic through the ASA work well after failover, apart from this BGP session?

       1. If the 3750s are in a stack and the 4500Xs are in VSS, then there is no MCEC, because from the ASA's point of view, even though it has links in the same channel connected to two different physical switches, those two physical switches have one common control plane, so all good.

       2. Do the ASAs run in transparent or routed mode? Asymmetric traffic can be fixed with ASR groups easily.

       3. The way you have it connected sounds just right.

    Regardless, you should always use VMACs for the failover.

    Cristian.
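
As an added example, not taken from the original post or from either participant, here is the shape of the configuration the reply above points to for the asymmetric-routing question (2) and the VMAC remark: ASR groups that tie the matching OUTSIDE and INSIDE interfaces of CTX1 and CTX2 together, and auto-generated virtual MACs so that a failover does not change the MAC address the switches and routers have learned. The interface IPs are the ones shown in the poster's "show failover group 2" output; the VLAN numbers, subnet masks, failover-link interface and addresses, config-url paths, failover-group assignment and the MAC prefix are assumptions made for the example.

```cisco
! Added example, not from the original thread. Assumptions: CTX1 joins failover
! group 1 and CTX2 joins failover group 2; each context gets its own VLAN
! subinterface of the shared port-channels (VLANs 10/20 outside, 110/120 inside);
! /29 masks; G0/4 carries both the failover and stateful links; MAC prefix 1000.

! ---- System execution space (identical on both units) ----
interface GigabitEthernet0/1
 channel-group 1 mode active
interface GigabitEthernet0/3
 channel-group 1 mode active
interface GigabitEthernet0/0
 channel-group 2 mode active
interface GigabitEthernet0/2
 channel-group 2 mode active
interface Port-channel1
 description OUTSIDE to 3750X stack
interface Port-channel1.10
 vlan 10
interface Port-channel1.20
 vlan 20
interface Port-channel2
 description INSIDE to 4500X VSS
interface Port-channel2.110
 vlan 110
interface Port-channel2.120
 vlan 120
!
! Virtual MACs: every context interface gets a stable active/standby MAC pair,
! so the MAC seen by CE_ROUTER and InternalRTR stays the same across a failover.
mac-address auto prefix 1000
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/4
failover link FOLINK GigabitEthernet0/4
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
failover
!
context CTX1
 allocate-interface Port-channel1.10 OUTSIDE
 allocate-interface Port-channel2.110 INSIDE
 config-url disk0:/CTX1.cfg
 join-failover-group 1
context CTX2
 allocate-interface Port-channel1.20 OUTSIDE
 allocate-interface Port-channel2.120 INSIDE
 config-url disk0:/CTX2.cfg
 join-failover-group 2

! ---- Context CTX1 (CTX2 is the same apart from its addresses) ----
! asr-group 1 on both contexts' outside and asr-group 2 on both contexts' inside:
! a reply that lands on CTX2's interface of the same group is matched against
! CTX1's connection table instead of being dropped as an out-of-state packet.
interface OUTSIDE
 nameif outside
 security-level 0
 ip address 172.16.31.10 255.255.255.248 standby 172.16.31.11
 asr-group 1
interface INSIDE
 nameif inside
 security-level 100
 ip address 172.16.31.17 255.255.255.248 standby 172.16.31.18
 asr-group 2

! ---- Verification after forcing the failover (exec mode, inside CTX1) ----
show failover group 1
show conn protocol tcp port 179
capture bgp interface inside match tcp any any eq 179
show capture bgp
show asp drop
```

ASR groups need stateful failover (the "failover link" above), and they only help when the return traffic arrives on the peer context's interface of the same group; a SYN/ACK that never reaches any interface of either unit is not something they can fix. So, on the newly active unit, check whether the BGP SYN created a connection at all with "show conn", and look at "show asp drop" and the capture before assuming an asymmetric path.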

  • Hi Cristian,

    Thanks for your reply. Yes, failover works fine; what I did was force the other FW to be the ACTIVE for that context, see "show failover group 2" below. I can ping the BGP peer, but BGP won't establish. The ASA runs in routed mode.

    Before failover.

    OS27-77G-FW03/pri/stby/77gsi.com# sh failover group 2

      Last Failover at: 20:11:29 PHT Jun 16 2015

      This host:    Primary
                    State:          Active
                    Active time:    252986 (sec)

                    TEST Interface OUTSIDE (172.16.31.10): Normal (Monitored)
                    TEST Interface INSIDE (172.16.31.17): Normal (Monitored)


      Other host:   Secondary
                    State:          Standby Ready
                    Active time:    6471062 (sec)

                    TEST Interface OUTSIDE (172.16.31.11): Normal (Monitored)
                    TEST Interface INSIDE (172.16.31.18): Normal (Monitored)

    After failover.


    OS27-77G-FW03/sec/act/77gsi.com# show failover group 2

      Last Failover at: 18:29:51 PHT Jun 19 2015

      This host:    Secondary
                    State:          Active
                    Active time:    2036 (sec)

                    TEST Interface OUTSIDE (172.16.31.10): Normal (Monitored)
                    TEST Interface INSIDE (172.16.31.17): Normal (Monitored)


      Other host:   Primary
                    State:          Standby Ready
                    Active time:    253083 (sec)

                    TEST Interface OUTSIDE (172.16.31.11): Normal (Monitored)
                    TEST Interface INSIDE (172.16.31.18): Normal (Monitored)

  • After failover, can you look up the session state for the BGP peering on the active ASA?

    Sent from my iPhone


    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • Can you share a simple diagram of the layout as well as the related configs on the switches? 

    Sent from my iPhone

  • Hi,

    Please see attached file.


    Regards,
    John Gregory G. de Jesus
