ASA Failover

Hi;

In configuring failover between two ASA 5500-X series ASAs, we assign different IPs to each interface on both ASAs; for example, we assign 1.1.1.1 to the inside interface on the primary ASA and 1.1.1.2 to the inside interface of the standby ASA. So if the ASA is going to be the default gateway, which of these IP addresses needs to be set as the clients' default gateway? Do we need to configure VRRP/HSRP on the ASA as well as the failover for this?

Comments

  • Hi.  In this case, you point traffic to the primary IP address.  If the primary (1.1.1.1) fails and the secondary (1.1.1.2) takes over, the secondary will adopt the IP (1.1.1.1) of the primary, and continue forwarding like nothing happened (assuming you have a link state interface in your failover config to sync the state table).  I believe the secondary in this case sends a gratuitous ARP or maps the MAC address of the primary to the secondary in the process to keep connected devices from getting into a WTF situation.  Note that this is basically how VRRP works, but I don't believe the ASA is running VRRP, but some proprietary mechanism.

    I hope that helps (I hope it is correct, also)

    -Lance

  • Thanks for your reply Lance. I searched the Cisco support page and found the doc. As you said, we need to set up the clients' GW to point to the primary ASA. On failover, the standby ASA will assume the IP/MAC addresses of the primary, so no interruption will occur in the passing traffic. If the primary ASA comes back, it will preempt the IP/MAC addresses again and this will be transparent to users. We can even set up virtual MACs on the ASA devices. I'm going to put the link here for reference:

    Configuring ASA Failover for High Availability
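To make the replies above concrete, here is the shape of an active/standby failover configuration on an ASA 5500-X. This is an added illustration, not configuration from the thread or from Cisco's documentation; only 1.1.1.1 and 1.1.1.2 come from the question, while the interface names, the failover link subnet, the shared key placeholder and the virtual MAC values are assumed. The point to notice is the `standby` keyword on the interface: the first address is the active address that clients use as their gateway, and the second is what the unit currently in standby answers on, so no VRRP/HSRP is involved.

```text
! --- Primary unit (assumed interface numbering) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! Active address first; whichever chassis is active owns 1.1.1.1,
 ! so clients point their default gateway at 1.1.1.1, never 1.1.1.2.
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
! Dedicated link carrying both failover hellos and state replication
! (the "link state interface" Lance mentions); subnet is assumed.
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
!
! Optional virtual MACs (assumed values) so 1.1.1.1 keeps the same MAC
! no matter which chassis is active, instead of borrowing the primary's
! burned-in MAC. Avoids a MAC change if the secondary ever boots alone.
failover mac address GigabitEthernet0/1 0000.5e00.0101 0000.5e00.0102
failover
!
! --- Secondary unit: only the bootstrap is entered; the rest replicates ---
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
!
! --- Verification on either unit ---
show failover
show failover state
```

`show failover` reports which unit is currently Active and whether the peer is Standby Ready, which is the check to run before trusting the pair. Because a failover moves 1.1.1.1 (and its MAC) between chassis with a gratuitous ARP, any ARP monitoring on the inside segment should expect that address to announce itself again at failover time; with virtual MACs configured the MAC behind 1.1.1.1 stays constant across the event.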
