Configuring ASA failover
sofuca
Registered Users, Posts: 2
Hi All
Just a little bit of background info
We have 2 locations with a layer 2 fiber link between them both.
Both sites have their own internet connection and firewalls.
Both firewalls are as follows
Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
and are running
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
Both are configured with failover so if internet connection in building A stops working, building A firewall uses building B's internet connection.
The firewalls are also set up with failover.
So we now have redundancy for both internet and firewalls.
The problem comes when the monitoring doesn't work correctly.
We set it up so that the firewall pings 4.2.2.2 every 10 seconds and if it didn't get a response it'd fall over to the other building's internet connection. It then fell over about 3 times per hour, which meant that all the VPN tunnels and hosts connected were dropped.
Now it's configured to fall over after 2 pings, as so:
sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 2
frequency 10
sla monitor schedule 10 life forever start-time now
Anyway, to my question: given that we have two internet connections and two firewalls, can we not set up another rule in the firewall so that if the ping to 4.2.2.2 fails then it tries a different DNS server, and only after failing on both does it fail over? Can you set up two static routes if you only have one ISP gateway to send the pings to?
Please see attached picture - I blanked out the external IP addresses
Comments
-
eten
Member, Posts: 67
With IOS routers, you can set up two ip sla monitors with 2 different tracking objects to your different DNS servers. Then you would create your 3rd tracking object to get the result of the boolean AND operator of your first 2 objects.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean and
object 1
object 2
ip route 0.0.0.0 0.0.0.0 1.2.3.4 20 track 10
With ASA 8.4 (my version), they don't support this feature. I came across a thread where a workaround was posted, but have not implemented something like this before. Not sure if it works.
https://supportforums.cisco.com/thread/1004053
https://supportforums.cisco.com/thread/2178127
ASA1(config)# track ?
configure mode commands/options:
<1-500> Tracked object
ASA1(config)# track 10 ?
configure mode commands/options:
rtr Response Time Reporter (RTR) entry
ASA1(config)# track 10 rtr ?
configure mode commands/options:
<1-2147483647> Entry number
ASA1(config)# track 10 rtr 1 ?
configure mode commands/options:
reachability Reachability
ASA1(config)# track 10 rtr 1 re
ASA1(config)# track 10 rtr 1 reachability ?
configure mode commands/options:
<cr>
-
sofuca
Registered Users, Posts: 2
Fabulous, thanks for that. I'll test it out and then go live once I understand exactly what's going on.
Do you know if there is any way of configuring email alerts for when the connection falls over to the backup ISP, saving me having to log into the console and type sh track 1?
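An added example, not from this thread, covering the two operational points raised in it: the original post's complaint that failover flapped about 3 times an hour, and the last question about getting alerted when the tracked route fails over instead of logging in to run sh track. It parses syslog lines sent by the firewall or router, extracts track and tracked-route state changes, and flags any object that goes down more than a set number of times inside a sliding one-hour window. The syslog message shapes (%TRACK-6-STATE on IOS, %ASA-6-622001 on the ASA) and the sample lines are assumptions; check them against what your own devices actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message shapes below are assumptions from common Cisco syslog formats, not
# taken from the thread; adjust the patterns to what your devices emit.
HEAD = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
IOS_TRACK = re.compile(r"%TRACK-6-STATE: (?P<obj>\d+) .*?\b(?:Up|Down) -> (?P<new>Up|Down)")
ASA_ROUTE = re.compile(r"%ASA-6-622001: (?P<act>Adding|Removing) tracked route (?P<net>\S+ \S+) (?P<gw>[\d.]+)")

SAMPLE_LOG = [  # constructed sample lines, not real device output
    "Mar 10 09:00:05 asa-a %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, on interface outside",
    "Mar 10 09:02:10 asa-a %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, on interface outside",
    "Mar 10 09:15:40 asa-a %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, on interface outside",
    "Mar 10 09:31:00 asa-a %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, on interface outside",
    "Mar 10 09:48:00 asa-a %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, on interface outside",
    "Mar 10 10:20:00 rtr-b %TRACK-6-STATE: 10 list boolean and Up -> Down",
    "Mar 10 10:21:30 rtr-b %TRACK-6-STATE: 10 list boolean and Down -> Up",
    "Mar 10 10:22:00 rtr-b %SYS-5-CONFIG_I: Configured from console by admin",
]

def parse_event(line):
    """Return (timestamp, host, tracked object, 'up'|'down'), or None if unrelated."""
    head = HEAD.match(line)
    if not head:
        return None
    ts = datetime.strptime(head["ts"], "%b %d %H:%M:%S")  # year-less BSD syslog stamp
    if m := IOS_TRACK.search(line):
        return ts, head["host"], f"track {m['obj']}", m["new"].lower()
    if m := ASA_ROUTE.search(line):
        state = "up" if m["act"] == "Adding" else "down"
        return ts, head["host"], f"route {m['net']} via {m['gw']}", state
    return None

def flapping(lines, limit=3, window=timedelta(hours=1)):
    """(host, object) -> peak DOWN transitions inside any sliding window, for objects over `limit`."""
    downs = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        if ev[3] == "down":
            downs[ev[1:3]].append(ev[0])
    noisy = {}
    for key, stamps in downs.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop timestamps that fell out of the window
            if end - start + 1 > limit:
                noisy[key] = max(noisy.get(key, 0), end - start + 1)
    return noisy
```

Every event returned by parse_event with state "down" is a candidate for an email or ticket, and the flapping report tells you whether the probe itself is too sensitive before you trust those alerts.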