Cisco ASA high availability questions

atorvenatorven Member Posts: 319
Got a few questions about Cisco HA active/standby setups, what happens if I force traffic to go through the secondary firewall by setting it as a default gateway? Will traffic be allowed to go through or will it be dropped?

About the config snippet below, will the active unit respond to the it's IP address as well as the standby IP address? The standby unit will do the same when it becomes active? How about when the standby unit is still in standby mode and you connect directly to it's LAN interface, will it respond to both addresses?
interface GigabitEthernet0/0
description internal network
mac-address 6854.bdd0.4a43 standby 6854.bdd0.4a44
nameif inside
security-level 100
ip address standby

Thanks guys.


  • mayhem87mayhem87 Member Posts: 73 ■■□□□□□□□□
    probably best in the ccnp security section but ill take a crack at it.

    "what happens if I force traffic to go through the secondary firewall by setting it as a default gateway"

    I believe this traffic is dropped however, have never tested it.

    "will the active unit respond to the it's IP address as well as the standby IP address"

    No the primary ip will for the active and secondary ip will allow access to the standby at that time. This should answer the rest of your questions. Basically whatever firewall goes active ends up taking the primary ip and that is how its reached. The standby will allow you access to the standby asa.
  • atorvenatorven Member Posts: 319
    Thanks mayhem87 - That is exactly what I was told by another firewall engineer. Also, I can confirm that the secondary firewall will drop traffic sent to it when it's still the standby. This confused me as it's quite different to how routers behave when running HSRP or the like.
  • apr911apr911 Member Posts: 380 ■■■■□□□□□□
    I believe there are some configurations you could do to force the secondary firewall to accept traffic and pass it along, but it wont do it natively.

    You are introducing an Asymmetric route into the environment (traffic leaves via the standby firewall but returns via the active) and SPI doesnt like that.

    You would basically have to turn off a lot of the built-in security functions and hack together a frankenstein config on the ASA in order to get it to work and still provide "security"

    In the end though, why would you want to route traffic in this manner? By routing through the standby, you now require both units to be online for your environment to work which means you aren't really HA anymore, in fact your environment now has a greater risk of failure.

    The key thing to remember with the ASA is its a security device first, route device second (over simplification). it cares about things like connection tracking, state, ACLs/SecLevels and reverse-path verification... In their base config they get a packet, check security levels and connection state, add/match to the connection table and then forward the packet.

    Routers are the opposite. They are a route device first, security device second (again over simplification). They dont care about connection tracking, state, ACLs/SecLevels or that the can route back to where the packet came from... In their base config they get a packet, forward a packet and forget about the packet.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
Sign In or Register to comment.