
Network Failover Redundancy Scenario – Two sites with two ASA Firewalls

Written By Harris Andrea

A few months ago I was involved in a project where we had to design a network redundancy scenario with two physically separate networks in two different buildings (the sites were a few kilometers away from each other).

The main requirement was to provide inbound Internet access to two server pools (Linux servers in a high-availability cluster). Traffic therefore flows from the Internet to the servers, which are protected by two Cisco ASA firewalls. The network has been implemented successfully and has been working well with no problems.

Let’s see the high level network diagram that we have designed below.

[Diagram: site network redundancy]

NOTE: In this article I will not provide all the details with configuration commands etc. The purpose is to describe the architecture designed in high level, so if you have any specific questions let me know in the comments section below this article.

Network Description

First of all, we decided on an Active/Standby approach for every element of the network. SITE1 is the active site and SITE2 the standby site. During normal operation, traffic flows from the Internet into the SITE1 network in order to reach “SERVER POOL A”.

Starting from top to bottom, let me describe the main features and elements of the network.

Routers R1/R2

The public interfaces of the routers are connected to the ISP for Internet access, and BGP runs between each router and the ISP network. Through the BGP attributes advertised to the ISP we arranged for SITE1 (R1) to be the preferred inbound path from the ISP, so R2 only receives the inbound traffic when R1's advertisement disappears.

A direct fiber link also runs between the two routers; it covers certain failure scenarios and helps the HSRP mechanism.

The internal interfaces of R1/R2 are connected to two switches (SW1 and SW3 respectively). Both internal interfaces sit in VLAN20, which is extended between the two switches, so they share one IP subnet.


HSRP is configured between routers R1 and R2 on their VLAN20 interfaces, with R1 as the active router of the HSRP group. Note that HSRP on its own only reacts to problems on the interface where it runs; if R1 should also give up the active role when its ISP-facing link fails, the HSRP group needs to track that interface.

A static route for the SERVER POOL subnet is configured on both routers, pointing to the active ASA outside IP address. Because ASA failover moves that address to whichever unit is active, the route stays valid after a firewall failover.
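As an added example (this is not configuration from the project in this article, which the author says he no longer has), here is how R1 and R2 could be configured for the roles described above: HSRP on the VLAN20 interfaces with R1 preferred, tracking of the ISP-facing interface so that R1 also steps down when its uplink fails, the static route to the ASA active outside IP, and a BGP session that makes SITE1 the preferred inbound path by prepending the AS path only on R2. All interface names, VLAN numbers, AS numbers (64496 to 64511 are reserved for documentation) and addresses (RFC 5737 documentation ranges, plus 10.20.0.0/24 for VLAN20) are assumed placeholders. The direct R1/R2 fiber link is not configured here because the article does not describe how it was used.

```cisco
! R1 (SITE1, preferred router). Example values only, not the project's config.
! Assumed: ISP link 198.51.100.0/30, VLAN20 10.20.0.0/24, HSRP VIP 10.20.0.254,
! ASA active outside IP 10.20.0.10, server pool prefix 192.0.2.0/24,
! our AS 64500, ISP AS 64496.
hostname R1
!
! Track the ISP-facing interface so that R1 gives up the HSRP active role
! when its uplink is down (HSRP alone would not notice that failure).
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description ISP uplink
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Internal - VLAN20 on SW1
 ip address 10.20.0.2 255.255.255.0
 standby version 2
 standby 20 ip 10.20.0.254
 standby 20 priority 110
 standby 20 preempt delay minimum 30
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HSRP-SECRET-CHANGE-ME
 standby 20 track 1 decrement 20
!
! Server pool is reachable via the ASA active outside IP. That address follows
! the active unit on ASA failover, so this route never needs to change.
ip route 192.0.2.0 255.255.255.0 10.20.0.10
!
ip prefix-list OURS seq 5 permit 192.0.2.0/24
!
router bgp 64500
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 description ISP-SITE1
 neighbor 198.51.100.1 prefix-list OURS out
!
! R2 (SITE2, standby router). Same structure; only the values below differ.
! Assumed: ISP link 198.51.100.4/30, R2 internal address 10.20.0.3.
hostname R2
!
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description ISP uplink
 ip address 198.51.100.6 255.255.255.252
!
interface GigabitEthernet0/1
 description Internal - VLAN20 on SW3
 ip address 10.20.0.3 255.255.255.0
 standby version 2
 standby 20 ip 10.20.0.254
 standby 20 priority 100
 standby 20 preempt
 standby 20 timers 1 3
 standby 20 authentication md5 key-string HSRP-SECRET-CHANGE-ME
 standby 20 track 1 decrement 20
!
ip route 192.0.2.0 255.255.255.0 10.20.0.10
ip prefix-list OURS seq 5 permit 192.0.2.0/24
!
! Same prefix, but prepended twice so the ISP prefers the path via R1 (SITE1)
! and only uses R2 when R1 stops advertising it. Prefixes not in OURS are
! dropped by the route-map's implicit deny, so nothing else can leak out.
route-map PREPEND-OUT permit 10
 match ip address prefix-list OURS
 set as-path prepend 64500 64500
!
router bgp 64500
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.5 remote-as 64496
 neighbor 198.51.100.5 description ISP-SITE2
 neighbor 198.51.100.5 route-map PREPEND-OUT out
```

With these values an R1 uplink failure drops R1's priority from 110 to 90, so R2 (priority 100, preempt enabled) takes the virtual IP at the same moment the ISP stops receiving the un-prepended advertisement from R1; inbound and return traffic therefore move to SITE2 together. The MD5 key matters here because VLAN20 now spans two buildings: without it, any host that reaches that VLAN could send HSRP hellos with a higher priority and take over the gateway address.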

Switches SW1/SW3

These are Layer 2 switches connected to each other by two fiber optic links. The two links are bundled into one PortChannel and configured as a trunk; trunk mode is required so that all VLANs (here VLAN20 and VLAN30) pass between the two switches, extending the same Layer 2 domains across the two buildings.

ASA1 and ASA2

The two ASA firewalls are configured in Active/Standby mode (ASA1 being the Active and ASA2 the Standby one).

Usually, when ASA firewalls are configured for failover, both units sit next to each other and the failover link is a direct cable. In our scenario we decided to place the two units in the two distant buildings. The failover links reach each other through the Layer 2 switches (SW1/SW3) and the trunked fiber links: as the diagram shows, both failover interfaces belong to VLAN30, so from the ASAs' point of view they are on one Layer 2 segment, exactly as if they were cabled back to back. Note that this makes the failover traffic (configuration replication and connection-state updates, which are sent in clear text by default) traverse a shared trunk between the buildings, so VLAN30 should be restricted to the two failover ports and the trunk, and a failover key should be configured so that the failover communication is encrypted.

Also note that the outside interfaces of ASA1/ASA2 belong to VLAN20 and the inside interfaces of the two ASAs belong to VLAN10, the same VLANs at both sites. Both the outside and the inside interface pairs therefore have Layer 2 connectivity, which the failover mechanism requires: the active unit's IP and MAC addresses move to the other unit on failover, and each unit monitors its peer over the data interfaces.

The ASA configuration has a default route pointing to the HSRP virtual IP on the internal (VLAN20) side of the R1/R2 router group.
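Here is an added example of the corresponding ASA Active/Standby configuration. It is not the project's configuration (the author states that the actual configs are not available), and all interface names, VLANs and addresses are assumed placeholders that match the ones used in the router example above: outside 10.20.0.0/24 with the HSRP virtual IP 10.20.0.254, inside 192.0.2.0/24 for the server pool, and 10.30.0.0/30 for the failover link in VLAN30. It shows the active/standby address pair on each data interface, the failover link carried over VLAN30 and protected with a failover key, interface monitoring on outside and inside (which is what makes the switch-failure scenarios in this article work), and a minimal inbound policy.

```cisco
! ASA1 (primary unit). Example values only, not the project's configuration.
! Assumed: outside VLAN20 10.20.0.0/24, HSRP VIP 10.20.0.254,
! inside VLAN10 192.0.2.0/24 (server pool), failover VLAN30 10.30.0.0/30.
hostname ASA1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.20.0.10 255.255.255.0 standby 10.20.0.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Dedicated failover interface: no nameif, it is owned by the failover commands.
interface GigabitEthernet0/2
 description Failover link (VLAN30 via SW1/SW3 trunk)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.30.0.1 255.255.255.252 standby 10.30.0.2
! The failover link crosses a shared trunk between buildings, so encrypt it;
! without a key, configuration and connection state cross VLAN30 in clear text.
failover key FAILOVER-SECRET-CHANGE-ME
! Unit hellos every second, peer declared failed after 5 s without them.
failover polltime unit 1 holdtime 5
! Data-interface hellos: a monitored interface that stays down for 5 s on the
! active unit (but is up on the standby) triggers failover. This is what moves
! the active role when SW1 or SW2 is powered off.
failover polltime interface 1 holdtime 5
monitor-interface outside
monitor-interface inside
failover
!
! Default route to the HSRP virtual IP, which moves between R1 and R2.
route outside 0.0.0.0 0.0.0.0 10.20.0.254 1
!
! Only the published services may enter from the Internet; everything else is
! denied and logged.
object-group service SERVER-POOL-SVCS tcp
 port-object eq https
access-list OUTSIDE-IN extended permit tcp any 192.0.2.0 255.255.255.0 object-group SERVER-POOL-SVCS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! ASA2 (secondary unit). Only the failover bootstrap is entered by hand; the
! interfaces, routes and access-lists above are replicated from the primary.
hostname ASA2
!
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.30.0.1 255.255.255.252 standby 10.30.0.2
failover key FAILOVER-SECRET-CHANGE-ME
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
failover
```

Once `failover` is enabled on both units the primary pushes its running configuration to the secondary, so the data-interface, route and access-list configuration is entered once on ASA1 only. `show failover` on either unit should report the peer as Standby Ready before any failover test is attempted; if the failover key or the FOLINK addressing differs between the units, the peers never synchronize and both stay active.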

Switches SW2/SW4

These are the internal Layer2 switches hosting the two SERVER POOLS as shown in the schematic diagram. Just like the other two switches on top (SW1/SW3), these two internal switches are connected with two fiber links which are configured as PortChannel and Switchport Trunk.
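The following is an added example of the switch configuration used by both switch pairs (SW1/SW3 on the outside and SW2/SW4 on the inside); it is not configuration from the project. Port numbers and VLAN names are assumed; the VLAN numbers are the ones from the diagram. The point it adds to the description above is VLAN hygiene on the inter-site trunks: each PortChannel carries only the VLANs that must be extended, the native VLAN is an unused one so untagged frames cannot land in a production VLAN, and the router/ASA edge ports are locked to a single VLAN with BPDU Guard.

```cisco
! SW1 (outside switch, SITE1). Example only; SW3 is configured identically.
! Assumed: ports 1/0/23-24 are the two fibers to SW3, 1/0/1 faces R1,
! 1/0/2 faces the ASA1 outside interface, 1/0/3 faces the ASA1 failover link.
hostname SW1
!
vlan 20
 name ASA-OUTSIDE
vlan 30
 name ASA-FAILOVER
vlan 999
 name UNUSED-NATIVE
!
! Bundle the two fibers with LACP; one fiber can fail without losing the trunk.
interface range GigabitEthernet1/0/23 - 24
 description Fiber to SW3
 channel-group 1 mode active
!
! Some platforms also need "switchport trunk encapsulation dot1q" here.
interface Port-channel1
 description Inter-site trunk to SW3
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 switchport nonegotiate
!
! Edge ports: one VLAN each, no DTP negotiation, no BPDUs accepted.
interface GigabitEthernet1/0/1
 description R1 internal (VLAN20)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description ASA1 outside (VLAN20)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! VLAN30 exists on exactly three ports per switch: this one, and the trunk.
interface GigabitEthernet1/0/3
 description ASA1 failover link (VLAN30)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! SW2 (inside switch, SITE1); SW4 mirrors it. Same PortChannel pattern, but
! only the ASA-inside/server VLAN is allowed across the trunk.
hostname SW2
!
vlan 10
 name ASA-INSIDE-SERVERS
vlan 999
 name UNUSED-NATIVE
!
interface range GigabitEthernet1/0/23 - 24
 description Fiber to SW4
 channel-group 1 mode active
!
interface Port-channel1
 description Inter-site trunk to SW4
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
```

Keeping VLAN30 off every port except the two failover ports and the trunk, and VLAN10/VLAN20 off the opposite switch pair, limits what an attacker who compromises one server or one switch port can reach: the failover channel in particular should only ever be visible to the two ASAs.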

SERVER POOLS

I don’t know much about the actual configuration of the two server groups, but I know that they are Linux based and use a Linux high-availability cluster configuration. Basically, they host the same services and are synchronized with each other.


Failover/Redundancy Scenarios

OK, I know that this is not a 99.999% failsafe network topology, but it is relatively simple to implement, it provides good redundancy and it works very well. The main residual risk is the inter-site PortChannels: every control channel between the sites (HSRP hellos on VLAN20, ASA failover on VLAN30 and the server cluster's synchronization on VLAN10) rides on the SW1/SW3 and SW2/SW4 fiber bundles, so if both fibers of a bundle were cut at once, each site could elect its own active router, firewall or server pool (a split-brain condition). The two fibers of each bundle should therefore follow physically diverse paths. Let’s see some failover scenarios and describe the traffic flow for each failover case.

NOTE: Since during normal operation all traffic flows through SITE1 devices, we will describe the failover cases whereby a network element of SITE1 has a failure.

1) Failure of Router R1

In this case the HSRP mechanism kicks in: R1 stops sending hellos, so after the hold time R2 becomes the active router and takes over the virtual IP and MAC address. ASA1 is unaffected and stays active, because its outside interface on SW1 is still up; traffic from R2 reaches it over the SW3/SW1 fiber trunk.

Traffic flow for this case: Internet –> R2 –> SW3 –> SW1 (through Fiber Links) –> ASA1 –> SW2 –> SERVER POOL A

2) Failure of switch SW1

If the whole switch fails (e.g. a power failure and the switch is off), two things happen at once: R1 loses its VLAN20 interface, so R2 becomes the HSRP active router, and ASA1 sees its outside interface (and its failover link) go down while ASA2's are still up, so interface monitoring makes ASA2 the active firewall.

Traffic flow for this case: Internet –> R2 –> SW3 –> ASA2 –> SW4 –> SW2 –> SERVER POOL A

3) Failure of Firewall ASA1

If ASA1 fails, then ASA2 will become Active:

Traffic flow for this case: Internet –> R1 –> SW1 –> SW3 –> ASA2 –> SW4 –> SW2 –> SERVER POOL A

4) Failure of switch SW2

If the whole switch fails (e.g. a power failure and the switch is off), ASA1 loses its inside interface while ASA2's is still up, so ASA2 becomes active. SERVER POOL A is isolated behind the dead switch, so the cluster fails over as well and SERVER POOL B becomes active.

Traffic flow for this case: Internet –> R1 –> SW1 –> SW3 –> ASA2 –> SW4 –> SERVER POOL B

I hope you have found the above useful. With some modifications and careful planning you can implement similar network topologies with even more complicated traffic flows.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. imran shahid says

    March 11, 2015 at 9:37 pm

    Thanks Harris. Would it be possible for you to provide the configs so we can see what and how the gears are working? I have known that there could be issues with HSRP and tracking the interfaces, plus I have come to situations where the design of failover itself is a challenge, especially when using ADSL links, probably to reduce cost. I would really appreciate it if you can put some more light on configs and also on failovers, especially of firewalls, and which interfaces to track would be really awesome.
    Thanks again
    Imran

  2. imran shahid says

    March 11, 2015 at 9:39 pm

    I mean which interfaces, in which scenario, we will track, starting from top to bottom.

    Thanks again

    Imran

  3. Josu says

    March 12, 2015 at 8:47 am

    Hi,

    thanks for sharing :)

    SOME RANDOM COMMENTS:
    – When I was working for a bank, one of the rules was that the broadcast domains don't go from datacenter to datacenter. Here you do it. That is of course easier to implement because the servers share the same broadcast domain, hence you don't worry too much about routing.
    – So I guess both server clusters, in both datacenters, are the same (one is a copy of the other, including L3), right?
    I wonder how the clients outside the internet talk to this server clusters. Perhaps you could illustrate just a bit about IP addressing.

    Congrats for a successful project!

  4. Harris Andrea says

    March 12, 2015 at 9:55 am

    Unfortunately I can’t provide the exact configs now. It was a project on which I don’t have access to the equipment now. However, the ASA failover configuration is the standard Active/Standby configuration (it doesn’t matter if the two devices are far away from each other).

  5. Harris Andrea says

    March 12, 2015 at 9:59 am

    Hi Josu,
    Yes you are right in terms of broadcast domains. In normal network designs you need to have separate Layer2 broadcast domains and hence separate Layer3 subnets etc. However in this case it was done intentionally so that the redundancy would be the same as having double equipment connected on the same switch in the same location.
    About the server clusters, yes they had the same Layer 3 subnet and they were copies of each other. There was one public class C subnet (e.g. 100.100.100.0/24) assigned to the servers and each one had its own DNS name.

  6. Josu says

    March 12, 2015 at 10:47 am

    Exactly, clustering is pretty much always limited to broadcast domains.
    Good job!

  7. Sahir says

    March 13, 2015 at 2:35 pm

    Hi,

    Great article, it would be great if you add an option to where we can save/download the articles as a pdf for future reference.

    Thanks
    Sahir

  8. Ethem says

    February 17, 2016 at 5:46 am

    Dear Harris,

    Many thanks for the article, I still have a question if you can enlighten me about it.
    I know that in the failover scenarios 1&3 ,the failover mechanism for the routers and firewalls will take the decision to shift or gear the traffic to the other firewall or router.
    here is my question, who is deciding and how to gear the traffic in both scenarios 2&4 when the switch is totally down?

    Thanks,
    Ethem

  9. Ethem says

    February 17, 2016 at 5:53 am

    Dear Harris,

    Many thanks for the helpful article, I still have a question if you could enlighten me about it.

    I know that in both failover scenarios 1&3 ,the failover mechanism in both the router and the firewall is taking the decision to gear or shift the traffic to the other firewall or router.

    My question is how and who is taking this decision (gear the traffic) in both scenarios 2&4 when the switch goes down completely?

    Thanks,
    Ethem

  10. Harris Andrea says

    February 17, 2016 at 2:34 pm

    Ethem,

    When a switch goes down completely, the physical interfaces of the routers and ASA will go down as well, therefore the failover mechanism of these devices will kick in and the peer unit will become active. Note that both the routers and ASA will fail-over if one of their interfaces goes down.

    Harris

  11. Ethem says

    February 18, 2016 at 4:16 am

    Many Thanks !!

    your answer is very clear and helpful

    Regards,
    Ethem

  12. Olivier says

    March 4, 2016 at 3:06 pm

    Hi Andrea,

    Many thanks for your design. I installed this week the same infrastructure as you mention in your article.
    I would say that it's working perfectly. I tested the failover and HSRP and yes, it works as it should.

    Cisco should put your design into their books.

    Regards
    Olivier

  13. Olivier says

    March 4, 2016 at 3:45 pm

    Hi Andrea,

    A question about the NAT. Let's say that I have a public subnet IP range. Actually, all public IPs end on my ASA and are NATed through it.

    Now that my ASA is no longer connected to the internet and you have the R1 router in between, this means that the public IP is configured on the outside interface of R1. The ASA outside interface will be configured with an IP address which belongs to VLAN 20, am I right?

    If so, should I have to recreate all my firewall NAT rules and change the IP of all objects that have a public IP to an IP belonging to VLAN 20?

    Thanks

  14. Harris Andrea says

    March 4, 2016 at 6:04 pm

    Hi Olivier,

    Yes, the ASA outside interface should be configured with an IP address belonging in VLAN20. Also, all the NAT rules need to be configured on router R1 instead of the ASA. You can remove all NAT rules from the ASA and apply only access-lists on the outside ASA interface. This of course assumes that the only public range is assigned on the outside of R1 and then you have private IPs everywhere else.

    Harris

  15. Andrew says

    August 12, 2016 at 4:46 pm

    Hello Andrea,
    I have been tasked to implement a new Edge Solution; this is my first time. Your design is along the lines of where I was going with mine. I have a few questions.
    Due to funding, I am only given 2 access switches. So one will be used for the outside and the other for the inside to ensure redundancy. Secondly, are your R1 and ASA1 to include standby path /30 addresses?

    So in short, both ext routers will have links to the outside access switch, with links to both FWs, and the inside will be the same.
    Finally, HSRP and track statements should be used, correct? Thanks

  16. Andrew says

    August 12, 2016 at 4:56 pm

    Also, besides the failover commands on ASA1/2, are there any other failover commands, i.e. ip address #.#.#.# .240 standby #.#.#.#, to be used to ensure failover, or are you just using basic /30 addresses on your inside and outside interfaces? Thanks

  17. Harris Andrea says

    August 14, 2016 at 1:48 pm

    Sorry I didn’t understand your exact questions.

    ASA failover is configured on both the outside and inside interfaces and you will need 2 IPs for the failover (one for each ASA unit). Also, the failover link needs two IP addresses on a different subnet.

  18. chawki dib says

    September 4, 2016 at 9:19 am

    Hi,

    Can you send us please the configuration?

  19. vivek says

    August 21, 2017 at 3:33 pm

    Hi,

    Can you send us please the configuration?

  20. Harris Andrea says

    August 21, 2017 at 4:38 pm

    sorry I don’t have the configs now.

  21. Jeff says

    August 31, 2017 at 5:29 pm

    Harris:
    How exactly was the fiber between R1 and R2 used?
    Thanks.
    Jeff

  22. Harris Andrea says

    August 31, 2017 at 6:46 pm

    Don’t remember exactly (it has been a long time) but after testing several failover scenarios that extra fiber helped to increase redundancy.

  23. sp says

    December 6, 2017 at 6:54 pm

    Can you please provide the config and details? It would help to try this in a lab.

  24. Harris Andrea says

    December 7, 2017 at 5:55 am

    In this project I was involved in the network design but not in the actual configuration of the devices so unfortunately I don’t have the actual configs.

  25. cham says

    April 4, 2018 at 1:53 am

    hi harris,

    i think this is a great topology with two distant sites with redundancies.
    would that be possible to provide the configs by any chance.. That would be really helpful.

    thanks
    cham

  26. Harris Andrea says

    April 4, 2018 at 4:21 am

    Cham,

    Unfortunately I don’t have the configs right now. Sorry about that.

  27. Simphiwe Mkhize says

    July 23, 2018 at 6:01 am

    Great article this is. I have a question as well, since I'm also involved in a project close to this design (ours is a bit complicated though, but I won't go into details now). When failing over to site2, do your servers use the same IP addresses, DNS, etc.? E.g. server1 (1.1.1.1) in site1 will be server1 (1.1.1.1) in site2?
    The challenge I have with the team I'm working with is that they are not on my side when I say servers should still keep the same configs on site2, but they are all agreeing that in a failover situation servers will use different IPs from site2, and I'm the only one in the team against this approach.

  28. Harris Andrea says

    July 23, 2018 at 7:47 am

    Hello,

    Yes, the servers will have the same IP address and DNS etc. As you can see from the diagram, the servers belong in the same Layer 2 VLAN (VLAN10) even if they are located in different buildings. The fiber links between the switches allow us to create trunks between the switches and thus have the same VLAN across.

    We have used Linux high availability cluster for the servers (they are Linux machines) so you have two machines having the same IP address.

    Harris

  29. Crunchy says

    November 24, 2018 at 9:31 pm

    Hi Harris,
    Thank you so much for this design, I think it should be suggested by Cisco.
    Anyway I have few questions:
    So the links of the FWs connected to the routers should each have their own IP address, right? (FW1 should have its own IP on VLAN 20 and FW2 too)?
    Is there a way to have only one IP address for the 2 FWs on VLAN 20 and have a MGT IP for each, making them a kind of cluster?
    Also, without a L2 switch connecting the FW to the routers, is this design possible? I mean, can we connect directly, for example, FW1 to R1 and FW2 to R2, and have HSRP on the routers and only 1 IP on VLAN20 for both FWs?
    Third question: the Active/Standby for the FW is configured only on the LAN side of the FW, right? I mean on VLAN 10, right?
    Thank you

  30. Harris Andrea says

    November 25, 2018 at 7:02 am

    Let me answer each question separately:

    1) Since the ASA firewalls are working as Active/Standby, you must assign 2 IP addresses on each interface of the ASA (one IP for the active interface and one IP for the standby interface belonging in the same subnet).

    For example, for the outside interface of Active ASA here is the command:
    ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2

    2) You need the Layer2 switches to provide layer2 connectivity between the outside interfaces of the ASA. In order for Active/Standby to work there must be layer2 connectivity between interfaces. So the switches are required.

    3) No, the Active/Standby is configured on BOTH outside and inside interfaces (vlan10 and vlan20).

  31. Crunchy says

    November 25, 2018 at 1:54 pm

    Ok Harris, thank you for the reply, so I guess I'm mixing it up with the Palo Alto deployment (see attached picture) https://ibb.co/C9VQXDX
    where you can see the 2 FWs are sharing the same IP address, so only the active FW will hold the IP, if my understanding is correct. But I'm still not sure about how the HSRP/VRRP between the upstream routers will flow.
    Thank you anyway

  32. Harris Andrea says

    November 26, 2018 at 5:24 am

    With the ASA, although there are 2 IP addresses assigned only one IP will be used (the one of the Active firewall). If the standby ASA becomes active then it will take the IP of the previously active ASA (so always the same IP will be used).

    The same works with the HSRP on the routers. Only one of the routers is active at anytime.
