Active / Standby ASA and port-channel to core switch

Started by Dieselboy, December 01, 2021, 10:00:29 PM


Dieselboy

I have encountered a single port channel from a Cisco switch that looks like it may channel to both active and standby ASAs (rather than be two separate port channels, one to each ASA). I've yet to confirm the physical cabling, in case the ports are incorrectly labelled. I don't have access to the ASAs and can't do a layer 2 trace from the switch because it's one logical cable.

From the switch perspective, it will load-balance across the 4 1GB links in the channel. If 2 of those links are going to the standby ASA then I expect the standby ASA to be receiving about half of the traffic being sent over the channel.

What is the standby ASA expected to do with that traffic? Will it drop or process?

deanwebb

If it's not active-active, I'd expect the standby to just do nothing with it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

As far as I know traffic hitting the standby ASA that is not addressed to the standby IP will be dropped. Are all the interfaces active, or are the ones going to the secondary in a suspended state? I don't know how the ASA handles the LACP system-id field, but I would assume they would be different between the active and standby ASA so the switch should only bring up interfaces to one of the ASAs.

-Otanx

icecream-guy

Good question. Is HA set up with a stateful connection along with the failover connection so the state table is shared?
Say .1 is primary active and .2 is secondary standby. I would expect any traffic hitting the .1, since primary is active.
Anything destined for .2 via a static route, for example, should be dropped since .1 is active. If connection statefulness is configured,
the standby unit should already know about most connections since the active shares the state table with the secondary; it might know the
state and pass traffic to the primary for processing over the state link? A capture on the firewalls should tell all:

capture capin interface inside match ip any any
capture capout interface outside match ip any any

show capture capin
show capture capout

One can do ethertype captures also if the L3 traffic doesn't show; I don't remember the command off the top of my head.
You can at least see what traffic is hitting the standby unit.

:professorcat:

My Moral Fibers have been cut.

Dieselboy

Thanks all, I really appreciate your replies to my cry for help :)

I would agree that if traffic for the primary IP is hitting the standby ASA, then it should be dropped.

All the LACP interfaces were up at the time. There is a possibility of misconfig on the port descriptions, and maybe it's a single chassis at the other end of the channel. I will find out eventually :)

Dieselboy

I went to site today and physically traced the cables. Indeed, I have a 4GB port-channel (4 physical interfaces) in up/up going to two separate ASA 5525X chassis. I don't have a login for the ASA itself:

per3850a-core-r1#sh etherc sum

50     Po50(SU)        LACP      Gi1/0/40(P) Gi1/0/41(P) Gi2/0/40(P)
                                 Gi2/0/41(P)

interface Port-channel50
description ASA Datalink
switchport trunk allowed vlan 903,2000-2099
switchport mode trunk
spanning-tree portfast trunk

interface GigabitEthernet1/0/40
description ASA-A G1
switchport trunk allowed vlan 903,2000-2099
switchport mode trunk
channel-group 50 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable

interface GigabitEthernet1/0/41
description ASA-B G1
switchport trunk allowed vlan 903,2000-2099
switchport mode trunk
channel-group 50 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable

interface GigabitEthernet2/0/40
description ASA-A G0
switchport trunk allowed vlan 903,2000-2099
switchport mode trunk
channel-group 50 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable

interface GigabitEthernet2/0/41
description ASA-B G0
switchport trunk allowed vlan 903,2000-2099
switchport mode trunk
channel-group 50 mode active
spanning-tree portfast trunk
spanning-tree bpduguard enable
With LACP, it would be down on both sides if a link was down?

I am physically decommissioning this switch tomorrow and replacing it with a 9300. I think I need to create a different port-channel interface ID with the same VLAN config so that there are unique channels going to unique external chassis from the switch stack.

This may be one of those odd cases where things had been working but shouldn't and because it has been working then no issues raised.
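The cabling check above was done by hand. The following is an added example (not posted by anyone in this thread and not a Cisco tool) that audits a switch running-config for the same condition: a single channel-group whose member interfaces, judging by their descriptions, land on more than one external chassis. It assumes the description convention used on this switch, "<device> <port>" (e.g. "ASA-A G1"), and treats everything before the last token as the device name; the embedded config is a constructed excerpt of the one shown above.

```python
import re
from collections import defaultdict

# Constructed sample config: Port-channel50 and its four members as shown in
# the thread. Member descriptions name two different chassis, ASA-A and ASA-B.
SAMPLE_CONFIG = """\
interface Port-channel50
 description ASA Datalink
 switchport trunk allowed vlan 903,2000-2099
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/40
 description ASA-A G1
 switchport mode trunk
 channel-group 50 mode active
!
interface GigabitEthernet1/0/41
 description ASA-B G1
 switchport mode trunk
 channel-group 50 mode active
!
interface GigabitEthernet2/0/40
 description ASA-A G0
 switchport mode trunk
 channel-group 50 mode active
!
interface GigabitEthernet2/0/41
 description ASA-B G0
 switchport mode trunk
 channel-group 50 mode active
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
DESCRIPTION_RE = re.compile(r"^\s*description (.+?)\s*$")
CHANNEL_GROUP_RE = re.compile(r"^\s*channel-group (\d+) mode (\S+)")


def parse_interfaces(config_text):
    """Return {interface: {"description", "channel_group", "mode"}} from IOS config text."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"description": "", "channel_group": None, "mode": None}
            continue
        if current is None:
            continue
        m = DESCRIPTION_RE.match(line)
        if m:
            interfaces[current]["description"] = m.group(1)
            continue
        m = CHANNEL_GROUP_RE.match(line)
        if m:
            interfaces[current]["channel_group"] = int(m.group(1))
            interfaces[current]["mode"] = m.group(2)
    return interfaces


def device_from_description(description):
    """Heuristic assumed by this example: description is '<device> <port>',
    so the device name is everything before the last whitespace token."""
    parts = description.split()
    return " ".join(parts[:-1]) if len(parts) > 1 else description


def members_by_channel_group(interfaces):
    """Group physical member interfaces by their channel-group number."""
    groups = defaultdict(list)
    for name, attrs in interfaces.items():
        if attrs["channel_group"] is not None:
            groups[attrs["channel_group"]].append(name)
    return {g: sorted(members) for g, members in groups.items()}


def find_split_channels(interfaces):
    """Return {channel_group: {device: [members]}} for every channel group whose
    members' descriptions name more than one device, i.e. a bundle that appears
    to be cabled to two separate chassis."""
    findings = {}
    for group, members in members_by_channel_group(interfaces).items():
        by_device = defaultdict(list)
        for member in members:
            by_device[device_from_description(interfaces[member]["description"])].append(member)
        if len(by_device) > 1:
            findings[group] = dict(by_device)
    return findings


if __name__ == "__main__":
    for group, by_device in find_split_channels(parse_interfaces(SAMPLE_CONFIG)).items():
        print(f"channel-group {group} spans {len(by_device)} devices:")
        for device, members in by_device.items():
            print(f"  {device}: {', '.join(members)}")
```

Run against a real `show running-config`, the script only flags what the descriptions claim; as the thread shows, the descriptions themselves can be wrong, so a finding is a prompt to trace the cabling (or compare LACP partner system IDs per member), not proof of a split bundle.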

icecream-guy


Dieselboy

Last update: this was no issue in the end. Apparently the customer is running them in "active/active ASA clustering" (not FTD).

I hadn't heard of or seen that before.