Failing over from one WAN connection to the other when a WAN connection fails is not what ASA failover means. The "failover" feature is designed to deal with hardware failure on an interface of an ASA. To use that particular feature, you must have two ASA units with identical hardware configurations so that one device can fail over to the other.
Simple WAN failover in a multi-homed network (you have two different upstreams, but use the same IP addresses for your servers) is normally done using a routing protocol. One possibility is to have some routers inside your LAN or outside your firewall that communicate with your upstream provider using the BGP protocol.
If a WAN connection fails, the BGP peer is lost and your router stops receiving and announcing routes over the failed WAN, so all your traffic gets routed to the remaining WAN connection, which is still advertising your IP address space.
If you have two WAN connections to one ISP, then this should be much easier to set up with your ISP (they can probably be asked to send all traffic destined for your IP addresses over the other link if you turn off the failed port).
With the right license, the ASA itself can actually learn routes on the outside interface using the OSPF protocol.
As for the ASA device failover feature:
If you have two WAN connections at your site, delivered over Ethernet, each of the failover ASAs should be connected to both WANs, and the interface used for a given WAN should be the same on the two ASA units.
One way to do this would be to have the WAN connections delivered to two switches, trunk the two switches together, and use a separate VLAN on the two switches for each WAN.
See this failover configuration example: http://6200networks.com/20
Plug port #1 on ASA #1 to Switch A (WAN A port)
Plug port #2 on ASA #1 to Switch B (WAN B port)
Plug port #3 on ASA #1 to Switch C (Failover LAN)
Plug port #1 on ASA #2 to Switch A (WAN A port)
Plug port #2 on ASA #2 to Switch B (WAN B port)
Plug port #3 on ASA #2 to Switch C (Failover LAN)
And use the same GigabitEthernet port on each ASA to connect the ASA to the same WAN.
In this manner you can actually eliminate single points of failure, as far as your own equipment is concerned.
So you can sustain a simultaneous failure of either WAN _and_ one of your ASAs, or of one of your switches and one ASA.
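As an added example (not part of the post above and not taken from any vendor document), here is what the primary unit's side of an Active/Standby failover configuration looks like when it is cabled the way the post describes. The port numbering (Gi0/0 = WAN A on Switch A, Gi0/1 = WAN B on Switch B, Gi0/2 = failover LAN on Switch C, Gi0/3 = inside), the interface names and every IP address are assumptions chosen for illustration; the syntax is ASA 8.x CLI.

```text
! Primary unit of an Active/Standby pair. The secondary unit needs only the
! "failover lan unit secondary", "failover lan interface", "failover link",
! "failover interface ip", "failover key" and "failover" lines; everything
! else is replicated to it over the failover link once the pair is up.
hostname asa-primary
!
interface GigabitEthernet0/0
 description WAN A (Switch A)
 nameif wan-a
 security-level 0
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
 no shutdown
!
interface GigabitEthernet0/1
 description WAN B (Switch B)
 nameif wan-b
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/2
 description Failover LAN + stateful link (Switch C) - no nameif here
 no shutdown
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Same physical port on both units carries the same WAN, so the active
! address and MAC move between units without any change on the switches.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Assumed shared secret; without a key, config replication (including
! passwords and keys) crosses the failover link in the clear.
failover key REPLACE-WITH-A-STRONG-SHARED-SECRET
failover polltime interface 5 holdtime 25
!
! Monitor every data interface so a dead WAN port, not just a dead box,
! triggers a switchover.
monitor-interface wan-a
monitor-interface wan-b
monitor-interface inside
!
! Enable failover last, after the interfaces above exist.
failover
```

Two checks worth doing before trusting the pair: `show failover` on both units should report the data interfaces as "Normal (Monitored)" rather than "Waiting" or "Failed", and pulling the cable on Gi0/0 of the active unit should move the active role to the other unit because that unit still sees WAN A. Keep the failover link on a switch or cable that carries nothing else, as the post's Switch C does, since anyone on that segment can read or inject failover traffic unless a key is configured.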
by: giltjr, posted on 2009-01-31 at 12:35:55 (ID: 23518380)
I have not worked with ASAs but I have worked with PIXes. In the PIX world, failover means that you have two PIXes and one is configured as a standby failover unit; if the primary fails (or any interface on the primary fails) the standby will take over. When set up in this environment, you need a second PIX with a failover license.
m/5208-1035-0.html?forumID=101&threadID=253556&messageID=2422845
I am not sure if this is the same with ASAs, but I am fairly sure it is.
So from an ASA's point of view, what you are doing is not really failover. What I think you need to do is set up the ASA to detect that one of the routes is no longer valid and to use a backup route.
I believe that if you go here:
http://techrepublic.com.co
you will see a setup that should provide you with what you need.
You want to look at the definitions for the interfaces outside and backup. On the outside interface you need to set up tracking.
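As an added example (my own, not from the post above or from the linked page), this is the static-route-tracking setup the post refers to: a primary default route that is withdrawn when an IP SLA probe out the outside interface stops getting replies, and a floating default route on the backup interface that takes over. Interface names follow the post (outside, backup); the interface numbering, gateway addresses, the probe target 192.0.2.10 and the pre-8.3 NAT syntax are assumptions chosen for illustration.

```text
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Probe a host beyond the ISP's gateway (assumed: 192.0.2.10), not the
! gateway itself: the directly attached next hop stays reachable while
! the ISP's upstream is dead, which is exactly the failure you want to catch.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability
!
! Primary default route: installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
! Floating static route: higher administrative distance, so it only
! becomes the active default route once the tracked route is withdrawn.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! NAT must exist for BOTH egress interfaces or inside hosts lose
! connectivity after the switch to backup. Pre-8.3 syntax (assumed for a
! 2009-era ASA); 8.3+ uses object NAT instead.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

To verify: `show sla monitor operational-state 1` shows the probe result, `show track 1` shows whether the tracked object is up, and `show route` should list the outside default route while the probe succeeds and the backup route (distance 254) only after it fails. Two practical caveats: pick a probe target that answers ICMP reliably and that you are allowed to poll every ten seconds, and remember that existing connections opened over the outside interface are not rerouted by this mechanism; they time out and are re-established via backup.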