Cisco ASA high availability theory - how to eliminate a single point of failure?

I'm interested in the high availability features of the ASA, in particular mitigating a failed ASA.

I am aware of the idea of two ASAs in active/standby failover configuration.  I also understand that the standby ASA assumes the IP addresses and MAC addresses of the active unit in a failover, and vice-versa.  Since the MAC and IP addresses are the same, the routing or ARP tables of devices in front of and behind the ASA(s) see no difference.

My question is how to further increase resiliency - since on the outside interfaces of the ASAs there would need to be a connection to a switch (one to each ASA), that switch is now the single point of failure.  Do users ever add redundancy to the switches in front of or behind that ASA?  For instance, a set of stacked switches?  I can't imagine there would be two ports from the same switch with one going into each ASA, as that defeats the purpose of a single point of failure, right?

Jeff C. (Network Engineer) commented:
A lot of deployments follow a standard design.  Cisco sometimes refers to them as 'validated designs'.  I've attached a link to the Internet edge validated design.

Generally Cisco ASA HA designs are deployed in pairs, like you mentioned, and will connect into (2) outside switches that are typically connected directly to each ISP, usually (2) ISPs.  These switches can be stacked or standalone.

Taking this one step further you get into Internet edge routers running BGP and advertising provider-independent address space - but that's another topic.

Pete Long (Technical Consultant) commented:
In the past I have used ISP failover, so each ASA has two Internet connections, and each ISP is on its own switch, so a switch can fail.

Then I've put Active/Standby firewalls behind those switches like so.

Or you can deploy two routers outside with HSRP.

ArchiTech89 (IT Security Engineer) commented:
The 'outside' interfaces in our HA pairs connect either to the core in some cases (layer 3), or to PE or CE routers. Yes, you'll want your 'outside', 'inside', and even 'dmz' interfaces going to redundant devices.

By the way, in my experience these failovers are as close to instantaneous as you can get. We set up constant ping to a public IP address and watched what happened during a failover. I think we missed just one ping, but I might be mistaken--I can't quite recall whether we didn't miss a single one. In any event, it was so smooth and quick that there was no service degradation, even with HTTP sessions on-going.

Very cool.

Mystical_Ice (Author) commented:
How about if it's still just one ISP, with one Ethernet handoff.  I guess in that case there will always be a single point of failure, but to further mitigate risk, how would that be handled?

ArchiTech89 (IT Security Engineer) commented:
Well, without knowing much about your network, I would say the inside interface goes to redundant "core" switches -- layer 3. Then they get routed wherever they need to go internally.

For the outside interface, you could set up dual switches -- even layer 2 switches -- which link to an edge router for your ISP upstream connection. In that case, if one of the outside interface links (to the switch) dies, the other one would still have a path to the router, and would cause the failover.

If they were dual layer 3 switches connected to the outside interface, you could set up a redundant router protocol between them and then connect that to the edge router.

If you don't have redundant links to your ISP, you pretty much have to face the fact that when that link goes down, so does the Internet. But it sounds like you're already there in your thinking anyway.

Does that make sense? Any other ideas out there?
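For readers who want to see how the mechanism discussed in this thread looks on the box, the following is an added ASA active/standby failover configuration (example config written for this page, not posted by any of the participants above). It shows the standby IP addresses the question mentions, a dedicated failover link, and interface monitoring, which is what turns a dead outside link to one switch into a switchover to the unit still connected to the other switch. Addresses are RFC 5737/1918 documentation space, and the interface numbering, hostname and switch layout are assumptions.

```text
! Primary unit of an ASA active/standby pair. The running config is
! replicated to the secondary automatically once failover is up.
hostname edge-asa
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! Active unit owns .2 and its MAC; standby answers on .3 so each unit
 ! can be reached separately. After a switchover the new active unit
 ! takes over .2 and the MAC, so the upstream router's ARP table
 ! does not change.
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.2 255.255.255.0 standby 10.10.0.3
!
! Failover + stateful link on its own interface. Use a direct cable or a
! dedicated VLAN; if it rides on one of the production switches, that
! switch becomes a single point of failure for the HA pair itself.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Shared key authenticates and encrypts hello/state traffic on FOLINK
! (placeholder value; set a real key on both units).
failover key REPLACE_WITH_SHARED_KEY
!
! Hello/hold timers: unit health is checked every second, interface
! health every second with a 5 s hold before an interface is declared
! failed.
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
!
! Interface monitoring is what makes a switch or cable failure matter:
! if the active unit's outside link (to outside switch A) goes down
! while the standby's outside link (to outside switch B) stays up, the
! standby has more healthy monitored interfaces and takes over. Two
! ports on the same switch would fail together and trigger nothing.
monitor-interface outside
monitor-interface inside
!
! Default route to the ISP router; with dual layer-3 outside switches
! running HSRP/VRRP this is the virtual gateway address.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

After both units are cabled, `show failover` lists each monitored interface as Normal, Waiting or Failed per unit, which is the quickest way to confirm that the outside links really are on different switches.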