DNS Resolved after HSRP Active

Asked by raptorIT:

Hello,

I have a question concerning HSRP with redundant ISP providers.
We host an application and are researching the possibility of adding an additional ISP for redundancy.

If Cisco HSRP (routing protocol) becomes active, and the outbound traffic is tagged with a different WAN IP, that session should continue to remain connected.

My question is, what happens when a user resolves domain xyz.com on the net and the ISP who assigned the APP server its IP, is offline?

For a new inbound session, how will inbound traffic reach the APP server on the redundant circuit? I would assume this would have to be a layer 2 technology to point to a MAC address?

Maybe my illustration will help explain better (please see attachment).

I appreciate any help on this
[attachment: domain.jpg]

Cheever000:

I am not sure of the question here. If you are using HSRP on the outside, there is a 95% chance that you are using BGP, and the IP would not change in that case; the inbound traffic will route via BGP and ARP wouldn't play any part. ARP would only affect the single next-hop router.

giltjr:
Based on your diagram you have a single router, so why are you running HSRP? If you had 2 routers, then you could run HSRP on them.

I think your real question is how does ISP B send traffic to your location if the destination IP address is an address that ISP A assigned to you.

In that situation you need to have a full /24 and get an ASN for your company. Then you need to have ISP A and ISP B agree to do BGP routing. You can work with your two ISPs to figure out how you want to advertise routes back to your network.

raptorIT (asker):
Hello,

We are dual homed to ISP A using two ASAs running HSRP. The issue is ISP A is very unreliable.

I think you are correct on the full /24 and route advertisement. Surely this is a normal request ISPs receive?
I'm assuming we couldn't add the second IP of ISP B to the DNS registrar?

If you are not running BGP then you need to look at DNS failover services. There are plenty out there: DNS Made Easy, Dyn, even Amazon Route 53 if you wish. That way it detects if an IP is no longer active and will start serving the backup IP address with a very short TTL, sometimes down to 5 seconds. Note this isn't always honored, but it is functional and I know many companies that do this. But if you are running two ISPs and can set up BGP, that is the best way.

So you have two ASAs? One connected to ISP-A router #1 and one connected to ISP-A router #2? Will you keep that setup if you get a second ISP?

You could add the second IP address to DNS. However, here are the "gotchas":

1) DNS does round robin when you have 2 A records. So both IP addresses will be "live" and will be handed out when somebody does a name lookup for that host.

2) If one of the links goes down, then all connections to the IP address associated with that link will terminate. If you use a single IP address and BGP routing, then the connection may stay alive, as the same IP address can be used, just over the second link. Whether the connection stays alive will depend on the application and how long it re-tries sending packets. With BGP it could take 30-120 seconds for routing to the second link to become active, but the connections could stay alive. Users just get a delayed response.

3) Except for web browsers, when 2 IP addresses are returned from a lookup most applications only try the first one. So if you have a non-web-based application and one link goes down, users may not be able to connect. If you are doing e-mail, you can set up two MX records, one for hostA using the ISP-A address and one for hostB using the ISP-B address.

Routing through both ASAs at the same time becomes tricky, because the internal default route only points to a single gateway, so the return traffic will not always match the initial session and will fail the handshake test on TCP packets that ASAs like to do. So round robin is almost always out in this instance.
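The third gotcha above (most clients only try the first A record) is the failure mode a two-A-record setup depends on clients avoiding. As an added example, not code from any poster, here is a small client-side resolver-and-connect helper that tries every address DNS returns before giving up; the two addresses in it are constructed placeholders, and the connector is injectable so the fallback logic can be exercised without a live link.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the two A records DNS would hand out for "hostA",
# one per ISP. Placeholder documentation addresses, not the poster's.
SAMPLE_A_RECORDS = ["203.0.113.10", "198.51.100.10"]


def resolve_all(host: str, port: int) -> List[str]:
    """Return every address the resolver hands back, in order, without duplicates.

    A client that only looks at the first entry is the one that breaks when
    that entry's ISP link is down; collecting all of them is the prerequisite
    for any fallback."""
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def default_connector(addr: str, port: int, timeout: float) -> socket.socket:
    """Real TCP connect with a bounded timeout, so a dead link fails fast."""
    return socket.create_connection((addr, port), timeout=timeout)


def connect_with_fallback(
    addresses: List[str],
    port: int,
    timeout: float = 3.0,
    connector: Callable[[str, int, float], object] = default_connector,
) -> Tuple[Optional[str], object]:
    """Try each address in order and return (address, connection) for the first
    that answers. If every address fails, return (None, errors) where errors maps
    each address to the reason, so the caller can log the whole outage."""
    errors: Dict[str, str] = {}
    for addr in addresses:
        try:
            return addr, connector(addr, port, timeout)
        except OSError as exc:
            errors[addr] = str(exc)
    return None, errors
```

Python's own socket.create_connection(("hostA", port)) already iterates every getaddrinfo result the same way, which is the behaviour the poster says most non-browser applications lack.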
Hello, let me clarify the ASA setup: we have two ASAs, one on standby using the ASDM HA method and the other is our primary, which feeds to ISP A.

We want to add a second ISP (ISP B) to our primary ASA and standby ASA.
At that point is when we want to use HSRP for both ISPs from the primary ASA. The standby ASA will be configured with both ISPs as well.

My real concern was with the inbound sessions, and I think Cheever000 might have brought up a good point: I need to research the DNS failover services.

I found an article that matches my question, but there wasn't a clear answer.
https://supportforums.cisco.com/document/139051/dual-isp-implementation-asa
Scenario 4.

I appreciate everyone adding their suggestions.
I am not sure how HSRP applies to the ASA; it would be done on routers in front of the ASA. If you are going to run dual ISP on the ASA you are looking at IP SLA with route tracking. DNS failover would apply here.

Okay, that's where my knowledge with ASA is weak; I just assumed the ASA had the same routing functions as a router.

No, ASAs are not routers. Sometimes they play the part, but they really are not routers.

If you are running ASAs in HA Active/Standby mode, you are really not using HSRP.

Anyway, HSRP will not come into play in the situation you are talking about. HSRP is for when your device fails, not when your Internet connection fails.

Again, you don't really want to have "hosta" have 2 IP addresses if at all possible. You really want a single IP address, get an ASN and then work with your ISPs (current and new) to use BGP. That way the same, single IP address can be used over both Internet connections.

DNS failover can mean multiple things. If you are talking about changing the IP address dynamically on the fly, that means you have to have a low TTL in order to get the update out there as soon as possible. Having a low TTL is not a guarantee either; some caching DNS servers ignore the TTL and cache for anywhere between 24 and 72 hours no matter what.
Hi there,

Let me get this right.
You have a domain xyz.com published on the internet.
You have ASAs in HA where the internet links are terminated.
You now are planning to procure internet from ISP B since ISP A is having issues.

The concern here is that in case of ISP A failure, how would the web traffic switch to ISP B?

My queries:

i) Have you purchased your own AS / IP block that you have advertised with the ISP, or are these IP blocks provided to you by the ISP itself (the /24 that you refer to)?
ii) Are you using DNS failover services by any chance?

P.S.: HSRP would not come into the picture for incoming traffic.

Based on the replies to the above queries, we could guide you.
Thank you guys for all the input. The DNS services would assist us; however, after checking with our Dev team, it doesn't look like even that solution will work. Our application has static DNS entries with our customers, which leaves the DNS failover out.
Hi there,

Kindly elaborate on the below:

"Our application has static DNS entries with our customers, which leaves the DNS failover out."

In that case, an ISP failure means sure downtime for your clients, which clearly means business impact.

Correct, so I'm looking into other solutions, maybe an ISP that has a registered block of IPs for both on-premise and cloud, in which if the on-prem went offline, the cloud would be rerouted internally, requiring no failover services.
What type of failure are you trying to prevent/have recovery from?

Originally you seemed to be looking for a solution for the Internet connection failure by providing an Internet link from a second ISP. Again, a second link from another ISP using BGP will work.

Now you seem to be looking for a solution in case you have an application or server failure. For application/server failure, why not have a second server running another instance of your application and use a load balancer in front of it?

I can't think of a way that you can have an IP address that points to a private data center and to a cloud. It's either one or the other, not both. If you have an on-prem server and a cloud server, that normally requires dynamic-DNS-type load balancing. You have a "site" balancer like F5's GTM (now called DNS).
Hi Author,

Could you exemplify the below statement:

"maybe an ISP that has a registered block of IPs for both on-premise and cloud, in which if the on-prem went offline, the cloud would be rerouted internally, requiring no failover services."

My suggestion:

i) Opt for DNS failover services

OR

ii) Purchase your own IP block and selectively advertise it on the ISPs using BGP.