ASA 8.4 transparent mode active/active questions
Hi, currently I'm trying to create a network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but I have some questions:
1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or, now more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (the contexts are in the same group but on different physical devices)?
2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
3. When implementing active/active load balancing with BVIs, do we still need to use multiple context mode?
Thanks for your replies.
Hello,
1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or, now more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (the contexts are in the same group but on different physical devices)?
You only need to configure ASR groups if your routing environment matches the scenario you outlined (a return packet arrives at the unit running the standby context).
2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
You can configure up to 8 bridge groups per context to achieve this.
3. When implementing active/active load balancing with BVIs, do we still need to use multiple context mode?
Active/Active failover is only possible in multiple context mode.
Hope that helps.
-Mike
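Added example (not from the thread, and not a Cisco reference config): a skeleton of the design asked about, showing the pieces Mike's three answers refer to: multiple context mode (required for Active/Active), a bridge group inside a transparent context, two failover groups, and an asr-group on the outside interface for the asymmetric-return case. Interface numbers, VLAN tags, context names and the 192.0.2.x/10.255.0.x addresses are constructed placeholders.

```cisco
! ===== System execution space (both 5585-X units; only "failover lan unit" differs) =====
mode multiple
firewall transparent               ! on 8.4 the firewall mode is set once here, for every context
!
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10     ! tenant A, inside side (VLAN numbers are constructed)
 vlan 10
interface GigabitEthernet0/1.20     ! tenant B, inside side
 vlan 20
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.110    ! tenant A, outside side: same IP subnet as VLAN 10, different tag
 vlan 110
interface GigabitEthernet0/2.120    ! tenant B, outside side
 vlan 120
!
failover
failover lan unit primary           ! "secondary" on the other chassis
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3          ! reuse the LAN link for stateful replication
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover group 1
 primary                            ! group 1 normally active on the primary chassis
 preempt
failover group 2
 secondary                          ! group 2 normally active on the secondary chassis
 preempt
!
context ctxA
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.110
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.120
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
! ===== Context ctxA (disk0:/ctxA.cfg); ctxB has the same shape with its own VLAN pair =====
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet0/2.110
 nameif outside
 security-level 0
 bridge-group 1
 asr-group 1                        ! same number on ctxB's outside: a return frame that arrives at the
                                    ! chassis where this context is standby is handed to the active peer
interface BVI1
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11   ! management address of the bridged subnet
!
! Transparent mode still enforces ACLs: permit only what the design needs (constructed example)
access-list OUTSIDE-IN extended permit tcp any 192.0.2.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
!
! Check from the system space: "show failover" should report group 1 Active and group 2
! Standby Ready on this host, and the reverse on the mate.
```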
Similar Messages
-
Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525-X) to accommodate a multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525-X firewalls.
The ASAs are going to be placed in the north-south traffic path between 2 routers, and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets (we are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers) I should be able to go up to a maximum of 50 VRFs (since the 5525-X only supports 200 VLANs).
I'm also planning to use the 2 ASAs in cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify the following with you guys..
1) Can I actually do this or am I missing something?
2) Are there any limitations that I might run into with this setup?
3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
Appreciate your input.
Thanks
Shamal
There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need of using NAT as long as you have a unique MAC address for each sub-interface.
Thanks -
Connectivity Issues Cisco ASA 5515 in Transparent Mode
Hi,
we're having problems with one transparent mode setup at a customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
Firewall-Info:
- ASA Version 9.1(2)
- Interfaces gi0/0 + gi0/2 without any interface errors
The ASA 5515-X is configured as a "bump in the wire". In general our setup is working, but since the installation of the firewall the customer faces the following connection issues, which do not occur without the firewall:
- Connections to SAP servers behind the MPLS begin to drop; all users affected
- Incoming monitoring sessions (ping/SNMP) from central management are facing ping timeouts and connection timeouts
- HTTP downloads stop. Customer: it will stop responding and the download will fail.
In general the customer describes it this way: "We do not have the best connection here, so once we connected the firewall all the problems are magnified"
I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all the settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
Should I try to reconfigure the default inspection as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
I attached a network plan and the firewall config; hopefully somebody has an idea. Of course I can provide additional information...
Best Regards
Sebastian
Hi Vibhor,
thanks for your reply. Does this also affect the traffic, even though the setting is set to "Monitor Only"?
Is it recommended to configure the default-inspection rule as a default setting?
Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2 Mbit connection.
ciscoasa# show asp drop
Frame drop:
Invalid encapsulation (invalid-encap) 10
First TCP packet not SYN (tcp-not-syn) 114
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 33
L2 Src/Dst same LAN port (l2_same-lan-port) 260
FP L2 rule drop (l2_acl) 2958
Interface is down (interface-down) 9420
No management IP address configured for TFW (tfw-no-mgmt-ip-config) 117
Dropped pending packets in a closed socket (np-socket-closed) 66
Thanks
Sebastian -
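Added reference for the question about restoring the factory inspection policy (this is not part of the thread and not the customer's config): the default global_policy as it ships on 8.4/9.1 code. Compare it against "show running-config all policy-map" on a fresh unit of the same release before pasting, since the exact inspect list can differ slightly between releases.

```cisco
! Factory-default inspection policy (8.4/9.1 era)
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
!
! A changed service policy takes effect for new connections as soon as it is entered; there is
! nothing to "reload" (existing connections keep the old policy until they close or are cleared).
! Checks that fit the symptoms in this thread:
!   show conn count               - current connections vs. the platform limit
!   show service-policy global    - per-inspection counters, confirms the policy is applied
!   show asp drop                 - sample twice over a fixed interval and compare deltas, not absolutes
```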
ASA 55xx in transparent mode - switch ARP table?
Guys,
It's a basic question about how transparent mode firewalls communicate with the connecting switches.
My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is that correct, or will it still replace the MAC address with the firewall's physical interface address to send the frame to the connecting switch?
e.g.
client--------->switch------->transparent 5510-------->switch---------->server
10.1.1.1 10.1.1.100
When the client sends the ARP to look up the hardware address of the server, what will it receive back?
The MAC address of the transparent ASA, or the server?
Thank you!
The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.
-
ASA 5510 in Transparent Mode-Guidelines.
Dear all,
I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
Let me know which of the following features configured on my firewall will have issues if converted to transparent mode:
1. static routes.
2. object-groups.
3. ACLs.
4. URL-filter (Websense).
5. IPS (I doubt this).
6. I have 3 data and 1 Mgmt interfaces.
7. syslog.
8. SNMP
I'm sure points 5 and 6 will have issues; need to confirm.
Need to confirm this by EOD (5 hours more).
Thanks in advance.
Shukla.
Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
In transparent mode the devices behind and in front of the firewall will be in the same IP subnet, as the firewall will be an L2 device!!
ACLs can be configured normally
syslog as well
object groups as well
Address translation is inherent when a firewall is configured for routed mode. Beginning with ASA 8.0, address translation can be used in transparent mode as well.
Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
Does not support QoS.
Inspects Layer 2 and higher packet headers.
As long as you can use
policy-map global_policy
then you can integrate with IPS, if you mean the AIP-SSM module.
Transparent is also known as a Layer 2 firewall or a stealth firewall, because its interfaces have no IP addresses and cannot be detected or manipulated. Only a single management address can be configured on the firewall.
In transparent mode, a firewall can support only two interfaces: the inside and the outside. If your firewall supports more than two interfaces from a physical and licensing standpoint, you can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are configured, the firewall does not permit a third interface to be configured.
Some platforms also support a dedicated management interface, which can be used for all firewall management traffic. However, the management interface cannot be involved in accepting or inspecting user traffic.
Configure a management address:
Firewall(config)# ip address ip_address subnet_mask
The firewall can support only a single IP address for management purposes. The address is not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself, accessible from either of the bridged interfaces.
The management address is used for all types of firewall management traffic, such as Telnet, SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
A transparent firewall can also support multiple security contexts. In that case, interface IP addresses must be configured from the respective context. The system execution space uses the admin context interfaces and IP addresses for its management traffic.
You do not have to configure a static route for the subnet directly connected to the firewall interfaces. However, you should define one static route as a default route toward the outside public network.
I wish I covered all your questions.
Good luck
If helpful, rate -
ASA Routed or Transparent mode
Hi ,
I am planning to deploy the ASA as an internal firewall, as all the inside and outside zones will have the same IP range. I am confused about its deployment. Can anyone help me decide on deploying it in routed mode or transparent mode?
Transparent.
Just the intro of the following file will answer your question:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml -
Cisco ASA 55XX Transparent mode VLAN traversing
Hello Cisco Forum Team!
In a scenario where the Cisco ASA is in transparent mode, is it possible to transmit L2 traffic from VLANs other than the native VLAN in which the management IP of the firewall resides?
The switches on the outside and inside interfaces of the ASA are in trunk mode, and I am trying to pass L2 VLAN traffic from inside to outside and vice versa using filters on the switches (switchport trunk allowed vlan).
Thanks in advance for your support and comments!
Yes it is possible, but you will be limited to 8 VLANs, or more accurately 8 BVI interfaces, so this is not a scalable solution. The catch is that you will need to have different VLANs for the same subnet at either end of the ASA.
To clarify this, let's say you are using interfaces Gig0/1 and Gig0/2. On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4. Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like "this VLAN is already configured on another interface"... I don't remember the exact error.
So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs... let's say... 5, 6, and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
Please remember to select a correct answer and rate helpful posts -
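The VLAN pairing described in the answer above, written out as an added example (not the poster's or Cisco's config): a single transparent context with three bridge groups, each joining one VLAN tag on Gig0/1 to a different tag on Gig0/2 for the same IP subnet, plus the ACLs a transparent ASA still needs. Interface names, the BVI addresses (RFC 5737 ranges) and the switch-side trunk lines are constructed.

```cisco
firewall transparent
!
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
! Bridge group 1: VLAN 2 on Gig0/1 <-> VLAN 5 on Gig0/2 (one IP subnet, two VLAN tags)
interface GigabitEthernet0/1.2
 vlan 2
 nameif in-vlan2
 security-level 100
 bridge-group 1
interface GigabitEthernet0/2.5
 vlan 5
 nameif out-vlan5
 security-level 0
 bridge-group 1
interface BVI1
 ip address 192.0.2.1 255.255.255.0        ! constructed; management address inside the bridged subnet
!
! Bridge group 2: VLAN 3 <-> VLAN 6
interface GigabitEthernet0/1.3
 vlan 3
 nameif in-vlan3
 security-level 100
 bridge-group 2
interface GigabitEthernet0/2.6
 vlan 6
 nameif out-vlan6
 security-level 0
 bridge-group 2
interface BVI2
 ip address 198.51.100.1 255.255.255.0
!
! Bridge group 3: VLAN 4 <-> VLAN 7
interface GigabitEthernet0/1.4
 vlan 4
 nameif in-vlan4
 security-level 100
 bridge-group 3
interface GigabitEthernet0/2.7
 vlan 7
 nameif out-vlan7
 security-level 0
 bridge-group 3
interface BVI3
 ip address 203.0.113.1 255.255.255.0
!
! A transparent ASA still filters: IP traffic needs an extended ACL, and non-IP protocols the
! switches exchange through the bridge (BPDUs, CDP, ...) need an EtherType ACL on each member interface.
access-list IP-IN extended permit ip any any       ! tighten to the flows each subnet actually needs
access-list L2-IN ethertype permit bpdu            ! keep spanning tree visible across the bridge group
access-group IP-IN in interface in-vlan2
access-group L2-IN in interface in-vlan2
access-group IP-IN in interface out-vlan5
access-group L2-IN in interface out-vlan5
! ... apply the same pair to in-vlan3/out-vlan6 and in-vlan4/out-vlan7
!
! Switch side: the trunk toward Gig0/1 carries only the inside tags, the trunk toward Gig0/2 only
! the outside tags, so the same subnet never appears with both tags on one switch:
!   switchport trunk allowed vlan 2-4     (ports facing Gig0/1)
!   switchport trunk allowed vlan 5-7     (ports facing Gig0/2)
```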
ASA Transparent Mode - Stateful Inspection
Hi Community,
I would appreciate any input others may be able to provide on the behaviour of the ASA when in transparent mode.
I have a few scenarios and am looking to confirm the stateful inspection behaviour for them.
By default I shall block all traffic.
1 - Flow initiated Inside to outside (Higher to Lower security interface)
- Rule on inside
2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
- Rule on Outside
- Appears to require rule on inside to allow response - No Stateful inspection
3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
- Rule on inside + App inspection
4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
- Rule on outside + App Inspection
- Appears to require rule on inside to allow response - No Stateful Inspection
The reference guide could do with some clarification around transparent behaviour.
Many thanks
Hello,
For a flow initiated on the inside to the outside you do not need an ACL on the outside for the returning traffic; that is the main idea of stateful inspection.
As long as you do not have any ACLs applied to the inside interface, this will be like this:
1 - Flow initiated Inside to outside (Higher to Lower security interface)
2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
- Rule on Outside
- Appears to require rule on inside to allow response - No Stateful inspection
3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
App inspection
4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
- Rule on outside + App Inspection
Regards, -
VRF issue with Firewall in transparent Mode.
Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running multiple VRFs between the router and the switch, and the BGP routing protocol. When they are connected directly to each other everything is normal; however, when I connect them via the ASA 5545 everything fails. I am using the ASA in transparent mode.
My question is: does the ASA require different settings in the case of VRF? If yes, then please give me a sample config.
I have taken the following output from the firewall; will this be any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7c69.f68f.df78, MTU 1500
IP address 175.4.8.35, subnet mask 255.255.255.248
8435 packets input, 680680 bytes, 0 no buffer
Received 8135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
8138 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/461)
output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
297 packets input, 118503 bytes
0 packets output, 0 bytes
297 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl) 297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type Model Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt ASA5545
ips ASA 5545-X IPS Security Services Processor ASA5545-IPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0 2.1(9)8 9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
ciscoasa#
I have created an EtherType ACL and permitted any traffic.
CDP traffic has passed through but I am still not able to ping :( -
Hi,
I need to know if the 5512X IPS will work if the ASA is in transparent mode and/or any limitations.
Thanks.
Hello,
Yes, it can definitely run in transparent mode.
An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP.
Regards,
Julio -
Asa in active/active vpn solution licensing question
Hello All
I have a customer with the following requirements:
1) A Cisco VPN solution that will support SSL VPN and Cisco Client VPN. The solution will be a failover configuration running in an active-active setup. The solution offered will be fully supported (i.e. it will not go into End of Life or a lower level of support etc.) by Cisco for the next 5 years.
a. We would expect the devices to be similar to the ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES (including ASA 5500 Advanced Endpoint ASS)
2) User licenses for the above. Please quote for both of the following:
a. 500 appropriate SSL VPN user licenses
b. 250 appropriate SSL VPN user licenses
I am quoting them for the 500 SSL VPN bundle
ASA5520-SSL500-K9 and for the
ASA5520-BUN-K9.
Is it right that in active/active with software 8.3 and above the 500 SSL VPN licenses will be shared between the 2 ASAs, or will I need to have 250 licenses on each ASA?
Also I have read that in active/active I cannot use shared licenses; is this relevant in a VPN solution?
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
The URL above has this: “The backup server mechanism is separate from, but compatible with, failover.
Shared licenses are supported only in single context mode, so Active/Active failover is not supported.”
Also “Failover Guidelines
• Shared licenses are not supported in Active/Active mode. See the "Failover and Shared Licenses" section for more information.”
I also need to purchase the
ASA-ADV-END-SEC and
ASA-AC-M-5520 (AnyConnect Mobile) as the VPN client is EOS/EOL.
Do I need to buy this for both ASAs or can they share them in active/active mode?
Thanks in advance.
Feisal
Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR, but I thought with the new code you could do some policy NAT that could help influence the outbound flow?
So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?
My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to ISP1 has an IP address from the same public address space..?
Is that incorrect?
Many thanks
Rays -
Asa active/active questions
If I have ASAs configured as active/active:
1. Is this situation treated as one? I mean, can I manage this only with IDM?
2. The 5520 can have 130,000 connections. If I am using 2 of these configured active/active, can I say that I have 130,000x2=260,000 connections?
Thanks.
1. In ASA, Active/Active can only be achieved when both ASAs are in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewalls. You can refer to the following configuration example.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
In your case, you need to create 2 contexts in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B, while in ASA-2 it should be standby for Context-A and active for Context-B. You should have a separate set of configuration for each context.
To manage the configuration, you can use ASDM.
2. I am sorry, I don't know that -
Can two ASA build up a loadbalance such as active/active mode ?
Hi, Professionals
I am wondering if two ASAs are able to build up a load balance such as active/active mode and balance the traffic?
Thanks in advance,
Yang
Yes, running the ASAs in active/active is so you can load balance traffic. Here's a link with more information.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Hope it helps. -
How to tell if Active/active or Active/Standby mode is configured?
Folks:
I am still learning the output of my running config, but how do I tell if my firewall is set to Active/Active or Active/Standby mode?
In addition, how do I tell if it uses regular or stateful failover mode?
Thank you
I wanted to provide this as well, since I found it and it also helped me answer my question.
This output shows Active/Active failover output.
**Note** it says PIX; however, I believe it will be the same output for ASA.
PIX1(config-subif)#show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: LANFailover Ethernet3 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Group 1 last failover at: 06:12:45 UTC Apr 16 2007
Group 2 last failover at: 06:12:43 UTC Apr 16 2007
This host: Primary
Group 1 State: Active
Active time: 359610 (sec)
Group 2 State: Standby Ready
Active time: 3165 (sec)
context1 Interface inside (192.168.1.1): Normal
context1 Interface outside (172.16.1.1): Normal
context2 Interface inside (192.168.2.2): Normal
context2 Interface outside (172.16.2.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 3900 (sec)
context1 Interface inside (192.168.1.2): Normal
context1 Interface outside (172.16.1.2): Normal
context2 Interface inside (192.168.2.1): Normal
context2 Interface outside (172.16.2.1): Normal -
Multiple context mode and Active Active
Hi Everyone,
ASA in multiple context mode works in active/active mode.
ASA has 2 contexts, admin and x.
We have 2 physical ASAs, say ASA1 and ASA2.
Under the system context we have hostname ASA.
When I SSH to ASA1 it brings up the ASA/admin prompt.
sh failover shows
This host: Primary
When I try to log in to ASA2 it brings me to the ASA/x prompt.
sh failover shows
This context: Active
Peer context: Standby Ready
Need to know: is there any way that I can log in to the other physical ASA?
I hope my question makes sense.
Message was edited by: mahesh parmar
Hi Mahesh,
To me it seems that you are logging in to different contexts in these 2 cases.
Normally an admin always logs in to the "admin" context IP address, owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
So what I would suggest you do first is go to the context "admin" and issue the command "show run interface".
Then go to the context "x" and issue the command "show run interface".
Now check the IP addresses on the interfaces.
Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally led you to the "admin" context.
For example
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
If the above were true, you would connect to the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit.
- Jouni