Dual ISP - Cisco ASA HA Active/Standby

So a single ISP isn't cutting it anymore you need a backup just in case the primary fails and might as well add a second ASA into this design, more redundancy equals more up-time, right? On paper it sounds good but in the "real" world there probably is tipping point, more redundancy increases complexity. In this post we'll aim to keep it simple, with setting up a Cisco ASA HA active/standby pair and then add in the second ISP. Let's get started! So this is what our topology will look like all said and done, we have two firewalls and two different ISPs. The primary ISP is ISP-1 and the secondary ISP is ISP-2. We will always be using ISP-1 as the primary and won't be load balancing between the two. ISP-2 will only be used when ISP-1 goes offline. When ISP-1 comes back online we will switch back over to ISP-1.

ASA-HA

So let's first look at getting the ASA HA pair setup. In this example I have two ASA's that are the same hardware and software version, For the HA I have to be able to use two interfaces for the LAN failover and State link interface. I need to choose one ASA that will be the primary and one that is secondary. If you already have a configuration on one ASA, choose that as the primary. The secondary ASA just needs enough configuration so that you can get into it as the configuration gets overwritten on the secondary ASA from the primary.

1ASA-HA-1(config)# failover
2ASA-HA-1(config)# failover lan unit primary

Move to the secondary ASA

1ASA-HA-1(config)# failover
2ASA-HA-1(config)# failover lan unit secondary

Now I need to configure the interfaces each ASA will be using two interfaces and they are connected directly to each other. Configuration is the same across the two ASAs with the exception of the IP address make sure they are different and are in the same network. I like to use a completely different range of IP addresses that are not in my network or public IP networks, otherwise you get into trouble. ;) In this example I'm using the link local address RFC 3927.

1ASA-HA-1(config)# failover lan interface FAILOVER GigabitEthernet0/3
2ASA-HA-1(config)# failover key password
3ASA-HA-1(config)# failover link STATELINK GigabitEthernet0/4
4ASA-HA-1(config)# failover interface ip FAILOVER 169.254.255.1 255.255.255.252 standby 169.254.255.2

Once you have configured both ASAs the primary will sync its configuration to the secondary and you will now have an active/standby pair of ASAs. You can verify the status by issuing the command show failover. We now need to switch gears and configure our secondary ISP and modify the primary ISP interface (OUTSIDE-ISP-1). On the primary ISP we need to configure a standby IP address on the interface and it needs to be on the same network. So in this example the standby IP is going to be 198.51.100.5 which was available to use from our primary ISP. We also need to do the same thing on the our secondary ISP interface (OUTSIDE-ISP-2. In this example the IP address is 198.51.100.140. Below is running configuration for that, this would be synced to both firewalls since they are now in an HA pair.

 1interface GigabitEthernet0/0
 2nameif OUTSIDE-ISP-1
 3security-level 0
 4ip address 198.51.100.10 255.255.255.128 standby 198.51.100.5
 5!
 6interface GigabitEthernet0/1
 7nameif OUTSIDE-ISP-2
 8security-level 0
 9ip address 198.51.100.135 255.255.255.128 standby 198.51.100.140
10!

Once that is done we now need to configure these ASA's to only use the primary ISP. If the primary ISP fails we switch over to the secondary ISP, we are not load balancing between the two, its one or the other. To do that we need to track the route. On this network we have a default static route that points to the primary ISP's next hop address. In this example that is 198.51.100.1 the command to track that route.

1ASA-HA-1(config)# route OUTSIDE-ISP-1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1

This does not do anything yet, we are close but we also need to add another default route and point that to the secondary ISP.

1ASA-HA-1(config)# route OUTSIDE-ISP-2 0.0.0.0 0.0.0.0 198.51.100.129 254

Notice that I'm putting a distance metric on this route, this has a higher metric than the first default route so it won't be used until the primary route fails.

The track command will remove the primary route if it fails and then the ASA will install this the route in the routing table to switch over to the secondary ISP. We still have to configure some additional settings in order for this to work. We need to create an SLA on the ASA, in this example I'm using Google's Public DNS as a reachability test. If this was production setup I would probably use a system that I own instead of relaying one somebody else.

1ASA-HA-1(config)# sla monitor 10
2ASA-HA-1(config)# type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE-ISP-1 
3ASA-HA-1(config)# num-packets 5
4ASA-HA-1(config)# frequency 10

Create the schedule and reference the sla monitor number. We want this run forever (as long as the hardware lives) and we want to start it now.

1ASA-HA-1(config)# sla monitor schedule 10 life forever start-time now

We finally can create a track on this route

1ASA-HA-1(config)# track 1 rtr 10 reachability

If we look at show route we can see we are using the primary ISP

 1show  route
 2 
 3Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 4D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 5N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 6E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
 7i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 8ia - IS-IS inter area, * - candidate default, U - per-user static route
 9o - ODR, P - periodic downloaded static route, + - replicated route
10Gateway of last resort is 198.51.100.1 to network 0.0.0.0
11 
12S*       0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, OUTSIDE-ISP-1
13C        169.254.255.0 255.255.255.252 is directly connected, FAILOVER
14L        169.254.255.1 255.255.255.255 is directly connected, FAILOVER
15C        192.168.2.0 255.255.255.0 is directly connected, INSIDE
16L        192.168.2.50 255.255.255.255 is directly connected, INSIDE
17C        198.51.100.0 255.255.255.128 is directly connected, OUTSIDE-ISP-1
18L        198.51.100.10 255.255.255.255 is directly connected, OUTSIDE-ISP-1
19C        198.51.100.128 255.255.255.128 is directly connected, OUTSIDE-ISP-2
20L        198.51.100.135 255.255.255.255 is directly connected, OUTSIDE-ISP-2

If that link fails or if the reachability fails the ASA will change over to the secondary ISP. Looking at the show route confirms this

 1ASA-HA-1# show route
 2 
 3Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 4D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 5N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 6E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
 7i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 8ia - IS-IS inter area, * - candidate default, U - per-user static route
 9o - ODR, P - periodic downloaded static route, + - replicated route
10Gateway of last resort is 198.51.100.129 to network 0.0.0.0
11 
12S*       0.0.0.0 0.0.0.0 [254/0] via 198.51.100.129, OUTSIDE-ISP-2
13C        169.254.255.0 255.255.255.252 is directly connected, FAILOVER
14L        169.254.255.1 255.255.255.255 is directly connected, FAILOVER
15C        192.168.2.0 255.255.255.0 is directly connected, INSIDE
16L        192.168.2.50 255.255.255.255 is directly connected, INSIDE
17C        198.51.100.0 255.255.255.128 is directly connected, OUTSIDE-ISP-1
18L        198.51.100.10 255.255.255.255 is directly connected, OUTSIDE-ISP-1
19C        198.51.100.128 255.255.255.128 is directly connected, OUTSIDE-ISP-2
20L        198.51.100.135 255.255.255.255 is directly connected, OUTSIDE-ISP-2

That's all I got for this one, being able to switch between ISP automatically depending on reachability is an easy way to add additional redundancy, we don't have to have to two ASA's you could do this if you only had one ASA with two ISPs. I hope this information is helpful


Static Comments:

gs@plusline.de - That's just the routing part. You will have to do the source NAT of your inside prefix depending on the currently used ISP interface. But this is easy. Now try to set up the redundancy with native IPv6 from both providers.... no chance (regardless which method you might chose, DHCPv6-PD for inside, static prefix with 6to6NAT for inside, ...), you will hate the ASA for this.


Ryan - Yes your right and that was implied PAT/NAT would be enabled on this for this work on the outside interfaces, since its active/standby each ASA has both ISP interfaces on both of them so this is pretty easy setup. Never tired IPv6 on ASA ever! So I'll have to take your word ;) Might play around with that for.... fun. :| Ryan


bmdfisa101 - Thanks Ryan


Jay - Hi how would you achieve this on Cisco Firepower 1122 with HA enabled. not using FCM only FDM


Ryan - Hey Jay, It would be the same process, it looks like Cisco only recently introduced this feature in 6.5 for Firepower (Service Level Agreement (SLA) Monitor for static routes.) https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-get-started.html Hope this Helps. Ryan


Hemant - Hi Ryan, Need to know what happens to the connectivity for the devices which were using NAT from primary ISP, if primary ISP link goes down. Manually NAT to secondary ISP IP or what ? Thanks


Ryan - Hey Hemant, If the primary link goes down and it fails over to the secondary link your NATed IP will be from the secondary ISP, You would just create a NAT/PAT rule, So when you use the secondary ISP it will use that IP instead of the primary. OUTSIDE-ISP-2 would be the interface you would configure the NAT/PAT rule, just like you would with the OUTSIDE-ISP-1 interface. Hope that Helps Ryan