Cisco ASA firewall advice: Using ASA 8.4 for stateful failover in DRP

In his series offering Cisco ASA firewall advice, Fast Packet blogger Brandon Carroll explains the new Cisco ASA 8.4 feature, Stateful Failover with Dynamic Routing Protocols.

Fast Packet blogger Brandon Carroll offers Cisco ASA firewall advice. In his last blog, Carroll gave command line tips for Cisco ASA and BGP peering problems. In this entry, Carroll discusses the use of Cisco ASA firewalls for Stateful Failover with Dynamic Routing Protocols (DRP).

When you're using an ASA pair for failover, a standby unit takes over when the primary unit fails. In this situation the standby unit assumes the IP and MAC address of the active unit. If you're running routing protocols, you'll notice that OSPF (Open Shortest Path First) and EIGRP (Enhanced Interior Gateway Routing Protocol) are forced to re-establish their adjacencies. Because of this behavior you end up with long convergence times and flapping routes. ASA 8.4 introduces a feature that addresses this issue.

Stateful Failover with Dynamic Routing Protocols: Cisco ASA 8.4

In Cisco ASA version 8.4, a new feature known as Stateful Failover with Dynamic Routing Protocols (DRP) takes care of this for us. 

Stateful failover works with the routing protocols and syncs the routing information between the failover devices. This information is stored in a Routing Information Base (RIB) table that exists on the standby unit. 

When a failover event occurs, packets travel normally because the secondary ASA, which now goes active, has rules that are identical to that of the primary ASA. As soon as the failover occurs, the sequence or epoch number for the RIB increments and a re-convergence timer starts on the newly active unit.

Next, the newly active unit forms an adjacency with the peer routers and learns routes from those peers. These routes are likely the same as the routes that were already learned through stateful failover; however, they are still placed in the routing table with the updated epoch number, replacing the old routes that came from the previous active device. In other words, out with the old and in with the new.

You can verify that routing information is being sent between failover devices using the show failover command. From the Route Session line of the output below you can see that routing updates have been transmitted (xmit) and received (rcv) between the active and standby devices, with no errors in either direction. After that, we can verify the routing table itself:

ciscoasa(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Unit Poll frequency 300 milliseconds, holdtime 900 milliseconds
......
......
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/0 (up)
        Stateful Obj          xmit       xerr       rcv        rerr
        General               2870       0          2644       0
        sys cmd               2572       0          2572       0
        up time               0          0          0          0
        RPC services          0          0          0          0
        TCP conn              0          0          0          0
        UDP conn              0          0          0          0
        ARP tbl               242        0          33         0
        Xlate_Timeout         0          0          0          0
        IPv6 ND tbl           0          0          0          0
        VPN IKEv1 SA          0          0          0          0
        VPN IKEv1 P2          0          0          0          0
        VPN IKEv2 SA          0          0          0          0
        VPN IKEv2 P2          0          0          0          0
        VPN CTCP upd          0          0          0          0
        VPN SDI upd           0          0          0          0
        VPN DHCP upd          0          0          0          0
        SIP Session           0          0          0          0
        Route Session         56         0          39         0
        SIA data              0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       4304
        Xmit Q:         0       1       23765

If we use the show route failover command, we can see the sequence (epoch) number of the routing table, whether the re-convergence timer has expired, and the sequence number each individual route was installed under.

ciscoasa(config)# show route failover
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.104.54.129 to network 0.0.0.0

Routing table seq num 5
Reconvergence timer expired
D    20.20.210.0 255.255.255.0   [90/28416] via 192.101.1.30, 0:13:14, outside, seq 5
D    20.20.249.0 255.255.255.0   [90/30976] via 192.101.1.30, 0:13:14, outside, seq 5
D    20.20.250.0 255.255.255.0   [90/33536] via 192.101.1.30, 0:13:14, outside, seq 5
O IA 172.198.40.0 255.255.255.0  [110/30] via 192.168.32.2, 0:12:37, inside, seq 5
O IA 172.168.34.0 255.255.255.0  [110/20] via 192.168.32.2, 0:12:37, inside, seq 5
O IA 172.188.36.0 255.255.255.0  [110/30] via 192.168.32.2, 0:12:37, inside, seq 5
O IA 172.16.30.0 255.255.255.0   [110/20] via 192.168.32.2, 0:12:40, inside, seq 5
C    10.104.54.0 255.255.255.0 is directly connected, mgmt, seq 4
C    192.101.1.0 255.255.255.0 is directly connected, outside, seq 5
C    192.168.253.0 255.255.255.0 is directly connected, failover, seq 0
C    192.168.32.0 255.255.255.0 is directly connected, inside, seq 5
S*   0.0.0.0 0.0.0.0 [1/0] via 10.104.54.129, mgmt, seq 5
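The two checks described above (route updates flowing over the failover link, and every dynamic route carrying the current routing-table sequence number) are easy to automate once you have captured the command output, for example from a scheduled post-failover health check. The following script is an added example, not code from the article or from Cisco: it parses the Route Session counters out of show failover and the per-route seq values out of show route failover and flags dynamic routes still tagged with an older epoch. The sample text embedded in it is constructed from the article's own output, abridged. One assumption is ours: connected (code C) routes are derived from local interface state, so they are excluded from the staleness check; the sample shows the mgmt and failover connected routes at seq 4 and seq 0 without that indicating a problem.

```python
import re

# Constructed sample: abridged from the article's "show failover" output.
SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/0 (up)
Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/0 (up)
        Stateful Obj          xmit       xerr       rcv        rerr
        General               2870       0          2644       0
        sys cmd               2572       0          2572       0
        ARP tbl               242        0          33         0
        Route Session         56         0          39         0
"""

# Constructed sample: abridged from the article's "show route failover" output.
SHOW_ROUTE_FAILOVER = """\
Gateway of last resort is 10.104.54.129 to network 0.0.0.0
Routing table seq num 5
Reconvergence timer expired
D    20.20.210.0 255.255.255.0   [90/28416] via 192.101.1.30, 0:13:14, outside, seq 5
O IA 172.16.30.0 255.255.255.0   [110/20] via 192.168.32.2, 0:12:40, inside, seq 5
C    10.104.54.0 255.255.255.0 is directly connected, mgmt, seq 4
C    192.168.253.0 255.255.255.0 is directly connected, failover, seq 0
C    192.168.32.0 255.255.255.0 is directly connected, inside, seq 5
S*   0.0.0.0 0.0.0.0 [1/0] via 10.104.54.129, mgmt, seq 5
"""

# One "Stateful Obj" statistics row: name, then four integer counters.
STAT_RE = re.compile(
    r"^\s*(?P<obj>[A-Za-z][A-Za-z0-9_ ]*?)\s{2,}"
    r"(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)\s*$"
)

# One route line: code(s), network, mask, anything, ", <iface>, seq <n>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?,\s*(?P<iface>[\w/-]+),\s*seq\s+(?P<seq>\d+)\s*$"
)


def parse_failover_stats(text):
    """Return {object name: {xmit, xerr, rcv, rerr}} from show failover output."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group("obj").strip()] = {
                k: int(m.group(k)) for k in ("xmit", "xerr", "rcv", "rerr")
            }
    return stats


def route_sync_ok(stats):
    """True when Route Session updates were exchanged and neither side logged errors."""
    rs = stats.get("Route Session")
    if rs is None:
        return False
    return (rs["xmit"] + rs["rcv"]) > 0 and rs["xerr"] == 0 and rs["rerr"] == 0


def parse_route_table(text):
    """Return table seq number, reconvergence state and per-route seq numbers."""
    result = {"table_seq": None, "reconverged": False, "routes": []}
    for line in text.splitlines():
        m = re.match(r"Routing table seq num (\d+)", line)
        if m:
            result["table_seq"] = int(m.group(1))
            continue
        if line.strip() == "Reconvergence timer expired":
            result["reconverged"] = True
            continue
        m = ROUTE_RE.match(line)
        if m:
            result["routes"].append({
                "code": m.group("code"),
                "prefix": f"{m.group('net')} {m.group('mask')}",
                "iface": m.group("iface"),
                "seq": int(m.group("seq")),
            })
    return result


def stale_routes(parsed):
    """Dynamic/static routes whose seq lags the table seq, i.e. still carrying
    the epoch of the previous active unit. Connected routes are skipped
    (assumption: they come from local interface state, not route HA)."""
    return [
        r for r in parsed["routes"]
        if not r["code"].startswith("C") and r["seq"] != parsed["table_seq"]
    ]


if __name__ == "__main__":
    stats = parse_failover_stats(SHOW_FAILOVER)
    print("route sync over failover link:", "OK" if route_sync_ok(stats) else "PROBLEM")
    parsed = parse_route_table(SHOW_ROUTE_FAILOVER)
    print("table seq", parsed["table_seq"], "reconverged:", parsed["reconverged"])
    for r in stale_routes(parsed):
        print("STALE:", r["code"], r["prefix"], "via", r["iface"], "seq", r["seq"])
```

In practice you would feed the script the output captured from both units (the article's capture is from the secondary, which has gone active) and alert when route_sync_ok() is false, when the reconvergence timer has not expired long after the failover event, or when stale_routes() is non-empty.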

And if we were using the debug route ha command, we would see the following as each route is assigned the current RIB epoch number and sent to the peer:

ROUTE HA: RIB Epoch number 5 assigned to NDB: 192.168.32.0
ROUTE HA: Sending Message Version: 1 Action: add Object: route Address: 192.168.32.0 Mask: 255.255.255.0
ROUTE HA: RIB Epoch number 5 assigned to NDB: 172.16.0.0
ROUTE HA: Sending Message Version: 1 Action: add Object: route Address: 172.16.30.0 Mask: 255.255.255.0
ROUTE HA: RIB epoch number 5 assigned to SDB: 172.16.30.0
ROUTE HA: RIB Epoch number 5 assigned to NDB: 172.168.0.0
ROUTE HA: Sending Message Version: 1 Action: add Object: route Address: 172.168.34.0 Mask: 255.255.255.0
ROUTE HA: RIB epoch number 5 assigned to SDB: 172.168.34.0
ROUTE HA: RIB Epoch number 5 assigned to NDB: 172.188.0.0
ROUTE HA: Sending Message Version: 1 Action: add Object: route Address: 172.188.36.0 Mask: 255.255.255.0
ROUTE HA: RIB epoch number 5 assigned to SDB: 172.188.36.0
ROUTE HA: RIB Epoch number 5 assigned to NDB: 172.198.0.0
ROUTE HA: Sending Message Version: 1 Action: add Object: route Address: 172.198.40.0 Mask: 255.255.255.0
ROUTE HA: RIB epoch number 5 assigned to SDB: 172.198.40.0

This functionality is enabled by default on ASA 8.4, so there is no need to do anything other than configure failover and dynamic routing on your ASAs.

About the author: Brandon Carroll, CCIE # 23837, is a full-time instructor with Ascolta, with a focus in network security and business development. He is also the author of the GlobalConfig blog.
