topic Vwire Active Active with ASA HA Pair in General Topics

Vwire Active Active with ASA HA Pair

Gene_Barden — Mon, 24 Aug 2020 20:39:23 GMT

I have a n HA pair of ASA and will be implementing an HA pair of PANS between the Core and ASAs. I can send a topology if necessary. Currently have a Cisco 3750 layer 3 connected to two separate Cisco 2960s via a trunk link. The2960s are aslo inter-connected via a trunk link. The ASAs are connected to each 2960 via access port. The original idea was to implement the Palo Altos in A/P but it seems easier to implement A/A. Are there any gotchas for this scenario. I know it is best practice and recommended for Vwire A/A in a layer 3 topology only and to make sure spanning-tree is configured properly for layer 2. From what I have read you should not carry the Vwire vlan across the inter-switch trunk but wold this just be for the trunk between the 2960's or all of the trunk links? I would think the traffic would not pass if the vlan is not allowed between the 3750 and 2960 trunks.

Re: Vwire Active Active with ASA HA Pair

reaper — Tue, 25 Aug 2020 11:28:09 GMT

I'm imagining a triangle with 2 ASA's dangling from the bottom

you'll want to set the PAs between the ASAs and the switches

if you like, you could also add vwires on all the trunks but this might be overkill, it sorta depends where those switches connect to and where you need to have security in between

Re: Vwire Active Active with ASA HA Pair

Gene_Barden — Tue, 25 Aug 2020 12:59:21 GMT

Here is the physical topology of the scenario. All switch connections south of the Palo are trunk ports with all of the vlans trunked. The link between the 2960s has all vlans trunked except for the primary vlan2 which is the main vlan for the network and to the ASA. I have also attached an A/P scenario adding additional switches north of the Palo connected to the ASA also. Trying to decide which scenario will work best.

Active/ActiveActive/Passive

Re: Vwire Active Active with ASA HA Pair

reaper — Tue, 25 Aug 2020 13:26:24 GMT

the A/P scenario will be easier to troubleshoot in case there is ever a defect in the network connection, the primary member will also remain active if the ASA dies, being one less failover the sessions need to endure (if the ASA fails over in the A/A scenario, the sessions are handed over to the second ASAs, but also to the second PA. this increases the chances of having a hickup and will have an impact on the time it takes for sessions to transition)