HA path monitoring in virtual wire

- Looks like we are in the same boat. The ASA failover does not trigger PA failover. Creating a separate L3 interface for monitoring is what suggested by our SE. Here is what I had tried over the last weekend but did not get satisfactory results due to ASA issues in our environment.

- Connect an interface from PAN to LAN switch

- Configure interface in L3 mode. I am assuming that PAN trust/inside is connected to a L3 switch having default gateway as ASA

- Configure new zone

- Configure new virtual router. I preferred to create new as the purpose was to use it purely for HA path monitoring. My PAN anyways configured in vWire mode

- Ping destination using src ping on PAN. Please note that somehow I was not able to ping ASA untrust from inside/trust. I am not sure if that is the feature in ASA but I did not have time to work on it. If you know how then please let me know. ASA egress IP is reachable from public

- Configure path monitoring with type as "virtual router". Configure destination address and select the virtual router with proper routing

- Check path monitoring status from cli # show high-availability path-monitoring

pan(active)> show high-availability path-monitoring

--------------------------------------------------------------------------------

total paths monitored :                         1

interval to send ICMP probe packets :           200 ms

last N probes to determine path availability :  10

hold time to send probe packets :               60000 ms

  (after device becomes active)

--------------------------------------------------------------------------------

name/type                        destination     succ/total rtt min/max/avg (ms)

--------------------------------------------------------------------------------

ha-monitor-vrouter/virtual-router <destination ip>    10/10      0.80/1.04/0.88

--------------------------------------------------------------------------------

My failover scenario worked fine after shutting down the ASA untrust link. I however had issues later when Active PAN become Primary again. I will be trying the same thing with Juniper firewalls again over coming weekend. If you manage to test in the meanwhile then please share the results.

thx vwaghmar for your answer.

as I remember you can't ping outside interface of ASA from inside   so don't bother. Maybe if you change "management-interface" for outside (which is not recomended) but it is not easily done casue managemnt-interface can't be the one with the lowest "security-level".

Unfortunately I dont have 2 ASAs in my lab to test all interesting parts.

My first question is whether PAN tranfers traffic in vwire when it is in passive mode? It is fundamental question cause
If the answer is yes then it is no use of creating L3 interface for path monitoring cause its default gateway (L3 switch or inside interface of ASA) is always available regardless which ASA is acitve or standby.

When ASAs do switchover the secondary one starts using the IP address of the previous primary one (which is default gateway for internal networks and L3 interface of PAN).

OK I've found the info that traffic handling links on the passive device are in "down" state. Of course it wouldn't make sanse the other way but I had to ask

As I said I can't test it in a full environment but I have to do it in production GREAT is it not?

What about your case you've mentioned earlier? is it closed with the solution presented? or still have hope for some trick? idea?

regards

Przemek

- Anyways we are getting rid of ASA with PAN so I am not bothered any more . I wanted to simulate it for other environment.

Passive PAN in vwire mode will have all its interfaces shut/down. Are you seeing the interfaces UP? Also the traffic will eventually flow from the vwire to reach ASA or gateway so the path monitor will have no data on the passive PAN. Check the output below from passive PAN. There is a possibility that the active PAN will be able to reach the destination ip from the standby ASA (when Active). I did not get time to check about it. I will check with our SE.

pan(passive)> show high-availability path-monitoring

--------------------------------------------------------------------------------

path monitoring statistics unavailable due to inactive device state

total paths monitored :                         1

interval to send ICMP probe packets :           200 ms

last N probes to determine path availability :  10

hold time to send probe packets :               60000 ms

  (after device becomes active)

--------------------------------------------------------------------------------

name/type                        destination     succ/total rtt min/max/avg (ms)

--------------------------------------------------------------------------------

ha-monitor-vrouter/virtual-router <dst monitored ip>       N/A         N/A

-------------------------------------------------------------------------------

I tested it in production as well as I have running setup with this limitation :smileygrin:. I am going to try next with Juniper firewall which has the option to assign separate management ip address apart from the floating one to an interface.

As per support, it is not possible to monitor destination which is one hop away/routed. The L3 interface on PAN will have to be in the same subnet as dst address.