HA path monitoring in virtual wire

As far as I know or seen, PAN in vWire HA deployment will have ports shut on Passive device. I think I had checked/tried that initially and had same results. May be it is something different for L3 mode. My environment is vWire mode only.

I didn't get the thing about support.

"L3 interface must be on the same subnet as dst address?"

Honestly it does not make any sense to me as well as path monitoring is supposed to check path IMO. As per the support the src ip (L3 on PAN) should be part of destination subnet. May be it is limitation for vWire based deployment The option suggested was to connect a cable from PAN to the remote subnet and then configure monitoring of destination IP.

What kind of issues? Did you enable Preemptive option? I think It should be disabled in this scenario as PAN need to follow ASAs.

We had issues with managing secondary ASA after failover. Hence could not check the status on secondary ASA. After a while, the Active PAN was primary. I suspect that is due to the reason that the destination ip was reachable via Standby ASA (when Active). Yes I have preemptive option enabled. That is a good option to check for. Anyways I plan on checking the untrust IP availability and my affected environment has Juniper. I will configure the destination ip separate on PAN which will be the manage-ip of untrust interface (not floating). The aim is to failover PAN if the untrust link to connected switch dies.

I am running 4.x so cant comment about 5.x stuff.

I would love to have L3 environment but redesign is not an option for me considering config on the existing firewalls and criticality of the environment. I am however moving to L3 on PAN in some environment. ASA and PAN back to back becomes redundant. In my environment we are doing lot of stuff on PAN than ASA so we will be replacing ASA.

I just checked release notes of 5.0.4 and can see the enhancement in HA options.

• Passive Device Link State Control 
–
This enhancement improves failover times in Active/Passive deployments that make use of L2 or virtual wire interfaces by keeping the physical interface link state on the passive device in the link
-
up state. This feature already exists for L3 interfaces.

We had issues with managing secondary ASA after failover. Hence could not check the status on secondary ASA. After a while, the Active PAN was primary. I suspect that is due to the reason that the destination ip was reachable via Standby ASA (when Active). Yes I have preemptive option enabled. That is a good option to check for.

I think this was your issue - I mean PREEMPTIVE option. As I remember ASA in active/standby mode doesn't behave in a preemptive manner (it can but as I remember only in multicontext mode). So after a while passive PAN regain its connectivity with path monitoring through currently active ASA so it switches again. What is your case?

I've just tried this "Passive Device Link State Control" and I changed it  to "auto" as picture presented earlier. However this  does not mean that ASA hearbeats can keep going !!! Its true that link is green but thats all. So no connectivity to the secondary ASA will be allowed when  the PAN box is passive. This make sense in order to avoid the situation when we could evade the active box and its inspection, but it is pain in the a... when sth behind it needs to send its heartbeats

regards

pkonitz

BTW - Check the release notes of 5.0.4. You can create sub-interfaces in vWire mode. I think this is what you are looking for???

Virtual Wire Subinterface 
–
You can now create virtual wire subinterfaces in order to 
classify traffic into different zones and virtual systems. You can classify traffic according to the VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).