01-27-2017 11:38 PM
Hi,
I have the topology below.
Planning to put the PA in vwire mode between the ASA and core, in active/standby.
If R1 fails while ASA1 is active and ASA2 is standby, ASA2 will become active.
Let's say PA1 is active and PA2 is standby.
When the ASA changes its active/standby order, is it possible for the PA to change in the same order as the ASA does?
Or what are the pros and cons of this design?
Thanks
01-28-2017 04:37 AM
Hi,
You can track the ASA-1 interfaces on PA-1, so when ASA-1 fails over it should shut down its interfaces connecting to PA-1. Once those interfaces are down, and you are tracking them with link monitoring on PA-1, PA-1 will trigger HA failover, and if you have enabled preempt on PA-1, once ASA-1 is back active the PAs will swap their roles.
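For readers who want to see what the tracking described in this reply looks like in configuration, the following is an added example and not part of the original post or of Palo Alto Networks' documentation. It is PAN-OS CLI in configure mode on PA-1; the vwire name, the HA group ID, the link-group name and the port numbers (ethernet1/1 toward ASA-1, ethernet1/2 toward the core) are assumptions, the HA1/HA2 control-link configuration is left out, the `#` lines are annotation rather than CLI input, and the exact node names should be checked against the CLI reference for the PAN-OS version in use.

```text
# --- PA-1, configure mode. Names and ports are assumed for this example. ---

# Vwire between the ASA-1-facing port and the core-facing port, with link-state
# pass-through so a dead port on one side is reflected on the other side.
set network virtual-wire vw-asa1 interface1 ethernet1/1 interface2 ethernet1/2 link-state-pass-through enabled yes

# Active/passive HA. Passive links stay up (auto) so ASA-2 does not see a dead port.
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive passive-link-state auto

# Preempt: PA-1 takes the active role back once its monitored links recover.
# Preempt must be enabled on BOTH peers; PA-2 gets a higher (less preferred) priority.
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability group election-option device-priority 100

# Link monitoring: fail over when the port toward ASA-1 goes down.
set deviceconfig high-availability group link-monitoring enabled yes
set deviceconfig high-availability group link-monitoring failure-condition any
set deviceconfig high-availability group link-monitoring link-group to-asa1 enabled yes
set deviceconfig high-availability group link-monitoring link-group to-asa1 failure-condition any
set deviceconfig high-availability group link-monitoring link-group to-asa1 interface ethernet1/1

commit

# --- Checks, operational mode (run on both peers) ---
show high-availability state
show high-availability link-monitoring
```

PA-2 mirrors this with its own link group tracking the port toward ASA-2 and `device-priority 200`. The check a practitioner should make before relying on this is to force an ASA failover (not just unplug a cable) and watch `show high-availability link-monitoring` on PA-1: link monitoring only fires if the ASA port actually drops link, so confirm on your ASA platform and failover settings that the interface really goes down rather than staying up with a standby address; if it stays up, PAN-OS path monitoring toward an address that only answers on the active ASA is the alternative.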
02-05-2017 12:48 AM
Hi,
Is there a good design other than this?
Thanks
02-06-2017 05:52 AM
Apart from totally removing the ASAs, monitoring the path/link from the Palos to the ASA is about as good as it gets. What's the business case for having the ASAs? If you're just doing layers 1-4 on the ASA, it's pointless having them there.
02-06-2017 06:06 AM
You could create port channels so the ASAs can fail over all they want without interfering with the Palo Alto Networks firewall cluster.
With this design and the PANW in A/P, one member of the aggregate will always be down and will simply switch if one of the PANW were to fail; if the ASA fails, the second aggregate will kick in (controlled by the switch and ASA) and the active PANW can remain active.
02-06-2017 11:52 AM
I would follow the order that @reaper laid out; that would give you true redundancy, and you don't at any one point in time have a single point of failure on your firewalls. The way that you are describing would work fine, but the thing to keep in mind is that while you technically have a backup, you are counting on that PAN to function during the outage. If you lose that PAN for some reason at the same time you lose the router, your network sounds like it's still going to go down.
02-08-2017 03:45 PM
Another option in this scenario is to make the PA cluster Active/Active instead of Active/Passive. This way, no matter what combination of device failures occurs on either side, you still have a traffic path through the PA devices, and you don't need to track anything for failures.
02-09-2017 07:30 AM
Hi,
You mean the port channel between the core and ASA?
It means one of the links will go through PA1 and the other link through PA2 (e.g. red)?
Thanks
02-09-2017 08:25 AM
Yes, that's right. That way, if ASA1 fails, PA1 does not need to fail: the port channel will simply switch to the second link.
Also, if PA1 fails, ASA1 does not need to fail.