Vwire Active Active with ASA HA Pair


L3 Networker

I have an HA pair of ASAs and will be implementing an HA pair of PANs between the Core and ASAs. I can send a topology if necessary. Currently I have a Cisco 3750 layer 3 connected to two separate Cisco 2960s via a trunk link. The 2960s are also inter-connected via a trunk link. The ASAs are connected to each 2960 via an access port. The original idea was to implement the Palo Altos in A/P, but it seems easier to implement A/A. Are there any gotchas for this scenario? I know it is best practice and recommended for Vwire A/A in a layer 3 topology only and to make sure spanning-tree is configured properly for layer 2. From what I have read you should not carry the Vwire VLAN across the inter-switch trunk, but would this just be for the trunk between the 2960s or for all of the trunk links? I would think the traffic would not pass if the VLAN is not allowed on the trunks between the 3750 and 2960s.

PCNSC, PCNSE
Accepted Solutions

The A/P scenario will be easier to troubleshoot in case there is ever a defect in the network connection. The primary member will also remain active if the ASA dies, being one less failover the sessions need to endure (if the ASA fails over in the A/A scenario, the sessions are handed over to the second ASA, but also to the second PA; this increases the chances of having a hiccup and will have an impact on the time it takes for sessions to transition).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Cyber Elite

I'm imagining a triangle with 2 ASAs dangling from the bottom.

You'll want to set the PAs between the ASAs and the switches.

If you like, you could also add vwires on all the trunks, but this might be overkill; it sorta depends on where those switches connect to and where you need to have security in between.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Here is the physical topology of the scenario. All switch connections south of the Palo are trunk ports with all of the vlans trunked. The link between the 2960s has all vlans trunked except for the primary vlan2 which is the main vlan for the network and to the ASA. I have also attached an A/P scenario adding additional switches north of the Palo connected to the ASA also. Trying to decide which scenario will work best.

[Attached topology diagrams: Active/Active (2 images), Active/Passive (2 images)]

PCNSC, PCNSE
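A worked example of the VLAN pruning described in this thread, added here and not part of the original posts: Cisco IOS trunk configuration for one of the 2960s, where the vwire VLAN (VLAN 2 in the thread) stays on the uplink to the 3750 but is pruned from the inter-switch trunk. Interface numbers and the other VLAN IDs are assumptions; the same configuration would be applied mirror-image on the second 2960.

```cisco
! Assumed interfaces on one 2960:
!   Gi1/0/1  trunk uplink to the 3750 core
!   Gi1/0/2  trunk to the other 2960 (inter-switch link)
!   Gi1/0/3  access port toward the ASA, passing through the PA vwire
! VLAN 2 is the vwire VLAN carrying traffic between the core and the ASA.

! Uplink to the 3750: VLAN 2 must remain allowed here. Pruning it on this link
! would stop all traffic that has to traverse the vwire (all VLANs trunked).
interface GigabitEthernet1/0/1
 description Trunk to 3750 core
 switchport mode trunk
!
! Inter-switch trunk between the two 2960s: carry every VLAN except VLAN 2,
! so there is no layer-2 path for the vwire VLAN that bypasses the firewalls
! and no second bridged path for spanning-tree to block or loop on.
interface GigabitEthernet1/0/2
 description Trunk to other 2960
 switchport mode trunk
 switchport trunk allowed vlan except 2
!
! Access port toward the ASA through the PA vwire; untagged VLAN 2 only.
interface GigabitEthernet1/0/3
 description To ASA via PA vwire
 switchport mode access
 switchport access vlan 2
!
! Verification: "show interfaces trunk" should list VLAN 2 under
! "Vlans allowed on trunk" for Gi1/0/1 but not for Gi1/0/2.
```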
