[c-nsp] ASA High Availability - Stateful Failover with Dynamic Routing Protocols
Antonio Soares
amsoares at netcabo.pt
Thu Oct 25 18:33:24 EDT 2012
Hello group,
ASA release 8.4.1 introduced a feature called "Stateful Failover with
Dynamic Routing Protocols":
"Routes that are learned through dynamic routing protocols (such as OSPF and
EIGRP) on the active unit are now maintained in a Routing Information Base
(RIB) table on the standby unit. Upon a failover event, traffic on the
secondary active unit now passes with minimal disruption because routes are
known. Routes are synchronized only for link-up or link-down events on an
active unit. If the link goes up or down on the standby unit, dynamic routes
sent from the active unit may be lost. This is normal, expected behavior."
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#w
p43273
But this feature has many limitations. When you have a failover and you are
peering with another IOS Router or Switch, the IOS device detects that the
neighbor changed and deletes everything learned from the ASA and about 10
seconds later rebuilds the routing table:
+++++++++++++++++++++++++++++++++++++++
000190: *Mar 1 04:08:26: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on
Vlanxxx from FULL to EXSTART, SeqNumberMismatch
000191: *Mar 1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on
Vlanxxx from EXSTART to EXCHANGE, Negotiation Done
000192: *Mar 1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on
Vlanxxx from EXCHANGE to LOADING, Exchange Done
000193: *Mar 1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on
Vlanxxx from LOADING to FULL, Loading Done
000194: *Mar 1 04:08:32.277: RT: del 172.x.x.x/29 via 172.x.x.x, ospf
metric [110/21]
(...)
000275: *Mar 1 04:08:42.284: RT: add 172.x.x.x/29 via 172.x.x.x, ospf
metric [110/21]
+++++++++++++++++++++++++++++++++++++++
This causes the obvious downtime of 10 seconds but worse than that, other
ASAs in the network terminate the TCP connections due to lack of routing
information:
+++++++++++++++++++++++++++++++++++++++
%ASA-6-110003: Routing failed to locate next hop for TCP from
outside:172.x.x.x/23 to inside:9.x.x.x/35365
%ASA-6-302014: Teardown TCP connection 3609 for inside:9.x.x.x/35365 to
outside:172.x.x.x/23 duration 0:01:00 bytes 50721 No valid adjacency
+++++++++++++++++++++++++++++++++++++++
Cisco has an enhancement to solve this that basically is the implementation
of the Non-Stop Forwarding feature (CSCsu90386) but it seems it will take
months or years to be available.
Basically the current implementation of Stateful Failover is a Joke. The
only workaround I have is getting rid of OSPF or EIGRP and use static
routing.
Does anyone has/had this problem and found any type of workaround ?
I have this in the lab if someone is interested in more details:
(inside network)===IOS Switch===OSPF===ASA Failover Pair===OSPF===ASA
Failover Pair===(outside network)
Thanks.
Regards,
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net
More information about the cisco-nsp
mailing list