Cisco ASA 5505 User Manual


63-18

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 63 Configuring Active/Active Failover

Configuring Active/Active Failover


Configuring Support for Asymmetrically Routed Packets

When running in Active/Active failover, a unit may receive a return packet for a connection that
originated through its peer unit. Because the ASA that receives the packet does not have any connection
information for the packet, the packet is dropped. This most commonly occurs when the two ASAs in an
Active/Active failover pair are connected to different service providers and the outbound connection
does not use a NAT address.

You can prevent the return packets from being dropped using the asr-group command on interfaces
where this is likely to occur. When an interface configured with the asr-group command receives a
packet for which it has no session information, it checks the session information for the other interfaces
that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one
of the following actions occurs:

• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.

• If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.

Note

Using the asr-group command to configure asymmetric routing support is more secure than using the
static command with the nailed option.

The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets
to the correct interface.

Prerequisites

You must have the following configured for asymmetric routing support to function properly:

• Active/Active Failover

• Stateful Failover—Passes state information for sessions on interfaces in the active failover group to the standby failover group.

• Replication HTTP—HTTP session state information is not passed to the standby failover group, and therefore is not present on the standby interface. For the ASA to be able to re-route asymmetrically routed HTTP packets, you need to replicate the HTTP state information.

You can configure the asr-group command on an interface without having failover configured, but it
does not have any effect until Stateful Failover is enabled.

Detailed Steps

To configure support for asymmetrically routed packets, perform the following steps:

Step 1

Configure Active/Active Stateful Failover for the failover pair. See the “Configuring Active/Active Failover” section on page 63-8.

Step 2

For each interface that you want to participate in asymmetric routing support, enter the following command. You must enter the command on the unit where the context is in the active state so that the command is replicated to the standby failover group. For more information about command replication, see Command Replication, page 63-3.
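The following configuration is an added example, not taken from the Cisco guide, that puts the prerequisites and both steps together: Stateful Failover with HTTP replication in the system execution space, two contexts joined to different failover groups, and the outside interface of each context placed in the same asr-group so that a return packet arriving at the wrong unit is matched against the peer's session and redirected rather than dropped. The interface names, context names, VLAN numbers, IP addresses and the group number 1 are assumed values chosen for the example; only the command keywords are the ASA's own.

```cisco
! Added example (assumed names and addresses, not the guide's own configuration).
! ---- System execution space, entered on the primary unit ----
! Failover LAN link and Stateful Failover link share one interface here.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Prerequisite: HTTP state is not replicated by default; enable it so
! asymmetrically routed HTTP packets can be re-routed too.
failover replication http
! Active/Active: group 1 is active on the primary, group 2 on the secondary.
failover group 1
  primary
failover group 2
  secondary

! Inside subinterfaces for the two contexts (assumed VLANs).
interface GigabitEthernet0/1.100
  vlan 100
interface GigabitEthernet0/1.200
  vlan 200

context ctxA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.100
  config-url disk0:/ctxA.cfg
  join-failover-group 1
context ctxB
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/1.200
  config-url disk0:/ctxB.cfg
  join-failover-group 2

! ---- Context ctxA: enter on the unit where ctxA is active (primary) ----
! so the command replicates to the standby failover group.
interface GigabitEthernet0/0
  nameif outsideA
  security-level 0
  ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
  asr-group 1

! ---- Context ctxB: enter on the unit where ctxB is active (secondary) ----
interface GigabitEthernet0/2
  nameif outsideB
  security-level 0
  ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
  asr-group 1
```

With this in place, a reply that the upstream provider delivers to outsideB for a connection that left through outsideA is looked up in the session table of every interface in asr-group 1; because Stateful Failover copied ctxA's sessions to the standby group on the other unit, the lookup succeeds and the packet is redirected to the unit that owns the connection. Without the matching asr-group number on both interfaces, or without Stateful Failover, the lookup fails and the packet is still dropped.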
