I got this question from one of my readers (and based on these comments he’s not the only one facing this challenge):
I was wondering if you can do a blog post on Cisco's new ASA 5585-X clustering. My company recently purchased a few of these with the intent to run their cross data center active/active firewalls but found out we cannot do this without OTV or a layer 2 DCI.
A while ago I expressed my opinion about these ideas, but it seems some people still don’t get it. However, a picture is worth a thousand words, so maybe this will work:
On a more serious note…
Whenever someone proposes a stupidity like “let’s turn our L3 DCI into an L2 DCI so we can run a stretched firewall cluster on top of it”, politely ask “and what happens when (not if) the DCI link fails?” because asking “what were you smoking” might sound offensive.
Fortunately for everyone who has to work with real-life networks, Cisco engineers (even those working in marketing) tend to be pretty honest when it comes to how things really work, so answering that question was easy: just read the documentation, the design guides, and the ASA Clustering Deep Dive Cisco Live session:
- A failure in communication between different members of the cluster will result in ejection of that firewall from the cluster;
- CCL (Cluster Communication Link) loss forces the member out of the cluster
- CCL link loss causes unit to shut down all data interfaces and disable clustering. Clustering must be re-enabled manually after such an event
For those who still don’t get it: if you lose the communication between cluster members (which is exactly what happens after a DCI link failure, because the CCL rides the DCI), the units that can no longer reach the rest of the cluster are ejected, shut down all their data interfaces, and (per the third bullet) stay that way until someone re-enables clustering by hand. The firewalls in one data center go dark and cut that data center off the net, and the DCI coming back does not bring them back.
Do keep in mind that if you have two data centers with an L3 DCI between them, they can keep working independently after a DCI link failure (apart from the potential need to synchronize data between them). Stretching a firewall cluster across the two data centers (which forces you to turn that L3 DCI into an L2 one) is thus a huge step back in terms of failure resiliency: it turns a DCI failure into a data center outage.
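To make the failure-domain comparison concrete, here is a small model, added here as an illustration (it is not Cisco’s code and not part of the original post), that applies the ejection rules quoted above to two designs: one cluster stretched across the DCI, and independent per-site firewalls with nothing shared across the L3 DCI. The site names, unit names, the two-units-per-site layout and the assumption that the master unit sits in DC-A are hypothetical; the rules themselves (a unit that cannot reach the rest of the cluster over the CCL is ejected, shuts its data interfaces, and stays out until clustering is re-enabled manually) are the documented ones.

```python
"""Failure-domain model: stretched ASA cluster vs. independent per-site firewalls.

Added illustration (not Cisco's code, not from the original post). The ejection
rules implemented in StretchedCluster.step() are the ones quoted from Cisco's
documentation: a unit that loses CCL contact with the cluster is ejected, shuts
down all data interfaces, and stays out until clustering is re-enabled manually.
Unit names, site names and "master in DC-A" are hypothetical assumptions.
"""
from dataclasses import dataclass


@dataclass
class Unit:
    name: str
    site: str
    forwarding: bool = True   # data interfaces up and passing traffic
    in_cluster: bool = True   # clustering enabled on this unit


@dataclass
class StretchedCluster:
    """One cluster whose CCL is carried between sites over the (L2) DCI."""
    units: list
    master: str               # master (in newer docs: "control") unit name
    dci_up: bool = True

    def ccl_reachable(self, a, b):
        # Same site: the CCL is a local port-channel. Different sites: it rides the DCI.
        return a.site == b.site or self.dci_up

    def step(self):
        """Apply the documented rule after a topology change."""
        master = next(u for u in self.units if u.name == self.master)
        for u in self.units:
            if u.in_cluster and not self.ccl_reachable(u, master):
                u.in_cluster = False   # ejected from the cluster
                u.forwarding = False   # all data interfaces shut down

    def operator_reenables_clustering(self):
        """The manual step the documentation requires; nothing happens on its own."""
        master = next(u for u in self.units if u.name == self.master)
        for u in self.units:
            if not u.in_cluster and self.ccl_reachable(u, master):
                u.in_cluster = True
                u.forwarding = True

    def sites_with_firewalling(self):
        return sorted({u.site for u in self.units if u.forwarding})


@dataclass
class IndependentFirewalls:
    """Per-site firewalls with no shared state across the L3 DCI."""
    units: list
    dci_up: bool = True

    def step(self):
        pass                   # a DCI failure does not touch the firewalls

    def operator_reenables_clustering(self):
        pass                   # nothing to re-enable

    def sites_with_firewalling(self):
        return sorted({u.site for u in self.units if u.forwarding})


def build_units():
    """Constructed sample topology: two units per data center."""
    return [Unit("asa-a1", "DC-A"), Unit("asa-a2", "DC-A"),
            Unit("asa-b1", "DC-B"), Unit("asa-b2", "DC-B")]


def dci_failure_timeline(design):
    """Which sites still have a forwarding firewall as the DCI fails and recovers."""
    timeline = {"steady state": design.sites_with_firewalling()}
    design.dci_up = False
    design.step()
    timeline["DCI down"] = design.sites_with_firewalling()
    design.dci_up = True
    design.step()
    timeline["DCI restored"] = design.sites_with_firewalling()
    design.operator_reenables_clustering()
    timeline["after manual re-enable"] = design.sites_with_firewalling()
    return timeline


if __name__ == "__main__":
    for design in (StretchedCluster(build_units(), master="asa-a1"),
                   IndependentFirewalls(build_units())):
        print(type(design).__name__)
        for phase, sites in dci_failure_timeline(design).items():
            print(f"  {phase:24s} firewalling in {sites}")
```

In this model the site that survives the split is whichever one the master happens to be in at that moment; the point is that with the stretched cluster one site always loses its firewalls, and keeps them down after the DCI recovers until somebody logs in, whereas the independent design never notices the DCI at all.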
Finally, here’s my message to the vendor sales engineers promoting such stupidities: