ASA 5505 Switch Redundancy

I came across a situation where I had an ASA 5505 connected to a 3750 switch via two physical interfaces. These interfaces were both on the same chassis of a two-chassis 3750 stack. This ASA had been running well for some time and no issues had arisen until one of the two 3750s experienced a problem (the one connected to the ASA, of course), causing an Internet outage. I did some research and didn’t find anything on the ASA end of things that would allow for redundant links to the secondary switch. Then, as I was reading through a Cisco Catalyst IOS configuration guide, I saw something about “Flex Links” and struck gold! Simply put, Flex Links allow backup interfaces to be administratively defined on a switch (or stack of switches). The configuration on the switch side is very straightforward, as shown in the example below. The ASA configuration is very simple as well: I simply assigned the appropriate VLANs to the ASA switched interfaces and attached the cables to the proper backup interfaces on my second stacked switch. The ports that are in a standby state will have orange status lights but will show “up/up” on both ends.

interface GigabitEthernet1/0/23
 description ASA 5505 INSIDE - BACKUP
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description ASA 5505 OUTSIDE - BACKUP
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/0/23
 description ASA 5505 INSIDE
 switchport access vlan 10
 switchport mode access
 switchport backup interface Gi1/0/23
 switchport backup interface Gi1/0/23 preemption mode forced
 spanning-tree portfast
!
interface GigabitEthernet2/0/24
 description ASA 5505 OUTSIDE
 switchport access vlan 30
 switchport mode access
 switchport backup interface Gi1/0/24
 switchport backup interface Gi1/0/24 preemption mode forced
 spanning-tree portfast

This configuration statically configures port Gi1/0/23 as a backup for Gi2/0/23 and Gi1/0/24 as a backup for Gi2/0/24. The “preemption mode forced” command simply means that if a failed primary interface becomes available again, a failback to it will occur rather than the pair just remaining in its last working state.

Two show commands are very useful here. The first is “show interfaces switchport backup”, which provides a simple output showing the active and backup interfaces:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby

The second useful command is “show interfaces switchport backup detail”, which, strangely enough, just provides more detailed information:

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/23), 100000 Kbit (Gi1/0/23)
        Mac Address Move Update Vlan : auto

GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Up/Backup Standby
        Preemption Mode  : forced
        Preemption Delay : 35 seconds (default)
        Multicast Fast Convergence  : Off
        Bandwidth : 100000 Kbit (Gi2/0/24), 100000 Kbit (Gi1/0/24)
        Mac Address Move Update Vlan : auto
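Because the standby ports show “up/up” on both ends, a link that has failed over to its backup is easy to miss until the second link also fails. As an added example (not from the original post), the following Python script parses the summary lines of “show interfaces switchport backup” so a monitoring job can flag any pair that is no longer in the normal “Active Up/Backup Standby” state. The sample output is constructed: the first pair is copied from the output above, while the second pair is written as it would look after Gi2/0/24 has gone down; the exact wording of that failed-over state line is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output of "show interfaces switchport backup". The first
# pair is healthy, exactly as on the original page. The second pair is written
# as it would look after Gi2/0/24 has gone down and Gi1/0/24 has taken over;
# that wording ("Active Down/Backup Up") is an assumption, not copied output.
SAMPLE_OUTPUT = """\
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
GigabitEthernet2/0/23   GigabitEthernet1/0/23   Active Up/Backup Standby
GigabitEthernet2/0/24   GigabitEthernet1/0/24   Active Down/Backup Up
"""

# One Flex Links pair per line: <active> <backup> Active <x>/Backup <y>
PAIR_RE = re.compile(
    r"^(?P<active>\S+)\s+(?P<backup>\S+)\s+"
    r"Active (?P<active_state>\S+)/Backup (?P<backup_state>\S+)$"
)


@dataclass
class BackupPair:
    active: str
    backup: str
    active_state: str
    backup_state: str

    @property
    def healthy(self) -> bool:
        # Steady state: the primary is forwarding and the backup is blocked,
        # waiting to take over.
        return self.active_state == "Up" and self.backup_state == "Standby"


def parse_backup_pairs(text: str) -> List[BackupPair]:
    """Extract every active/backup pair from the show command output.
    Header, separator and indented detail lines do not match and are skipped."""
    pairs = []
    for line in text.splitlines():
        m = PAIR_RE.match(line.strip())
        if m:
            pairs.append(BackupPair(**m.groupdict()))
    return pairs


def degraded_pairs(text: str) -> List[BackupPair]:
    """Pairs that are not in the normal Up/Standby state, i.e. the primary
    link is down, the backup is carrying traffic, or both links are down."""
    return [p for p in parse_backup_pairs(text) if not p.healthy]


def alerts(text: str) -> List[str]:
    """Human-readable alert lines, one per degraded pair, for a monitoring job."""
    return [
        f"Flex Links pair {p.active} -> {p.backup} degraded: "
        f"active {p.active_state}, backup {p.backup_state}"
        for p in degraded_pairs(text)
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_OUTPUT) or ["all Flex Links pairs healthy"]:
        print(line)
```

The same parser works on the “detail” variant, since the indented Preemption/Bandwidth lines do not match the pair pattern and are skipped. Feed it the captured output of a periodic SSH poll and raise a ticket on any non-empty result from alerts(); with preemption forced, the alert clears on its own once the primary link comes back and the switch fails back.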

More information from Cisco can be found here.

Clear WebVPN Sessions

The Cisco ASA platform ships with default licensing that permits two simultaneous WebVPN sessions. If users don’t log out when they finish using WebVPN, the ASA still considers these sessions open, and they will keep consuming licenses until the timeout period expires. There are two useful commands for troubleshooting issues surrounding WebVPN sessions. The first command shows the current WebVPN sessions:

“show vpn-sessiondb webvpn”

The second command will terminate all WebVPN sessions:

“vpn-sessiondb logoff webvpn”