Fritzbox on redundant ASA Firewall

When I upgraded my internet connection to a 1000 MBit contract, my ISP provided a Fritzbox to me as cable modem. The old cable modem (in bridge mode) worked fine when I connected my two Cisco ASA firewalls to it.

The setup

The Fritzbox does not support bridge mode, therefore it was required to configure a so-called “exposed host”. The “exposed host” configuration was done for the ports LAN2 and LAN3, and then I connected the WAN interface of ASA #1 to LAN2 and the WAN interface of ASA #2 to LAN3. Because the Fritzbox did not accept the IP address of the WAN interfaces of my ASAs, I was forced to register something like a PC-MAC address of the ASAs.

[Drawing: Fritzbox on redundant Cisco ASA firewalls]

The problem

The internet connection was working fine, but when I tested the ASA failover, the internet was gone. After a long investigation I found out the following:

  • If ASA Primary fails, ASA Secondary should take over (That’s normal)

  • ASA Secondary inherits the MAC address via failover from ASA Primary (That’s normal)

  • During the failover, the Fritzbox loses the PC-MAC of the “exposed host” configuration (WTF?)

  • Because there is no “exposed host” anymore (really, it’s gone), the internet connection is gone (WTF?)

[Drawing: Fritzbox / ASA Primary fails]

Having to log in to the Fritzbox and reconfigure the PC-MAC for the so-called “exposed host” after every switchover contradicts the high availability and failover function of the Cisco ASA firewall.

I saw the same behavior on the Fritzbox when I switched over from ASA Secondary back to ASA Primary. It does not matter whether the switchover is triggered by CLI command, by disconnecting the WAN or LAN port on the ASA (both are configured for failover monitoring) or by powering one ASA off.

[Drawing: Fritzbox / ASA Secondary fails]

In addition I recognized that:

  • On the Fritzbox LAN ports there are no speed or duplex settings. I prefer fixed settings for WAN connections (in Cisco terms: speed 1000 / duplex full)

  • On the Fritzbox it is not possible to set up a port channel or interface bonding

The solution

To solve this problem I realized that I must somehow provide a stable PC-MAC for the “exposed host” on the Fritzbox, one that does not change with an ASA failover. I’m doing this by creating a port channel of the interfaces Gi1/0/22 and Gi2/0/22 on my 3750G switch. The MAC address of the created Po interface should never change.

Because the Fritzbox now “sees” the MAC address of the Po interface on the switch instead of the MAC address of the currently active ASA, the “exposed host” configuration on the Fritzbox does not “get lost” anymore.
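For readers who want to rebuild this, here is an example 3750G configuration for the port channel and the non-routed VLAN. It is an added illustration and not the configuration from the original post: the VLAN number 999, its name, the ASA-facing ports Gi1/0/21 and Gi2/0/21, and the channel mode “on” (chosen because the Fritzbox cannot negotiate LACP or PAgP) are all assumptions; only Gi1/0/22, Gi2/0/22 and the speed/duplex preference come from the post.

```ios
! Assumed non-routed VLAN for the WAN segment between Fritzbox and ASAs.
! No "interface Vlan999" is created, so the switch itself does not route here.
vlan 999
 name WAN-FRITZBOX
!
! Assumed: ports towards the Fritzbox, bundled as Po1 (Gi1/0/22 + Gi2/0/22 per the post).
! Mode "on" is an assumption: the Fritzbox has no bonding/LACP support.
interface Port-channel1
 description Fritzbox LAN2/LAN3 (exposed host)
 switchport access vlan 999
 switchport mode access
!
interface GigabitEthernet1/0/22
 description Fritzbox LAN2
 switchport access vlan 999
 switchport mode access
 speed 1000
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet2/0/22
 description Fritzbox LAN3
 switchport access vlan 999
 switchport mode access
 speed 1000
 duplex full
 channel-group 1 mode on
!
! Assumed: access ports for the ASA WAN interfaces, one on each stack member
! so that a single switch member failure does not take both ASAs off the WAN VLAN.
interface GigabitEthernet1/0/21
 description ASA Primary WAN
 switchport access vlan 999
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet2/0/21
 description ASA Secondary WAN
 switchport access vlan 999
 switchport mode access
 speed 1000
 duplex full
!
! Checks after configuring (run in privileged EXEC):
!   show etherchannel 1 summary                  -> Po1 should be "(SU)", both members "(P)"
!   show interfaces port-channel 1 | include address -> the Po1 MAC to register on the Fritzbox
!   show mac address-table vlan 999              -> the active ASA MAC should be learned on Gi1/0/21 or Gi2/0/21
!   show spanning-tree vlan 999                  -> no port should be in blocking state
```

Before trusting the setup, run the failover tests the post describes (CLI switchover, pulling patch cords, powering one ASA off) while watching `show etherchannel 1 summary` on the switch and the “exposed host” device entry on the Fritzbox: the Po1 MAC must stay the same across all three tests.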

[Drawing: MAC of Po interface of switch as “exposed host” seen by Fritzbox]

My working solution now looks like the drawing below. I did failover tests by using the CLI command, by disconnecting the patch cords and by powering down one of the two ASAs. In all three tests the internet connection via the so-called “exposed host” stays up.

[Drawing: Fritzbox / ASA with non-routed VLAN on 3750G switch]