Cisco ASA Active/Standby Failover

Mar 28th, 2007

Hi,

I am purchasing 2 new ASA 5520s and wish for them to act as a failover pair in Active/Standby mode. How many physical interfaces do I need in order to allow this to happen? Please note that the failover should be stateful!

I don't think that I can purchase a Failover licence for the second firewall; I think it must be the same as the active firewall. Is this correct?

Help well rated!

Thanks

Gavin

vitripat Wed, 03/28/2007 - 13:37

Hi Gavin,

For stateful Active/Standby failover on ASA pairs, you need at least 4 interfaces.

One for outside, one for inside, one for stateful interface and one for failover link.

License requirements-

Primary ASA needs to have a UR license.

Secondary ASA can either be a UR or FO Only license.

Here is a link which explains how to configure stateful Active/Standby failover:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/failover.htm#wp1064158

The following link will also give you the idea about connectivity of the devices:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1047043

Hope that helps.

Regards,

Vibhor.

gavin.mckee Wed, 03/28/2007 - 14:16

Hi Vibhor,

Thanks for your answer. Am I right then in saying that I will need to purchase an additional 4 interfaces if I want to have the ASA as my internet firewall, i.e. if I create a DMZ segment, outside and inside segments, plus the failover interfaces? Or can you use subinterfaces to segment the network?

Thanks

vitripat Wed, 03/28/2007 - 14:51

I don't think you need to purchase additional interfaces for this. If you need 3 interfaces such as outside, inside & dmz, you can use 3 interfaces for these.

For failover+stateful, you can share both of them on the interface that is left. However, there will still be one more additional interface available (management interface), which also could be used for any of the above purposes, if we disable the "management-only" option on this interface. If we have a pair of ASA-5510s, all these interfaces will be 100Mbps interfaces. If it's an ASA-5520 pair or higher, the management interface would be 100Mbps and all other interfaces would be 1Gbps interfaces.

I hope this clarifies further.

Regards,

Vibhor.

David White Wed, 03/28/2007 - 15:39

Just to add to what Vibhor said...

The LAN failover and Stateful failover interfaces can use the same physical interface. However, on a 5520, this interface must be one of the 4 gig interfaces. You should not use the management0/0 interface for the lan/state link, as the interface must be as fast or faster than the other interfaces in the ASA.

Finally, to answer your other question, yes the ASA does support dot1q trunking, and if you wanted you could place the inside, outside and dmz all on the same physical interface (say Gig0/1) and each would be a sub-interface.

For your question about the license, the ASAs do not have the concept of Unrestricted, Restricted, and Failover-Only licenses. The PIXes did. All 5520s support A/S failover.

Sincerely,

David.
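A configuration sketch, added here and not posted by anyone in the thread, of the layout the replies converge on: the LAN failover and stateful links sharing one gigabit interface (Gig0/3) rather than management0/0, and outside, inside and dmz as dot1q sub-interfaces of Gig0/1, each with a standby address so the secondary unit can take over. Interface numbers, VLAN IDs, addresses and the link name FOLINK are assumed, and `<shared-secret>` is a placeholder.

```cisco
! --- Primary ASA 5520 ---
hostname asa-primary
!
! Physical trunk port carrying the three firewalled segments as 802.1Q VLANs
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
!
! Gigabit port reserved for failover: no nameif, the failover commands own it
interface GigabitEthernet0/3
 no shutdown
!
! Same interface named as both the LAN failover link and the stateful link
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key so the hello and state-replication traffic on the link is authenticated
failover key <shared-secret>
failover
!
! --- Secondary ASA 5520 (only the unit role differs; the rest is replicated) ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover
```

Once both units are up, `show failover` on either one should report the peer as Standby Ready and the stateful link as up; a peer stuck in Failed or a link in Unknown state means the pair is not protecting anything yet.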
