Active/Standby Failover with pair of 5510s and redundant L2 links

Jul 8th, 2007


I just got two ASA5510-SEC-BUN-K9 and I'm wondering whether it is possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510s and a redundant pair of switches on both the inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in the Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).

Thanks in advance

Zoran Milenkovic

vitripat Sun, 07/08/2007 - 13:50

Hello Zoran,

Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be the same with ASAs-

The difference is that on ASA, you can only have LAN-based failover, hence you'll need to use one additional interface on both ASAs for the failover link. You can connect these two failover-link interfaces directly using a cross cable.

Apart from this, please refer to the following link on how to go about configuring LAN-based Active/Standby failover-

Also make sure that both ASAs have the required hardware/software/license based on the following link-

Hope this helps.
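
A sketch of the LAN-based Active/Standby setup described in the reply above, added here as an illustration; it is not part of the original thread or taken from the linked Cisco documents. The interface numbers, the link name `folink`, all IP addresses and the key placeholder are assumptions.

```cisco
! ---- Primary unit (assumed: Ethernet0/3 is the dedicated failover interface) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ! active address first, standby unit's address second (constructed values)
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet0/3
 ! the failover interface carries no nameif or data addressing of its own
 no shutdown
!
failover lan unit primary
failover lan interface folink Ethernet0/3
! reuse the same link for stateful (connection table) replication
failover link folink
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
! without a key, failover traffic, including replicated configuration
! and any secrets in it, crosses the link in clear text
failover key <SHARED-SECRET-PLACEHOLDER>
failover
!
! ---- Secondary unit: only the failover bootstrap is entered by hand ----
interface Ethernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface folink Ethernet0/3
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover key <SHARED-SECRET-PLACEHOLDER>
failover
! the rest of the configuration is replicated from the active unit
```

After both units are up, `show failover` on either one reports which unit is active and whether the interfaces are being monitored normally.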



mizoran78 Sun, 07/08/2007 - 15:51

Hello Vibhor,

Thanks for the prompt reply! Unfortunately, I'm still confused about how I should configure the ASAs' interfaces!?

I have two ASAs with all the needed licenses and 5 FE interfaces on each. One I will use for the combined state/failover link, and that's OK. Then, the first two interfaces I will use to connect each ASA with two redundant L2 switches in the INSIDE zone, and the last two FE interfaces I will use to connect each ASA with two redundant L2 switches in the OUTSIDE zone.

But the question is, how should I configure those interfaces?

AFAIK there is no chance to create a BVI or something similar on the ASA, is there? It would be nice to use a VLAN interface and those two pairs of interfaces as switchports, but it seems that's possible only on the 5505!? The other option might be to create a virtual IP for all those interfaces (like the virtual IP in HSRP), but I haven't seen that the ASA supports it either. So are there any suggestions?




