PIX/ASA Failover ques

Jul 25th, 2007

Can I use the same name/IP address for the LAN and stateful link?

Below is the config. PIX accepts this config; I just wanted to confirm if it'll work fine this way.

failover lan interface LAN-AND-STATE Ethernet2

failover link LAN-AND-STATE Ethernet2

failover interface ip LAN-AND-STATE standby

Also, if I use the same physical interface and assign 2 different sets of names and different sets of IPs, is this fine?


failover lan interface LAN Ethernet2

failover link STATE Ethernet2

failover interface ip LAN standby

failover interface ip STATE standby

Any comments, guys?

mark.j.hodge Wed, 07/25/2007 - 09:25

What version of software are you running?

You can do it in PIX V6, but the recommendation is against it. In V7 it is not supported at all. From the Release notes:

If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.


** Please rate post if helpful **

swapnendum Wed, 07/25/2007 - 21:35

I'm using 7.2(2)

Just to clarify your reply: I'm not sharing the STATEFUL interface with any regular traffic interface; rather, I'm sharing it with the LAN Failover interface, and PIX is accepting my commands.

So is this acceptable?

mark.j.hodge Thu, 07/26/2007 - 10:30

Sorry, my misunderstanding; by LAN I thought you meant inside LAN.

Yes, you can use the same interface for the stateful and failover link. Cisco have an example of this here :-


If possible, I would recommend using cable-based failover. If this is not possible due to physical limits, remember the failover link must go through a switch or hub; it cannot be a crossover cable.

** Please rate posts if helpful **
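
A pre-upgrade check for the condition the quoted release note describes, as an added example that is not part of the original posts and is not Cisco tooling: it reads a 7.x-style running-config and reports what the Stateful Failover link shares. The function name, verdict strings and sample configs are constructed, and it assumes regular traffic interfaces are the ones carrying a `nameif` line under an `interface` stanza.

```python
import re

def stateful_link_sharing(config: str) -> str:
    """Classify what the Stateful Failover link shares in a 7.x-style config."""
    data_ifs = {}        # nameif -> physical port, for regular traffic interfaces
    lan = link = None    # (name, physical port or None) from the failover commands
    port = None          # physical port of the interface stanza being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # any top-level line ends the stanza
            m = re.fullmatch(r"interface\s+(\S+)", line)
            port = m.group(1) if m else None
        elif port and (m := re.fullmatch(r"nameif\s+(\S+)", line)):
            data_ifs[m.group(1)] = port
        if m := re.fullmatch(r"failover lan interface\s+(\S+)\s+(\S+)", line):
            lan = m.groups()
        elif m := re.fullmatch(r"failover link\s+(\S+)(?:\s+(\S+))?", line):
            link = m.groups()
    if link is None:
        return "no-stateful-link"
    name, phy = link
    if name in data_ifs or phy in data_ifs.values():
        return "shared-with-traffic-interface"  # case the release note warns about
    if lan and name == lan[0]:
        return "shared-with-lan-failover"       # first config in the question
    if lan and phy == lan[1]:
        return "same-port-different-names"      # second config; not confirmed in thread
    return "dedicated"

# Constructed sample configs (not taken from a real device).
SAME_NAME = """\
interface Ethernet2
 description LAN/STATE Failover Interface
failover lan unit primary
failover lan interface LAN-AND-STATE Ethernet2
failover link LAN-AND-STATE Ethernet2
"""
TWO_NAMES = """\
failover lan interface LAN Ethernet2
failover link STATE Ethernet2
"""
ON_INSIDE = """\
interface Ethernet1
 nameif inside
 security-level 100
failover lan interface LAN Ethernet2
failover link inside
"""
```

Only the `shared-with-traffic-interface` verdict corresponds to the configuration the release note says must be corrected before upgrading.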