ASA5500 setup/cabling & failover questions

Aug 23rd, 2007

Hello all,

I've just started configuring 2x new ASA5520's. They will be either in active/active, or active/passive failover. I'd like to have stateful failover.

A couple of questions:

What is the "management" interface for (other than the potential obvious) - I know traffic can't flow into that interface and out another interface, so is it ONLY meant for managing/configuring the units?

I know that I need a dedicated network between the 2 ASA's for the failover. Can I use the above mentioned management interface for this, rather than one of the Gigabit interfaces?

Both devices have the AIP-SSM-10 module which ALSO has an interface on it. Is this just for administering the module?

Also, anyone who has a similar setup to me, tips, experiences and pointers gladly accepted.

Setup is pretty simple:

Redundant Ethernet internet connections coming through 2x 2801's

Web, mail, app servers & 2811's providing VPN connections in DMZ

Users behind ASA's

Software VPN's will be done directly to ASA's using IPSEC VPN Client - may look at ssl in future.

Migrating from single Pix 6.1


anandramapathy Thu, 08/23/2007 - 06:10

mgmt can be used for failover but it is only 10/100.

mgmt interface has been designed to connect a PC to the management interface for administration ( Cisco design )

if you have huge traffic, then use the 3rd interface for failover since it will be stateful, so speed & bandwidth will be crucial. Connect both the ASA Gigabit directly with a straight cable for failover.

AIP-SSM-10 module interface is only for administration,

actual setup & admin can be done by connecting to the IP either by session 1 from the ASA or via the ASDM by

https://IP of the IPS console

The config is very similar to PIX, in fact the ACLS can be pasted directly.

The ASA will have 1 active & 1 standby

the active ASA will have the active IP & replicate the config to the standby.

HTH - pls rate if helpful
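
The active/standby setup described in the reply above, as an added configuration sketch that is not part of the original post: one Gigabit port carries both the failover LAN link and the stateful link. The interface choice (GigabitEthernet0/3), the link name FOLINK, all IP addresses and the key placeholder are assumptions for illustration.

```cisco
! Constructed example: PRIMARY unit, single context, active/standby.
! Interface numbers, names, addresses and the key are placeholders.

! Dedicated Gigabit port for failover, cabled straight to the peer ASA
interface GigabitEthernet0/3
 no shutdown
!
! Data interface: the active unit owns .1, the standby unit holds .2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Reuse the same link for stateful failover (connection state replication)
failover link FOLINK
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Without a key, failover traffic (including the replicated configuration,
! which can contain passwords and VPN pre-shared keys) crosses the link
! in cleartext
failover key <SHARED-FAILOVER-KEY>
failover
!
! SECONDARY unit: only the bootstrap below is entered by hand; the rest
! of the configuration is replicated from the active unit.
!   interface GigabitEthernet0/3
!    no shutdown
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
!   failover key <SHARED-FAILOVER-KEY>
!   failover
```

`show failover` on either unit reports which unit is active and whether the stateful link is up.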

