ASA 5500 failover design question

dd99onedd · ‎02-19-2008

Hi,

I have a quick question on failover design using two 5540 firewall running in active/standby mode. What is the Pros/Cons of using a crossover cable

between the 2 firewalls VS using a dedicated vlan? I have two 6500 switches with a layer 2 trunk connecting them.

Scenario 1:

I use a dedicated vlan for failover and connect one firewall to Switch A and the other firewall to switch B. If I reboot one of the switches (takes more than 5 minutes), will that caused the firewalls to failover? If so, is there a way to prevent it. I don't want the firewalls to failover unnecessarily.

Scenario 2:

I use a crossover cable between 2 firewalls for failover. One of the drawbacks I heard is that if something goes wrong with the cable, is very hard to troubleshoot.

Any thoughts on which is the prefer failover design?

5220 · ‎02-19-2008

Hi,

You should use a VLAN for failover.

Remember that you need to have each interface used by the ASA in a VLAN with the other matching ASA interface.

As part of the failover mechanism the ASAs will poll each others interface to check if the peer is up or down.

So for a normal setup, you have one VLAN for inside interfaces, one VLAN for outside interfaces and one VLAN for failover interfaces.

It makes little sense to use a cross-over since if a SW fails, all the VLANs for the ASA that resides on the SW fails.

You can also check this guide from Cisco:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Please rate if this helped.

Regards,

Daniel