L3 routing on ASA5520 - how to provide failover to L3 lan switches

Unanswered Question
Feb 27th, 2008

Have dual identical 5520s to provide active/failover for lab environment. To secure environment behind firewalls, I've read that I will need to do L3 routing on ASA and remove L3 vlan routing from dual redundant C6509s.

If I'm doing failover / redundancy between the C6509s (L3 for entire network), how will failover work on ASAs once one L3 lan switch goes down?

Does someone have a sample config which could be used as reference?


Harald-Norvik Wed, 02/27/2008 - 19:02

This is mainly a routing issue.

Failover on the ASAs is handled by the standby unit taking over the IP and MAC address of the active unit, so from your core 6509s you would use one IP gateway address - the ASAs' IP.

To have failover toward the LAN side, you will have to use features like VRRP or HSRP on your 6509. It looks like you have dual 6509s, so I would connect the primary ASA to 6509A and the secondary ASA to 6509B. Same VLAN and of course same IP subnet.

The ASAs are sending hello packets between the two inside interfaces to verify whether the other link is operational (maybe your link between the 6509s failed, or for some other reason the interface is still up).

Fairly simple, and I always recommend using a /29 subnet between the core router and the ASA (not a /30) - even if the client doesn't have a failover config. This way you can easily add features like ASA failover and dual cores at a later time - without changing the subnet.


purohit_810 Wed, 02/27/2008 - 20:48


Connect two crossover cables between the firewalls. One you will use for LAN failover, the other one you will use for the stateful table.

! Failover interfaces take no nameif / security-level / ip address;
! the failover commands below name and address them.
interface Ethernet3
 no nameif
 no security-level
 no ip address
!
interface {state-interface}
 no nameif
 no security-level
 no ip address
!
failover lan unit secondary
failover lan interface failover Ethernet3
failover interface ip failover {failover-ip} {mask} standby {failover-standby-ip}
failover link state {state-interface}
failover interface ip state {state-ip} {mask} standby {state-standby-ip}
failover
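Putting the two replies together - Harald-Norvik's HSRP-on-the-6509s plus /29 transit subnet, and purohit_810's dedicated LAN/stateful failover links - here is an added, complete example of both sides of the design. It is not configuration from either poster; the addresses (10.0.0.0/29 transit, 192.168.254.0/30 and 192.168.253.0/30 for the failover links), VLAN 100, the GigabitEthernet interface names on the 5520, the HSRP group number and the internal summary route are all assumed and should be adjusted to the real environment.

```cisco
! Added example, not from the original thread. All addresses, VLAN and
! interface names below are assumptions.
!
! Addressing plan for the /29 transit (10.0.0.0/29) - five usable addresses
! are needed, which is exactly why a /30 (two usable) is too small:
!   10.0.0.1  HSRP virtual IP shared by the 6509 pair (ASA next hop)
!   10.0.0.2  6509A SVI address
!   10.0.0.3  6509B SVI address
!   10.0.0.4  ASA inside, active unit
!   10.0.0.5  ASA inside, standby unit
!
! ---- 6509A (HSRP active for VLAN 100) ----
interface Vlan100
 description Transit to ASA inside
 ip address 10.0.0.2 255.255.255.248
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <hsrp-secret>
!
! ---- 6509B (HSRP standby for VLAN 100) ----
interface Vlan100
 description Transit to ASA inside
 ip address 10.0.0.3 255.255.255.248
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <hsrp-secret>
!
! ---- ASA 5520 primary unit ----
! The secondary only needs its own "failover lan unit secondary" plus the
! failover link lines; it replicates the rest from the primary.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.4 255.255.255.248 standby 10.0.0.5
 no shutdown
!
! Dedicated crossover links: LAN failover on Gi0/2, stateful link on Gi0/3.
! No nameif / security-level / ip address here; the failover commands own them.
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link stlink GigabitEthernet0/3
failover interface ip stlink 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Failover and state messages carry the running config and connection table.
! Without a key they cross the link in clear; set the same key on both units.
failover key <failover-secret>
! Hellos on the inside interface decide whether this unit is still healthy;
! a failed inside link on the active unit triggers a switchover.
monitor-interface inside
failover
!
! Internal networks behind the 6509 pair are reached via the HSRP address,
! so either core can fail without touching the ASA routing table.
route inside 10.10.0.0 255.255.0.0 10.0.0.1
```

To check the result: on the active ASA, `show failover` should report the unit as Primary - Active, the inside interface as Normal (monitored), and the mate as Standby Ready; on each 6509, `show standby brief` should show 6509A Active and 6509B Standby for group 1. The three links then fail independently: losing 6509A moves the HSRP address to 6509B without the ASA noticing, losing the active ASA moves 10.0.0.4 and its MAC to the mate without the cores noticing, and losing the failover link alone does not cause a switchover because the units still see each other's hellos on the inside interface.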
