ASA A/S failover connection with Switch

Answered Question
Mar 14th, 2008

Hi,

I want to know how we can connect an ASA A/S failover pair from the switch. I have one L3 switch; from there I connected the 2 ASA inside interfaces for the failover. The 1st ASA IP is 10.0.0.1, standby IP 10.0.0.2 (2nd ASA).

What is the procedure we have to configure in the switches?

Do we have to point to the primary ASA as well as the secondary ASA?

I got confused; would anyone help me out?

Thanks

helponline Sun, 03/16/2008 - 21:35

Thanks for your reply. Could you explain briefly how we can configure the switch?

As I understood,

1. all the ports in the switch in the same VLAN

2. what is the default GW for the webserver?

3. 2.1 or 2.2?

If I am wrong, please correct me!

Thanks,

Correct Answer
JORGE RODRIGUEZ Sun, 03/16/2008 - 22:18

"1. all the ports in the switch in the same VLAN"

Correct, if you have, say, 3 interfaces on each firewall Active/Failover, each must have a unique VLAN in the switch. Say, PIX-1-Inside interface VLAN3, PIX-2-Inside interface must be in VLAN3, and so on for other interfaces.

"2. what is the default GW for the webserver?"

"3. 2.1 or 2.2?"

You need to use 192.168.2.1 as your DG.

Using the same link used by Jorge.

I quote from the link!

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

This means the default gateway for your webserver or any host is the IP address of the ASA/PIX physical interface, not the standby IP address you configured.

In an Active/Standby scenario, if the active fails and the standby becomes active, the standby will use the IP addresses of the physical interface you configured in the primary PIX/ASA.

My hosts' default gateways are the physical interface IP addresses configured in the primary PIX. Same principle for ASA.

HTH

Rgds

Jorge
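A configuration sketch of what the answer above describes, added here as an example and not part of the original thread: both units' inside ports sit in one access VLAN, and hosts point at the active address only. The switch and ASA port names, the /24 mask, the choice of VLAN 3 for the 192.168.2.0 segment, and 192.168.2.2 as the standby address are assumptions.

```cisco
! --- L3 switch (IOS): both units' inside ports in the same access VLAN ---
! Port numbers and the VLAN name are assumptions for illustration.
vlan 3
 name ASA-INSIDE
!
interface GigabitEthernet0/1
 description ASA-1 inside (primary unit)
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description ASA-2 inside (secondary unit)
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
! Repeat the pattern for every other interface pair (outside, DMZ, failover
! link), giving each pair its own VLAN so the two units see each other there.
!
! --- ASA, entered on the primary unit (interface name is an assumption) ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
! Hosts on this segment use 192.168.2.1 as their default gateway.
! Whichever unit is active owns 192.168.2.1 and its MAC address, so no
! switch or host change is needed after a failover. 192.168.2.2 is only
! for reaching and monitoring the standby unit, never a gateway.
```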
