Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
768
Views
0
Helpful
4
Replies

ASA A/S failover connection with Switch

Go to solution
helponline
Level 1
Level 1

‎03-14-2008 10:58 PM - edited ‎03-11-2019 05:17 AM

Hi,

I want to know how we can connect asa a/s failover from the switch. i have one l3 switch from there i connected 2 asa inside interface for the failover. 1st asa ip is 10.0.0.1 standby ip 10.0.0.2 (2nd asa).

What are the procedure we have to configure in the switches ?

either we have to point on primary asa as well as 2dary asa ?

I got confused would anyone help me out ?

Thanks

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to helponline

‎03-16-2008 10:18 PM

" 1. all the port in the switch in the same vlan "

Correct, if you have say 3 interfaces on each firewall Active/Failover, each must have unique VLAN in the switch. Say, PIX-1-Inside interface VLAN3 , PIX-2-Inside interface must be in VLAN3 and so on for other interfaces.

" 2. what is the default GW for the webserver ? "

"3. 2.1 or 2.2 ? "

You need to use 192.168.2.1 as your DG

Using the same link used by Jorge.

I quote from link !

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

This means the default gateway for your webserver or any host is the ip address of the ASA/PIX physical interface, not the standby IP address you configured.

In Active/Standby scenario, if active fails and standby becomes active the standby will use the the IP addresses of physical interface you configured in primary PIX/ASA.

My hosts default gateway are the physical interface IP addresses configured in Primary PIX.. same principle for ASA.

HTH

Rgds

Jorge

Jorge Rodriguez

View solution in original post

0 Helpful
4 Replies 4

Go to solution
helponline
Level 1
Level 1
In response to jojuarez

‎03-16-2008 09:35 PM

Thanks for your reply, Could you explain briefly how we can configure the switch.

As i understood,

1. all the port in the switch in the same vlan

2. what is the default GW for the webserver ?

3. 2.1 or 2.2 ?

If i am wrong please correct me !

Thanks,

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to helponline

‎03-16-2008 10:18 PM

" 1. all the port in the switch in the same vlan "

Correct, if you have say 3 interfaces on each firewall Active/Failover, each must have unique VLAN in the switch. Say, PIX-1-Inside interface VLAN3 , PIX-2-Inside interface must be in VLAN3 and so on for other interfaces.

" 2. what is the default GW for the webserver ? "

"3. 2.1 or 2.2 ? "

You need to use 192.168.2.1 as your DG

Using the same link used by Jorge.

I quote from link !

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

This means the default gateway for your webserver or any host is the ip address of the ASA/PIX physical interface, not the standby IP address you configured.

In Active/Standby scenario, if active fails and standby becomes active the standby will use the the IP addresses of physical interface you configured in primary PIX/ASA.

My hosts default gateway are the physical interface IP addresses configured in Primary PIX.. same principle for ASA.

HTH

Rgds

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
helponline
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎03-16-2008 11:10 PM

Thanks,

It's really help full..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card