ASA LAN Failover question

andrewswanson
Level 7

hello

we have 2 5550 ASAs in active-standby mode - please see attached diagram.

the ASAs' LAN Failover, Stateful Failover and Inside interfaces all physically connect into Cisco Catalyst 6500s.

we're about to test the resilience of our network design by powering off one of our 6500s. If ASA A was active and 6500 A was powered off, what would happen regarding failover?

The inside (monitored) interface and the LAN failover interface on ASA A both patch into 6500 A which has been powered off. does failover to ASA B happen because a monitored interface (inside) is down or is there no failover because a failover link (LAN Failover) failed during operation?

any insight appreciated

andy

6 Replies

amohabir1
Level 1

Hey, it's so funny that I am actually doing the same thing now and we posted a similar scenario.

Anyway, the way it works is it will monitor the interfaces you specify. If one of your interfaces detects a link down (and it is specified as an interface that you are monitoring on the firewall), it will automatically force the secondary ASA to become active.

thanks for the reply. the problem is that if the 6500 connected to the primary ASA loses power then the primary ASA Inside, LAN Failover and State Failover interfaces will all go down at the same time.

so the question is does failover occur because the primary ASA inside interface goes down or is there no failover because the LAN Failover interface went down during operation?

thanks

andy

Hey, can you show me what your config looks like for the active and secondary ASAs? I'm still having trouble with the failover times.

Thanks

amohabir1
Level 1

Let me know how long your failover takes because right now my failover takes about a minute to recover sourcing a ping from the inside to any internet site.

A ping to the firewall shows about 2-4 dropped pings before the secondary becomes active. I am not sure if this is normal behavior. But since you are doing a similar test, let me know what your results are.

we've already conducted some testing by manually failing over the ASAs and we aren't dropping any packets. do you have Stateful Failover configured for your ASAs?

andy

Yes, I do have stateful configured; however, I do not have any of the interfaces terminated onto a secondary switch. I just have straight cables connecting the firewalls. I guess it would make more sense to create a separate VLAN on the switch for this purpose. I guess I'll have to do that instead to see how that works out.
