08-27-2008 05:11 AM - edited 03-11-2019 06:36 AM
I'm not having any luck finding specs on Cisco's web site stating why you should use a direct Ethernet crossover cable (connected between two ASA 5510s without a switch) rather than using a switch between/uplinking two ASA 5510s.
I see notes that you can use a direct crossover Ethernet cable between two ASA 5510s, but also see notes (Cisco Press "Cisco ASA, PIX, and FWSM Firewall Handbook", second edition) that you should not.
If you are able to find a Cisco URL/white page stating which type is better, I'll buy you a beer
Thanks, Kevin
08-27-2008 05:22 AM
Kevin,
You are referring to LAN based failover - but that is not the only way:-
In LAN based - the failover interface is recommended to go thru a switch, the "state interface" is recommended to be connected via an xover cable from device to device.
This is true for both active/active & active/standby solutions:-
HTH
08-27-2008 05:24 AM
Andrew
Apologies as this is the 2nd time today I have posted an answer just after you.
Not doing it on purpose :-)
Jon
08-27-2008 05:28 AM
Jon,
Never an issue my friend - he who types fastest eh!! ;o)
08-27-2008 05:23 AM
Kevin
Don't know of a specific white paper/URL so no beer :-( but if you use a crossover cable then the only thing that needs to fail is the active ASA for it to switch to the other ASA.
Using a switch introduces a single point of failure. If you use 2 switches connected via a trunk then you have eliminated the single point of failure.
If the firewalls are close enough I would use a crossover, but you may want your firewalls in different racks in different parts of the data centre, in which case using switches is the way to go. Because of the above I usually use switches.
Jon
08-27-2008 05:55 AM
Ok, I should have stated the environment; due to 3 of the 4 interfaces being used for other LANs (inside, outside, and DMZ), we configured the 4th interface for both STATEful and LAN-based failover. The test 2950 switch was configured for trunking and tested good, but the site where the failover ASA pair is to be set up uses a 4500 series CatOS-coded switch.
Discussion among some of our support is to use a direct crossover.
So depending on the remote site's support configuring their CatOS switch to support the trunked ports for the two ASA failover interfaces, we're concerned about which of the two options to go with.
HOU140ffipt1-pri# sh run | grep failover
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
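What the `sh run | grep failover` output above hides is the part that decides whether the switch option works at all: the 802.1Q tags on the two subinterfaces and the matching trunk on the switch ports. The following is an added example, not Kevin's configuration and not from Cisco documentation; the VLAN IDs 10 and 11, the CatOS ports 3/1 and 3/2, and the descriptions are assumptions, while the failover commands themselves are the ones already shown in the thread.

```cisco
! ASA side (primary unit; the secondary uses "failover lan unit secondary",
! everything else is replicated). Assumed VLAN IDs 10 and 11.
interface GigabitEthernet0/3
 description Failover + state trunk (assumed) to CatOS 4500
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.1
 vlan 10
 description LAN failover link (faillink)
!
interface GigabitEthernet0/3.2
 vlan 11
 description Stateful failover link (statelink)
!
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http

# CatOS switch side (assumed: port 3/1 -> primary ASA, port 3/2 -> secondary ASA)
set vlan 10 name ASA-FAILOVER
set vlan 11 name ASA-STATE
set trunk 3/1 on dot1q 10-11
set trunk 3/2 on dot1q 10-11
# prune every other VLAN off the trunks so only the two failover VLANs are carried
clear trunk 3/1 1-9,12-1005
clear trunk 3/2 1-9,12-1005
# bring the trunks up without waiting for spanning tree on a failover event
set spantree portfast 3/1 enable trunk
set spantree portfast 3/2 enable trunk
```

Two things to check once it is in place: the physical parent GigabitEthernet0/3 and both subinterfaces must carry no `nameif`, because `failover lan interface` and `failover link` name them, and if the two ASAs end up on two different switches (Jon's two-switch variant), the trunk between those switches has to carry VLANs 10 and 11 as well, or the failover hellos are lost and both units may go active. With a direct crossover between the two ASA 5510s instead, the ASA half of this is unchanged and the switch half is simply not needed, since the tags travel end to end over the cable.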
08-27-2008 05:57 AM
asa# sh run | grep failover
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
08-27-2008 06:04 AM
left out the setup; active-standby
thanks, kevin