asa failover config

Sep 12th, 2008

Hi, I am trying to configure active/standby stateful failover on a 5520 ASA. I currently have two core switches running HSRP, with one ASA connected to one of them. Now I am trying to add a second ASA as a failover unit and want to connect the second ASA to the other core switch. Will this work, or will both ASAs have to connect to the same core switch?

What is the best way to connect the ASAs for failover? I was thinking of using a dedicated interface on the ASA and a crossover cable. I also read that you should use a switch between them. Besides easier troubleshooting, is there another benefit to using a switch?

francisco_1 Fri, 09/12/2008 - 14:29


You should connect the active unit to one core and the standby unit to the other core, as long as both devices can communicate with each other. My understanding, and my experience, is that you should use an Ethernet connection that is dedicated to failover traffic. The connection between the firewalls should be on an isolated VLAN, configured for full duplex and fast convergence, so that the connection is highly available.

Don't use a crossover Ethernet cable to connect the two failover LAN interfaces if the firewalls are located close to each other. Instead, each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.

You should also prepare the switch ports where the LAN-based failover interfaces connect so that failover communication can begin almost immediately. Enable Spanning Tree Protocol PortFast and disable trunking and EtherChannel negotiation. You can use the following IOS commands to configure the switch ports:

Switch# configure terminal
Switch(config)# interface type mod/num
! Enable PortFast for immediate traffic forwarding
Switch(config-if)# spanning-tree portfast
! Disable trunking by making it an access switch port
Switch(config-if)# switchport mode access
! Disable EtherChannel negotiation
Switch(config-if)# no channel-group
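As an added example (not part of the thread above), here is a small audit script that parses a switch running-config and reports which failover-link ports do not meet the recommendations in the reply: PortFast enabled, access mode, no channel-group, and full duplex. The config excerpt, interface names and VLAN number are constructed for the example.

```python
"""Audit switch ports used for ASA LAN-based failover links against the
recommended settings: PortFast, access mode, no channel-group, full duplex."""
import re

# Constructed sample running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 description ASA-primary failover link
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
 duplex full
!
interface GigabitEthernet1/0/11
 description ASA-secondary failover link
 switchport mode trunk
 channel-group 5 mode desirable
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS-style config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def failover_port_issues(lines: list[str]) -> list[str]:
    """Return the recommendations a failover-link port stanza violates."""
    issues = []
    if "spanning-tree portfast" not in lines:
        issues.append("PortFast not enabled")
    if "switchport mode access" not in lines:
        issues.append("port is not in access mode (trunking not disabled)")
    if any(l.startswith("channel-group") for l in lines):
        issues.append("EtherChannel negotiation still configured")
    if "duplex full" not in lines:
        issues.append("full duplex not forced")
    return issues


def audit(config: str) -> dict[str, list[str]]:
    """Map every interface in the config to its list of issues (empty = OK)."""
    return {name: failover_port_issues(lines)
            for name, lines in parse_interfaces(config).items()}
```

Running `audit(SAMPLE_CONFIG)` reports the first port as compliant and lists four problems for the second, which is still trunking and negotiating EtherChannel.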
