rebuilding interfaces on ASA pair...will this affect failover?

Unanswered Question
Jan 10th, 2009

We have pair of ASA's that are running active/standby failover between them. We have a need to take one of the physical interfaces (not the one we use to connect to for management) and split it into two subinterfaces. So my question is how should I approach it? what will happen with failover once I strip the IP off the physical interface and remove the security-level? will it trigger confusion for the failover firewall? Or should I disable failover when I do it, in which case once I have the primary failover configured, will it replicate the changes to the standby once I re-enable the failover? Or will I need to manually need to do anything on the standby firewall? Please explain the best method of accomplishing this as this will be done remotely, but as I indicated, the physical interface we are splitting is not the interface in which our SSH will be established. ASA is running 7.2. Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Mon, 01/12/2009 - 14:55

Hi Matt,

Nothing will happen to the failover, I can assure you of that, as long you do not touch the actual Physical LAN failover configuration you should be safe, or remove the LAN failover link if you are doing it by dedicated interface. Literally you do not have to touch the secondary failover unit for anything since you will be working from the Primary unit always and your L2 switch for the trunking.

All above said is assuming you will not touch the dedicated LAN failover link , Im assuming you are working with a different ethernet0/x interface you had configured for something else before and want to reconfigured that interface with more logical interfaces.

So to summarize your implemenation to split up a physical interface into logical simply work from the primary unit, and your respective physical connections on the switch for the l2 vlans and trunking each physical connection on each of the ASA appliences for thier physical interfaces. Again, since failover is in place u do not need to reconfigured failover or touch its configuration for LAN failover or even Statefull failover. Once your write mem on the Primary , configuration will be replicated to Secondary_standby unit fine.

one thing you do however need to be aware is when you create the new logical subinterfaces on the Primary ASA they will appear as bellow:

For example when you do show failover after your impemention they will look as :

Interface NEW_TEST1 (10.30.30.2): Normal (Not-Monitored)

Interface NEW_TEST2 (10.40.40.2): Normal (Not-Monitored)

to have them monitored you need to :

from config mode issue

monitor-interface ?

asa(config)#

asa(config)#monitor-interface NEW_TEST1

asa(config)#monitor-interface NEW_TEST2

then do a show failover

Interface NEW_TEST1 (10.30.30.2): Normal (Waiting)

Interface NEW_TEST2 (10.40.40.2): Normal (Waiting)

show failover again and the new interfaces will show normal

Last Failover at: 13:05:10 UTC Jan 12 2009

This host: Primary - Active

Active time: 9168 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)

Interface outside (172.16.1.1): Normal

Interface inside (10.20.20.1): Normal

Interface NEW_TEST1 (10.30.30.1): Normal

Interface NEW_TEST2 (10.40.40.1): Normal

slot 1: empty

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)

Interface outside (172.16.1.2): Normal

Interface inside (10.20.20.2): Normal

Interface NEW_TEST1 (10.30.30.2): Normal

Interface NEW_TEST2 (10.40.40.2): Normal

Regards

PLS rate any helpful posts

JORGE RODRIGUEZ Wed, 01/14/2009 - 07:37

Hi Matt, just following up on your original post, do you still have concerns or any other questions on your implementation , PLS let us know if you do to assist you fruther.

Regards

Jorge

Actions

This Discussion