01-10-2009 06:54 AM - edited 03-11-2019 07:35 AM
We have a pair of ASAs that are running active/standby failover between them. We have a need to take one of the physical interfaces (not the one we use to connect to for management) and split it into two subinterfaces. So my question is how should I approach it? What will happen with failover once I strip the IP off the physical interface and remove the security-level? Will it trigger confusion for the failover firewall? Or should I disable failover when I do it, in which case once I have the primary failover configured, will it replicate the changes to the standby once I re-enable the failover? Or will I need to manually do anything on the standby firewall? Please explain the best method of accomplishing this, as this will be done remotely, but as I indicated, the physical interface we are splitting is not the interface over which our SSH will be established. ASA is running 7.2. Thanks
01-12-2009 10:39 AM
Anyone?
01-12-2009 02:55 PM
Hi Matt,
Nothing will happen to the failover, I can assure you of that. As long as you do not touch the actual physical LAN failover configuration, or remove the LAN failover link if you are doing it by dedicated interface, you should be safe. You literally do not have to touch the secondary failover unit for anything, since you will always be working from the Primary unit and your L2 switch for the trunking.
All of the above assumes you will not touch the dedicated LAN failover link; I'm assuming you are working with a different ethernet0/x interface you had configured for something else before and want to reconfigure that interface with more logical interfaces.
So, to summarize your implementation: to split up a physical interface into logical ones, simply work from the primary unit and your respective physical connections on the switch for the L2 VLANs, trunking each physical connection on each of the ASA appliances for their physical interfaces. Again, since failover is in place you do not need to reconfigure failover or touch its configuration for LAN failover or even stateful failover. Once you write mem on the Primary, the configuration will be replicated to the Secondary standby unit fine.
One thing you do need to be aware of, however, is that when you create the new logical subinterfaces on the Primary ASA they will appear as below:
For example, when you do show failover after your implementation they will look like:
Interface NEW_TEST1 (10.30.30.2): Normal (Not-Monitored)
Interface NEW_TEST2 (10.40.40.2): Normal (Not-Monitored)
To have them monitored you need to:
From config mode issue
monitor-interface ?
asa(config)#
asa(config)#monitor-interface NEW_TEST1
asa(config)#monitor-interface NEW_TEST2
Then do a show failover
Interface NEW_TEST1 (10.30.30.2): Normal (Waiting)
Interface NEW_TEST2 (10.40.40.2): Normal (Waiting)
Show failover again and the new interfaces will show normal
Last Failover at: 13:05:10 UTC Jan 12 2009
This host: Primary - Active
Active time: 9168 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (172.16.1.1): Normal
Interface inside (10.20.20.1): Normal
Interface NEW_TEST1 (10.30.30.1): Normal
Interface NEW_TEST2 (10.40.40.1): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (172.16.1.2): Normal
Interface inside (10.20.20.2): Normal
Interface NEW_TEST1 (10.30.30.2): Normal
Interface NEW_TEST2 (10.40.40.2): Normal
Regards
Please rate any helpful posts
01-14-2009 07:37 AM
Hi Matt, just following up on your original post. Do you still have concerns or any other questions on your implementation? Please let us know if you do, so we can assist you further.
Regards
Jorge