failover configuration

Unanswered Question
Jan 27th, 2009

I have 2 ASA5520s which I need to configure in stateful failover mode.


I am using gi0/3 on both ASAs for the failover and they are directly connected to one another (not going through a switch) but cannot get them to sync.


I looked at:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml


But was not sure which example to use.


Does anyone have a sample config for stateful failover on a 5520 + steps?


On a side note, from a design standpoint, I would assume you would connect each firewall to one core switch internally and route to the HSRP address internally, correct? What about the outside interface, given there is only one physical port that represents the outside, do you need a switch to connect both firewalls to that single (ISP) port being the www?

eddie.mitchell@... Wed, 01/28/2009 - 18:28

Ron,


You should reference the LAN-based failover configuration example in that document for the required steps. Cable-based failover is not supported with the ASA appliances.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas


During failover, the "backup" ASA will assume the IP address of the previous "primary" unit. Therefore, you should route to the IP address you assigned to the internal interface of the primary ASA.


Yes, a redundant switch cluster upstream from the ASAs should be used to connect to the ISP CE device(s).


Hope this helps.


Best Regards,

Eddie
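
A LAN-based stateful failover configuration of the kind the reply points to, using the directly connected gi0/3 link from the question. This is an added example, not part of the original thread or the linked Cisco document; the `FOLINK` name, all IP addresses, the data-interface assignments and the key are placeholder assumptions.

```cisco
! Added example; addresses, the FOLINK name and the key are placeholders.
! ---- Primary unit ----
! The failover port carries no nameif or ip address of its own.
interface GigabitEthernet0/3
 no shutdown
!
! Data interfaces: active address plus a standby address in the same subnet.
! After a failover the new active unit takes over the first (active) address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Stateful failover: reuse the same link for connection-state replication.
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Same shared secret on both units.
failover key <SHARED-SECRET-PLACEHOLDER>
failover
!
! ---- Secondary unit (only the failover bootstrap is entered by hand) ----
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <SHARED-SECRET-PLACEHOLDER>
failover
!
! Verify on either unit:
! show failover
```

Without `failover key`, the replicated configuration and connection state cross the failover link in clear text, so set it even on a back-to-back cable. The rest of the configuration is replicated from the primary once the units see each other.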
