failover configuration

ronshuster · ‎01-27-2009

I have 2 ASA5520's which I need to configure in statefull failover mode.

I am using gi0/3 on both ASA's for the failover and they are directly connected to one another (not going through a switch)but cannot get them to synch.

I looked at :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

But was not sure which example to use.

Anyone has a sample config for statefull failover on a 5520 + steps?

On a side note, from design stand point, I would assume you would connect each firewall to one core switch internally and route to the hsrp address internall, correct? What about the outside interface, given there is only one physical port that represents the outside, do you need a switch to connect both firewalls to that single (ISP) port being the www?

eddie.mitchell · ‎01-28-2009

Ron,

You should reference the LAN based failover configuration example in that document for the required steps. Cable based failover is not supported with the ASA appliances.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

During failover, the "backup" ASA will assume the IP address of the previous "primary" unit. Therefore, you should route to the IP address you assigned to the internal interface of the primary ASA.

Yes, a redundant switch cluster upstream from the ASA's should be used to connect to the ISP CE device(s).

Hope this helps.

Best Regards,

Eddie