01-28-2009 05:35 PM - edited 03-09-2019 09:59 PM
Hey all, we have a dual ASA5520 setup for failover on a dedicated interface (directly connected with a straight cable).
They will need to be located on two separate parts of the network temporarily. Is there any way we can use a dedicated VLAN to allow the failover interfaces to communicate?
I know it is not recommended, but it will only be temporary.
thanks
-robert
01-28-2009 06:15 PM
Robert,
A dedicated VLAN should work fine. This Cisco document references using dedicated VLANs for LAN-based failover:
Hope this helps.
Best Regards,
Eddie
01-28-2009 07:03 PM
It looks like the switch connected to the failover interfaces is used only for that purpose. In our setup, the failover will be interconnected through several switches in our core but only on one VLAN.
01-28-2009 07:29 PM
As long as the VLAN is dedicated for failover traffic only, I think you should be fine.
The only other issue in your case that I can possibly think of would be the potential for increased latency by having the failover communication traversing several physical switches to reach the other unit.
According to the PIX/ASA v7.0 command reference, "For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages."
I don't think it should be an issue, but you never know. ;)
01-28-2009 08:51 PM
nice, thanks a lot!
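
The setup discussed in this thread, as an added configuration sketch (not posted by any participant and not taken from the Cisco document): a failover-only VLAN carried across the core switches, with the ASA failover link keyed because it no longer runs over a private cable. VLAN 999, the switch and ASA interface names, the link name `folink`, the 192.0.2.x addresses and the key placeholder are all assumptions.

```cisco
! --- On every core switch in the path (IOS syntax; VLAN ID and ports are assumed) ---
vlan 999
 name ASA-FAILOVER
!
! Access port facing the ASA failover interface; nothing else joins this VLAN
interface GigabitEthernet1/0/10
 description ASA failover link
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Inter-switch trunk: add VLAN 999 so it is carried end to end
interface GigabitEthernet1/0/48
 switchport trunk allowed vlan add 999
!
! --- Primary ASA 5520 ---
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Failover messages cross the link in clear text unless a key is set.
! On shared switches, set the same key on both units.
failover key <shared-secret-placeholder>
failover
!
! --- Secondary ASA 5520: same commands, only the unit role differs ---
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key <shared-secret-placeholder>
failover
```

`show failover` on either unit confirms that the peers see each other across the VLAN. Round-trip time between the two failover addresses can then be compared with the latency figures quoted from the command reference above.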