ASA failover design

Unanswered Question
Aug 6th, 2009

Hello Everyone,

We are replacing all of our PIX firewalls in our main data center with ASA 5550s. We have 7 pairs of the 5550s. What would be the best design scenario to set up the LAN/Stateful failover connection? The documentation states you can have it plugged between each other or in a dedicated switch, as long as there are no hosts, routers or security appliances on the same segment as the failover link.

We are thinking of having them plugged into a stack of 3750E switches, since we have the available ports on them. The primary firewall will plug into one of the switches in the stack and the secondary into the other switch in the stack, with separate VLANs for all of the pairs. Are there any issues with having them plugged into a cross stack?

srue Thu, 08/06/2009 - 18:48

As long as the failover/stateful interfaces have network connectivity to each other, it's fine. I don't recommend connecting them directly with a crossover though, because it results in unpredictable behavior if one goes down - then the other thinks its failover interface is down also.

solpandor Wed, 08/12/2009 - 02:49

Hi,

The way our 5510s are set up is by putting the failover interfaces in their own VLAN rather than connecting them together.

HTH
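
A sketch of the per-pair VLAN layout discussed in this thread, added here as an example and not taken from any poster's configuration. The VLAN number, port numbers, interface name `FOLINK`, addresses and key placeholder are all assumptions chosen for illustration; one pair is shown and the other six would repeat it with their own VLAN and subnet.

```cisco
! --- 3750E stack: one isolated VLAN per ASA pair (pair 1 shown) ---
! VLAN 901 and the switch port numbers are constructed values.
vlan 901
 name ASA-PAIR1-FAILOVER
!
! Primary unit lands on stack member 1
interface GigabitEthernet1/0/1
 description ASA pair 1 primary failover
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
! Secondary unit lands on stack member 2 (cross-stack)
interface GigabitEthernet2/0/1
 description ASA pair 1 secondary failover
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
! Keep the segment free of other devices, as the documentation
! quoted in the question requires: no SVI for VLAN 901, no other
! access ports in it, and do not carry it on any trunk.

! --- ASA pair 1, primary unit ---
! GigabitEthernet0/3 is an assumed spare port; it carries both the
! LAN failover link and the stateful link.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Without a failover key the traffic between the units crosses the
! switch in clear text, so set one when the link is not a direct cable.
failover key <shared-failover-key>
failover

! --- ASA pair 1, secondary unit ---
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key <shared-failover-key>
failover
```

After both units are up, `show failover` on each ASA reports the unit role and the state of the failover and stateful link.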
