Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
496
Views
0
Helpful
7
Replies

ASA Failover

fvanlancker
Level 1
Level 1

‎10-01-2009 07:56 AM - edited ‎03-11-2019 09:22 AM

If an ASA has lan failover and statefull crossover-cables connected without an intermediate switch. If one ASA goes down the other asa senses two links are down, will this be an issue ? In the cisco the second edition of the firewall handbook it is a tip not to connect the back to back but it does not say what happens in a real situation.

Labels:
0 Helpful
7 Replies 7

Collin Clark
VIP Alumni
VIP Alumni

‎10-01-2009 08:18 AM

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.

0 Helpful

fvanlancker
Level 1
Level 1
In response to Collin Clark

‎10-01-2009 08:22 AM

Hi Collin,

Thanks for the info, but do you think that the statefull en Lan link are also monitored ? There is certainly no option to monitor them.

And what if switch would fail ? Will both asa's become active ?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to fvanlancker

‎10-01-2009 08:26 AM

You typically attach each ASA to a different switch for full redundancy. The failover link is inherently monitored because that link is where the majority of failover communications occur. If that link fails, then each ASA thinks it's primary.

0 Helpful

fvanlancker
Level 1
Level 1
In response to Collin Clark

‎10-02-2009 05:20 AM

Assume:

a:

2 ASA connected via 2 failover interfaces in active/standby configuration. The secondary ASA goes down.

What happens ?

b: Same scenario but the primary goes down.

c: They both go down and come back up again,but the secondary is first. How will te switches mac-address tables and the routers handle their arp table ?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to fvanlancker

‎10-02-2009 05:33 AM

a. Nothing really. The primary still thinks it's primary and continues to pass traffic.

b. Once the heartbeat fails (2 times I believe) the secondary becomes primary and starts passing traffic.

c. The ARP tables will be empty because of the ASA outage so when the ASAs come back up, the switch will populate their ARP tables as normal. Since the 2nd ASA comes up first, it will be primary.

0 Helpful

fvanlancker
Level 1
Level 1
In response to Collin Clark

‎10-02-2009 05:52 AM

but the failover interfaces are monitored, so if I put the threshold on 1 no ASA will be active.

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to fvanlancker

‎10-02-2009 05:57 AM

They both think they are active. They both want to be active. The active keeps telling the secondary to 'stand down, I'm in charge right now.' The standby keeps waiting and wanting to be in charge. As soon as it doesn't here from the one in charge, it takes over and assumes the role.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card