10-21-2009 02:50 AM - edited 03-11-2019 09:28 AM
I have a pair of ASA 5510s with the Security Plus license. I am going to set up site-2-site VPN on them in Active/Standby configuration with STATEFUL failover. I WILL NOT BE USING ANY 802.1Q. I will be running ASA 8.2.1 code.
The ASA5510 comes with 5 interfaces. I have a requirement to have outside, inside, dmz1 and dmz2. However, upon reading this document, I think it stated that I need to have two NICs, one for the failover interface and one for the state interface. If that is the case, that will leave me with only three interfaces.
Is it possible to combine both the state and failover interface into a single physical interface? I remembered I had done it once three years ago with a PIX firewall and even though does not recommend it, it can be done.
Can it be done on ASA with LAN-based failover, combining both failover and state into a single interface? If so, how?
Thanks in advance.
10-21-2009 03:16 AM
Yes, you can have state and failover on the same interface. You can keep them separate if you have a high volume of stateful data synchronizing between your ASAs, so as not to affect failover.
10-21-2009 03:51 AM
OK. Do you have the link that provides a sample configuration for this?
10-21-2009 03:53 AM
10-21-2009 03:56 AM
You are sending me the same HTML link I put in the original thread. Where in there does it show how to share both the failover and the state link?
10-21-2009 04:09 AM
In the URL, under LAN-Based Active/Standby Failover Configuration, option 5 shows how to enable stateful failover on the failover link.
10-21-2009 04:20 AM
Would you mind pasting the configuration in here? I am not seeing it. All I am seeing is TWO interfaces, one for state, the other one for link:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.0.0 standby 172.16.1.2
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!--- Configure "no shutdown" in the stateful failover interface
!--- of both Primary and secondary PIX.
interface Ethernet2
 nameif state
 description STATE Failover Interface
interface ethernet3
 nameif failover
 description LAN Failover Interface
!
10-21-2009 05:12 AM
Step 1: First, enable failover.
hostname(config)#failover lan enable
hostname(config)#failover lan unit primary
hostname(config)#failover lan interface failover Ethernet3
hostname(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
hostname(config)#interface Ethernet3
hostname(config-if)#no shutdown
Step 2: In order to enable stateful failover, configure the stateful failover link.
hostname(config)#failover link state Ethernet3
hostname(config)#failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2
Note: If the stateful failover link uses the failover link or a data interface, you only need to supply the if_name argument.
10-21-2009 06:22 AM
How do you do this:
hostname(config)#failover lan enable
rdhllasa0n(config)# failover lan ?
configure mode commands/options:
  interface  Configure the interface and vlan to be used for failover communication
  unit       Configure the unit as primary or secondary
rdhllasa0n(config)# failover lan
There is no "failover lan enable" option.
10-21-2009 06:30 AM
I think that command depends on version! I got it from the URL for version 7.2(1). What version are you using?
10-21-2009 06:31 AM
I stated in the original thread that I use version 8.2.1
10-21-2009 06:34 AM
Below is what I have on my ASA for stateful/failover with the same code as you. Just change the interface to match yours. You can change the polltime to match yours.
failover
failover lan unit primary
failover lan interface LAN-Failover TenGigabitEthernet7/0
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover link LAN-Failover TenGigabitEthernet7/0
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
10-21-2009 06:35 AM
On the secondary ...
change failover lan unit primary to failover lan unit secondary
10-21-2009 06:39 AM
That's all you should need to get failover/state going on your ASA...
10-21-2009 06:55 AM
Thank you. That works.
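As an added example (not part of the thread and not Cisco's code), the following Python check reads the failover lines of an ASA configuration and reports whether the stateful link shares the LAN failover link, covering the separate-link layout as well as the shared one that solved this thread. The function names `parse_failover` and `audit` are hypothetical, and the sample configuration is constructed from the commands posted above.

```python
import ipaddress
# Constructed sample: the shared failover/state configuration posted in this thread.
SAMPLE = """\
failover
failover lan unit primary
failover lan interface LAN-Failover TenGigabitEthernet7/0
failover link LAN-Failover TenGigabitEthernet7/0
failover interface ip LAN-Failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
"""

def parse_failover(config):
    """Collect the failover settings that matter for link sharing."""
    info = {"enabled": False, "lan": None, "link": None, "ips": {}}
    for line in config.splitlines():
        w = line.split()
        if w[:1] != ["failover"]:
            continue
        if len(w) == 1:
            info["enabled"] = True
        elif w[1:3] == ["lan", "interface"] and len(w) == 5:
            info["lan"] = (w[3], w[4].lower())  # (if_name, physical port)
        elif w[1] == "link" and len(w) in (3, 4):
            info["link"] = (w[2], w[3].lower() if len(w) == 4 else None)
        elif w[1:3] == ["interface", "ip"] and len(w) == 8 and w[6] == "standby":
            net = ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False)
            info["ips"][w[3]] = ipaddress.ip_address(w[7]) in net
    return info

def audit(config):
    """Return (mode, findings); mode is 'shared', 'separate' or 'none'."""
    info, findings = parse_failover(config), []
    if not info["enabled"]:
        findings.append("failover is not enabled")
    if info["lan"] is None:
        return "none", findings + ["no LAN failover interface configured"]
    names, mode = [info["lan"][0]], "none"
    if info["link"] is not None:
        mode = "shared" if info["link"][0] == info["lan"][0] else "separate"
        if mode == "separate":
            names.append(info["link"][0])
            # The note quoted in the thread: a shared link only needs the if_name.
            if info["link"][1] == info["lan"][1]:
                findings.append("state link reuses the failover port under another name")
    for name in names:
        if name not in info["ips"]:
            findings.append(f"no 'failover interface ip' for {name}")
        elif not info["ips"][name]:
            findings.append(f"standby address for {name} is outside the active subnet")
    return mode, findings
```

`audit(SAMPLE)` returns `("shared", [])`; running it over a saved `show running-config` from each unit gives a quick consistency check before the pair is cabled together.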