ASA Failover Connection -- why is a dedicated switch needed?

Answered Question
Oct 23rd, 2009

In the Cisco document (ID 77809), PIX/ASA: Active/Standby Failover Configuration Example, section LAN-Based Active/Standby Failover Config, it states: "Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units".

Can anyone please let me know more about the reasoning behind it?

Also, if we do not use a "dedicated switch" but instead use a VLAN in the switch for this purpose, the config looks like: primary ASA <--> primary switch <--> secondary switch <--> secondary ASA.

These two switches are distribution switches.

Can you see any problem?

Thanks.

Correct Answer by Collin Clark about 7 years 2 months ago

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure. You don't need a dedicated switch, you can use your distribution switches.

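The configuration below is an added example, not part of the original thread or of the Cisco document being quoted. It shows the LAN-based failover link described above running through a VLAN on the two distribution switches rather than a crossover cable or a separate physical switch, so that a failed peer port leaves the surviving unit's link up. The interface names, VLAN id, IP addresses and the shared key are assumptions chosen for illustration.

```cisco
! Added example (not from the original thread). Interface names, VLAN 999,
! the 10.255.255.0/30 addresses and the key placeholder are assumptions.
!
! ===== Primary ASA =====
failover lan unit primary
! Logical name FOLINK bound to the physical port that goes to the switch
failover lan interface FOLINK GigabitEthernet0/3
! Both units use the same statement; "standby" is the peer's address
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Stateful replication carried on the same link (a separate link is also allowed)
failover link FOLINK GigabitEthernet0/3
! Failover traffic (config sync, state) is cleartext unless a key is set
failover key <REPLACE-WITH-SHARED-KEY>
failover
!
! ===== Secondary ASA =====
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK GigabitEthernet0/3
failover key <REPLACE-WITH-SHARED-KEY>
failover
!
! ===== Each distribution switch =====
! A VLAN that carries only the failover link; no hosts or other traffic in it
vlan 999
 name ASA-FAILOVER
!
! Access port facing the local ASA's FOLINK
interface GigabitEthernet1/0/10
 description ASA FOLINK (failover VLAN only)
 switchport mode access
 switchport access vlan 999
 ! Forward immediately on link-up so the failover hello exchange is not
 ! delayed by spanning-tree listening/learning after a port bounce
 spanning-tree portfast
 no cdp enable
!
! Inter-switch trunk between the two distribution switches: the failover
! VLAN must be allowed on it, otherwise the two ASAs never see each other
interface GigabitEthernet1/1/1
 description Trunk to peer distribution switch
 switchport mode trunk
 switchport trunk allowed vlan add 999
```

With this layout, a failed port or unit on one side drops only that side's link; the other ASA still sees its own switch port up and can distinguish "my peer is gone" from "my own interface is down", which is the point made in the answer. Confirm the state on either unit with `show failover`, and verify that VLAN 999 is present on the inter-switch trunk before enabling failover, since a missing allowed VLAN produces exactly the symptom of both units believing they are alone.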
