ASA 5520 - Failover on sub-interface

Unanswered Question
Dec 7th, 2009

Hi All,

I'm tryng to configure Active/Stanby failover on two ASA-5520, regular and statefull, on two sub-interfaces, but I receive the same ERROR:

"Can not configure failover interface on a shared physical interface"

It is possible? and how can I resolve?

Regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
andre.ortega Mon, 12/07/2009 - 05:16

You cant use a sub-interface.

LAN-Based Failover Link

You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface. It exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the stateful failover link).

Regards.

Stuart Hare Mon, 12/07/2009 - 08:23

Hi

You can configure Failover on sub-interfaces as long as the physical interface is dedicated to failover.

I.e. you can have 2 vlans one for lan based failover and one for state.

If you are using the same physical interface for any other vlans i.e. inside or outside interfaces then this is not allowed.

HTH

Stu

Rafal Sobecki Thu, 09/03/2015 - 03:18

Hi

I know this thread is old but did not find a more relevant one for my question and could not find any specific guidelines on cisco.com abt. using one dedicated interface for both failover and state vs. creating two subinterfaces - one for failover and the other for state.

In my setup, EtherChannel (Gi0/4 + Gi0/5) is dedicated for both failover and state and two L2 catalyst stacks connected in series sit between the ASAs:

ASA1=STACK1=STACK2=ASA2

In this setup STACK ports facing the ASAs are regular access ports (with a dedicated VLAN present in the 802.1q trunk between the stacks)

Alternatively, I can imagine breaking down the EtherChannel interfaces into subinterfaces on the ASAs and converting the ASA=STACK links from access into trunks.

But in the end, are there any practical advantages which would justify the configuration/management slight overhead?

Regards,

Rafal

Actions

This Discussion