ASA 5540 failover

Unanswered Question
Mar 8th, 2010

Hi,

ASA 5540 has 4 gigabit and 1 FE ports (most likely it is management - correct me if I am wrong). If we need three interfaces, inside, outside and DMZ, we are left with only one gigabit interface.


If we need to configure failover in stateful mode we need two more interfaces, the first for "Failover-LAN" and another for "State". In our case we would need a total of 5 gigabit interfaces, namely inside, outside, dmz, failover-lan, state.


Case 1: configure regular failover where you need only one interface; the second interface for "state" is optional. This is inside, outside, dmz and Failover-LAN, a total of four interfaces. In this case it will be a regular failover configuration (stateful failover is not possible). Can this be done for a regular failover configuration?


Case 2: if possible, use the management interface as the state interface and configure "stateful" failover. I am not sure if this can be done.


Please share your experience.

Thanks in advance

Subodh

francisco_1 Mon, 03/08/2010 - 09:18

You can use subinterfaces.


For example, you can use subinterfaces for your failover and stateful links under the same physical interface.


You can use the mgt interface for your failover if you like, but I always suggest you use subinterfaces where possible and keep mgt dedicated to management only.

AnujPratap Mon, 03/08/2010 - 18:17

Case 1: In ASA 5540 you cannot use Regular failover (because the ASA firewall doesn't support Regular failover).


Case 2: Yes, you can use the management interface for failover by first using the commands below on the firewall management interface.


ASA(config)#int Management0/0
ASA(config-if)#no management-only
ASA(config-if)#exit


We have another option to configure failover.
We can configure both LAN-based failover and stateful failover on the same firewall interface. Below is a sample configuration for your help.

###############Primary Firewall###############

ASA-Prim(config)#failover
ASA-Prim(config)#failover lan unit primary
ASA-Prim(config)#failover lan interface failover GigabitEthernet0/3
ASA-Prim(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA-Prim(config)#failover replication http
ASA-Prim(config)#failover link failover GigabitEthernet0/3
!
ASA-Prim(config)#interface GigabitEthernet0/3
ASA-Prim(config-if)#description LAN/STATE failover interface
ASA-Prim(config-if)#no shutdown


###############Secondary Firewall###############

ASA-Standby(config)#failover
ASA-Standby(config)#failover lan unit secondary
ASA-Standby(config)#failover lan interface failover GigabitEthernet0/3
ASA-Standby(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA-Standby(config)#failover link failover GigabitEthernet0/3

ASA-Standby(config)#failover replication http
!
ASA-Standby(config)#interface GigabitEthernet0/3
ASA-Standby(config-if)#description LAN/STATE failover interface
ASA-Standby(config-if)#no shutdown
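
Added example (not part of any post in this thread): a small Python check that reads the failover commands discussed above and reports which interfaces carry the LAN failover and state links, whether they share one port, and whether the management port or a subinterface is used. The function name `failover_layout` is hypothetical, the sample is constructed from the primary-unit commands posted above, and it assumes the physical interface is given on the `failover link` line as in that sample.

```python
import re

# Constructed sample, modelled on the primary-unit commands posted in the thread.
SAMPLE = """\
ASA-Prim(config)#failover
ASA-Prim(config)#failover lan unit primary
ASA-Prim(config)#failover lan interface failover GigabitEthernet0/3
ASA-Prim(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA-Prim(config)#failover replication http
ASA-Prim(config)#failover link failover GigabitEthernet0/3
"""

# Strips a CLI prompt such as "ASA(config-if)#"; running-config lines pass through.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def failover_layout(config_text):
    """Summarise which interfaces carry the LAN failover and state links."""
    info = {"enabled": False, "unit": None, "lan": None, "state": None}
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words or words[0].lower() != "failover":
            continue
        if len(words) == 1:                       # bare "failover" enables it
            info["enabled"] = True
        elif words[1:3] == ["lan", "unit"] and len(words) == 4:
            info["unit"] = words[3]               # primary / secondary
        elif words[1:3] == ["lan", "interface"] and len(words) == 5:
            info["lan"] = words[4]                # failover lan interface <name> <if>
        elif words[1] == "link" and len(words) == 4:
            info["state"] = words[3]              # failover link <name> <if>
    lan, state = info["lan"], info["state"]
    used = [i for i in (lan, state) if i]
    info["stateful"] = state is not None
    info["shared_link"] = state is not None and state == lan
    info["uses_management"] = any(i.lower().startswith("management") for i in used)
    info["uses_subinterface"] = any("." in i for i in used)
    # Physical ports consumed by failover (a subinterface counts as its parent).
    info["ports_used"] = sorted({i.split(".")[0] for i in used})
    return info


if __name__ == "__main__":
    for key, value in failover_layout(SAMPLE).items():
        print(f"{key}: {value}")
```
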
