Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1866
Views
0
Helpful
2
Replies

ASA 5540 failover

bapatsubodh
Level 1
Level 1

‎03-08-2010 09:16 AM - edited ‎03-12-2019 05:59 PM

Hi,

ASA 5540 has 4 gigabit and 1 FE ports. ( most likely it is management - correct me if I am worng ). If we need three interfaces inside,outside and DMZ we are left with only one gigabit interface.

if we need to configure failover in stateful mode we need two more interfaces  first for "Failover-LAN" and another for "State".  In our case we would need total 5 gigabit interfces namely - inside,outside,dmz, failover-lan, state.

Case 1 : configure regular failover where you need only one interface, second interface for  "state"  is optional. This is - inside, outside, dmz and Failover-LAN total four interfaces. In this case it will be regular failover configuration ( stateful failover is not posible ).  Can this be done for regular failover configuration?

Case 2 : if possible use management interface  as the state interface and configure "statefull" failover. I am not sure if this ca be done.

Please share the experience

Thanks in advance

Subodh

Labels:
0 Helpful
2 Replies 2

francisco_1
Level 7
Level 7

‎03-08-2010 09:18 AM

You can use subinterfaces.

For example you can use subinterface for your failover and stateful under the same phsical interface.

You can use mgt interface for your failover if you like but i alway suggest you use subinterface were possible and keep mgt dedicated to managment only.

0 Helpful

AnujPratap
Level 1
Level 1
In response to francisco_1

‎03-08-2010 06:17 PM

Case 1: In ASA 5540 you cannot use Regular failover. (Because ASA firewall don't support Regular failover).

Case 2: Yes, you can use management interface for failover by using 1st below commands on firewall management interface.

ASA(config)#int Management0/0
ASA(config-if)#no management-only
ASA(config-if)#exit


We have another option to configuration failover.
We can configure both LAN base failover and SATEFULL failover on same firewall interface. Below are the sample configuration for your help.

###############Primary Firewall###############

ASA-Prim(config)#failover
ASA-Prim(config)#failover lan unit primary
ASA-Prim(config)#failover lan interface failover GigabitEthernet0/3
ASA-Prim(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA-Prim(config)#failover replication http
ASA-Prim(config)#failover link failover GigabitEthernet0/3
!
ASA-Prim(config)#interface GigabitEthernet0/3
ASA-Prim(config-if)#Description LAN/SATE failover inteface
ASA-Prim(config-if)#no shutdown


###############Secondary Firewall###############

ASA-Standby(config)#failover
ASA-Standby(config)#failover lan unit secondary
ASA-Standby(config)#failover lan interface failover GigabitEthernet0/3
ASA-Standby(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA-Standby(config)#failover link failover GigabitEthernet0/3

ASA-Standby(config)#failover replication http
!
ASA-Standby(config)#interface GigabitEthernet0/3
ASA-Standby(config-if)#Description LAN/SATE failover inteface
ASA-Standby(config-if)#no shutdown

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card