ASA HA pair and L2 switches

Unanswered Question
Mar 13th, 2010


I've got a question about ASA HA failover that I can't seem to get round to figuring out, so perhaps someone can help.

Assume ASA in an active/standby configuration and each ASA has got three physical interfaces on which I will configure an IP address.

interface#1 - external unprotected network

interface#2 - protected network DMZ-A

interface#3 - protected network DMZ-B

For each of these three networks I have a single physical L2 switch per network, so three switches in total to which each of the ASAs connect. My routers then connect to the external switch, and devices (servers) to be protected connect to either of the DMZ switches.

What I can't seem to find straight answers for is the following scenario:

If the switch of DMZ-A fails, of course I lose connectivity to all devices in DMZ-A (no brainer so far), but both ASAs also have one monitored interface that goes down. How will the ASA pair react if they both lose a monitored interface? What determines if and how failover will happen in such a scenario? Of course I'm also assuming here that DMZ-B is still up and running, and so connectivity to DMZ-B should not be affected since the path to it via at least one of the ASAs should still be available for DMZ-B.

Any ideas, explanations or pointers to documentation would be nice.



Jon Marshall Sat, 03/13/2010 - 02:52


You really should look to use a pair of switches per network. If you are monitoring both interfaces and the switch goes down then you could well get a situation where each firewall thinks it should be active and this would affect your other interfaces as well.

If you needed to you could combine the DMZ switches into a pair and simply have both VLANs on the same switches so you do get DMZ redundancy, and then you just need an additional switch for the outside.
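For reference, these are the ASA failover settings that decide the reaction to a lost interface: which data interfaces are health-checked, how many failed interfaces mark a unit as failed, and the poll/hold timers. This is an added illustration, not a config from the thread; interface names, port numbers and addresses are assumed values.

```cisco
! Added example, not from the original post. Port numbers, nameifs
! and IP addresses are assumed values chosen for illustration only.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
interface GigabitEthernet0/1
 nameif dmz-a
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/2
 nameif dmz-b
 security-level 50
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
!
! Dedicated failover link between the two units (assumed port Gi0/3).
! Keep it off the DMZ switches: if it rode the DMZ-A switch, losing that
! switch would also cut the hello exchange between the two units.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Data interfaces that take part in the health check. With one switch per
! DMZ, a switch failure takes dmz-a down on BOTH units at the same time.
monitor-interface outside
monitor-interface dmz-a
monitor-interface dmz-b
!
! Number (or percentage, e.g. 50%) of monitored interfaces that must fail
! before a unit is considered failed.
failover interface-policy 1
!
! Interface hello interval and hold time, in seconds.
failover polltime interface 5 holdtime 25
!
failover
```

Before relying on the design, pull the DMZ-A switch in a lab and watch `show failover` on both units; that shows exactly how the pair interprets a failure that hits both monitored interfaces at once.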


