We recently tried to implement an architecture with an ASA Redundant Interface, but we experienced some issues and had to roll back. This is the scenario:
- 2 Active/Standby ASA 5580 (rel 8.2.1) firewalls
- 2 routers connected on the frontend of ASAs
- each ASA is connected through a double physical link to the 2 routers: one link to each router, with the 2 links belonging to the same Redundant Interface
- the 2 routers are the frontend next hop for the ASA, and they also provide L2 for the ASA thanks to a channel interconnecting them
RTR1 == == RTR2
| \ / |
| \ / |
a| / \ |a
| b / \ b |
The normal condition is: HSRP Active on RTR1, ASA2 Primary Active, and link 'a' on ASA2 Active.
Now, both links on the Primary Active ASA were 'up', but ping from ASA2 to the HSRP address didn't work at all; as soon as link 'a' was forced down, link 'b' went active and ping between ASA2 and RTR1 began working.
Do you have any idea why the connectivity between ASA2 and RTR1 (HSRP active) through active link 'a' and the RTR1-RTR2 trunk didn't work?
Thanks a lot for any help or ideas.
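As an added example (not part of the original post, and not the poster's actual configuration), this is the shape of ASA configuration the scenario describes, followed by the show commands worth running while the fault is present. The interface names, IP addresses and the member that is forced active are all assumptions chosen for illustration.

```cisco
! Added example, not the poster's configuration. Interface names and
! addresses are assumed; 192.0.2.1 is taken to be the HSRP virtual IP.
!
! --- physical members: link 'a' to RTR1, link 'b' to RTR2 ---
interface GigabitEthernet0/0
 description link a to RTR1
 no shutdown
!
interface GigabitEthernet0/1
 description link b to RTR2
 no shutdown
!
! --- one logical interface over both members; only one member passes traffic ---
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
! default route toward the HSRP virtual IP shared by RTR1/RTR2
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! failover should monitor the logical interface, not the members
monitor-interface outside
!
! --- checks to run on the active unit while link 'a' is up but ping fails ---
! which member is currently active, and the link state of each member
show interface Redundant1
! are packets actually leaving/arriving on link 'a'?
show interface GigabitEthernet0/0
! has the ASA resolved the HSRP virtual IP and the router interface IPs?
show arp
! state of both units and of the monitored interfaces
show failover
!
! switch the active member to link 'b' without shutting link 'a' down (exec mode),
! so the test isolates the member selection from the physical link state
redundant-interface redundant 1 active-member gigabitethernet 0/1
```

One property to keep in mind when reading the outputs: a redundant interface presents a single MAC address on whichever member is active, so after a member switch the routers must relearn that MAC on a different port. Comparing `show arp` on the ASA with the MAC table on RTR1 and RTR2 (and the port on which each has learned the ASA's MAC) is the first place to look when the logical interface is up but traffic toward the HSRP address does not flow.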