ASA Failover - outside interface confusion

Unanswered Question


Customer has ASA 5520 pairs in Active/Standby configuration.  The firewalls are physically across campus from each other.  The outside interfaces are connected into the same VLAN (Cisco enterprise switches).  Upstream is a pair of Juniper routers using a virtual gateway address (VRRP).

The environment was stable for over a year until the customer made some changes to the switched environment (not totally sure what changed).

Basically, when I bring the secondary firewall back online, the Internet access goes down or they experience flaky Internet behavior (slowdowns). When I disable the switch interface connected to the secondary ASA outside interface, the Internet access is still unavailable unless I reboot the primary.

So there seems to be confusion on the outside LAN segment (ARP issues, interface issues, switch issues, VRRP, etc.).

I tried hard-coding the primary/secondary MAC addresses, but that didn't seem to help.

Sorry for the lack of detail, but just looking for some general troubleshooting ideas.


