ASA Redundancy Options

Unanswered Question

We are adding a new 6509 switch B to use for redundancy of current 6509 switch A using HSRP.  Currently, we have 2 ASA firewall units configured as active/standby failover single mode.  Both ASA units connects to switch A at this time.  We are planning to relocate the connection of ASA standby unit to the new 6509 switch B.  What would be the best way to configure the ASA units for redundancy if switch A fails and traffic goes thru switch B.  Will the ASA standby unit automatically start passing trying?  Please advice.

Thank you,

Abraham

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
manish arora Thu, 07/15/2010 - 09:37

Hi,

if the ASA pair is configured in an active/standby configuration then you can have asa 1 ( active ) connect to the active interface of the hsrp switch and then the standby asa interface to the standby hsrp interface ( no priority load balancing on hsrp ).  In the event of the switch a ( active hsrp ) faileur, the asa will failover as one of the interface of the active firewall will fail and the secondary will take over.

another senario could be ,  have redundant interfaces on the asa and have them connect to different switches ( redudant interfaces are generally used for interface faileur redundancy ). i do not know for sure how redundant interfaces will work with hsrp interfaces ( never configured that in that senario) , but never the less i have seen people using it with plain L 2 switches in between their firewalls and distribution/core switches.

hope it helps

manish

manish arora Thu, 07/15/2010 - 12:07

Yes ! when we configure active/standby on asa , it fails over in the event of an interface failure.

You can look into the configuration of the asa , where you can control the failover in the event of an interface failures using interface monitoring.

download the  asa82cfg.pdf from cisco.com for configuration help.

Thanks

manish

Actions

This Discussion