Distance Between Two Firewalls in Cluster

manuadoor · ‎07-16-2010

Hi All,

What is the recomended distance between two firewalls in Cluster, if it supports Failover thru wan, what is the recommended Latency? Will it support routed environment ?

Regards,

Manu B.

Kevin Redmon · ‎07-16-2010

Manu,

The two firewalls must be Layer-2 adjacent in order for the failover to work correctly. This could be geographically close or far away. If the latency is "too great" between the two firewalls, you can adjust the failover polltime interval and the holdtime to adjust and prevent/mitigate inadvertent failover.

If this helps, please be sure to mark this thread as "answered".

Best Regards,

Kevin

manuadoor · ‎07-16-2010

Hi,

So that means, the link should be a swiched network?? Can't have an MPLS or Leased line (which is L3) for failover link?

Panos Kampanakis · ‎07-16-2010

Theoretically you could use MPLS ATOM for example so that the ASAs will be L2 adjacent. Interfaces on the 2 clusters should be L2 adjacent and they should be "seeing" the same traffic. So if one fails the other one will be able to take over.

I don't understand how you would have 2 ASAs in 2 different locations and they will be routing the same traffic though.

I hope it helps.

PK