ASA failover devices at diff locations

Answered Question
Aug 4th, 2010

Hi halijenn / experts

I have a query: if 2 ASA firewalls (one Primary and one Secondary) are situated in different locations, how exactly are they connected to each other? I know that the failover will still work even if physically they are apart, and I just know that they are connected to each other via an extended L2 VLAN. However, can you please elaborate as to how they are connected (i.e. whether fibre cables are used or the same ethernet cables)? Also, is it recommended to configure like this, and what would be the implications, i.e. whether the configuration replication from one firewall to another will be slow or as usual?

Correct Answer by Magnus Mortensen about 6 years 6 months ago

Ankurs,

Having a failover pair be geographically separate is tricky, but possible. Every interface of the firewall must be on the same layer 2 segment as the corresponding interface of the peer for failover to work. This would involve carrying those VLANs over trunks between the locations.

Performance wise, config replication should be OK. The concern is more with the stateful replication (a lot of traffic). We require that the stateful connection (failover link) be as fast as your fastest traffic-passing interface. If you are using Gig connections on your firewall, the stateful failover link must be able to run at Gig speeds. As long as there is no chance of that shared trunk between the failover sites being saturated to the point of slowing down the traffic on the stateful failover link, you should be OK.

- Magnus

Posted from my mobile device.
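As an added illustration of the layout Magnus describes (this is example configuration written for this page, not taken from the thread or from Cisco documentation): an ASA pair with a dedicated LAN failover link and a separate stateful link, where the inter-site switch trunk must carry the VLAN of every ASA interface, including the failover and state VLANs. Interface names, VLAN numbers and IP addresses are assumptions.

```cisco
! --- Primary ASA (constructed example; names, VLANs and addresses are assumed) ---
! Data interfaces: each must sit in the same L2 segment at both sites.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
! Dedicated failover (control) link and separate stateful link.
! The state link needs bandwidth matching the fastest data interface (Gig here).
interface GigabitEthernet0/2
 description FAILOVER-LINK (switch access VLAN 250)
interface GigabitEthernet0/3
 description STATE-LINK (switch access VLAN 251)
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Shared secret so failover messages between sites are authenticated/encrypted.
failover key <SHARED-SECRET-PLACEHOLDER>
!
! --- Secondary ASA: only the failover bootstrap differs; the rest replicates ---
! failover
! failover lan unit secondary
! failover lan interface FOLINK GigabitEthernet0/2
! failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! failover link STATELINK GigabitEthernet0/3
! failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! failover key <SHARED-SECRET-PLACEHOLDER>
!
! --- Inter-site switch trunk (each site's switch; assumed VLAN numbering) ---
! outside=VLAN 100, inside=VLAN 200, failover=VLAN 250, state=VLAN 251
interface TenGigabitEthernet1/1
 description Inter-site trunk carrying the ASA VLANs
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200,250,251
!
! Verify on either unit: "show failover" should report the state link as
! "Stateful Failover Logical Update Statistics" with both units Active/Standby Ready.
```

Keep the stateful link on its own VLAN rather than sharing the failover control VLAN, so that a burst of state updates across the trunk cannot delay the hello messages that decide whether the peer is alive.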

