ASA Failover Connection--why need a dedicated switch

In Cisco doc (ID 77809), PIX/ASA: Active/Standby Failover Configuration Example, LAN-Based Active/Standby Failover Config, it states that: "Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units".

Can anyone please let me know more about the reasoning behind it?

Also, if we do not use a "dedicated switch" and instead use a VLAN in the switch for this purpose, the config looks like: primary ASA <--> primary switch <--> secondary switch <--> secondary ASA.

These two switches are distribution switches.

Can you see any problem?

Thanks.

Accepted Solutions

Re: ASA Failover Connection--why need a dedicated switch

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure. You don't need a dedicated switch; you can use your distribution switches.
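
A sketch of the topology from the question (primary ASA <--> primary switch <--> secondary switch <--> secondary ASA), added here as an example and not taken from the thread or from Cisco's document. The interface names, VLAN 999, the addresses and the key placeholder are all assumptions; the VLAN carries only the failover link, and a failover key is set because failover traffic is otherwise sent in clear text.

```cisco
! Constructed example: interface names, VLAN ID and addresses are assumptions.
!
! ----- Primary ASA -----
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret-placeholder>
failover
!
! ----- Secondary ASA -----
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret-placeholder>
failover
!
! ----- Primary distribution switch -----
vlan 999
 name ASA-FAILOVER
interface GigabitEthernet1/0/10
 description Failover link to primary ASA
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
interface GigabitEthernet1/0/48
 description Trunk to secondary distribution switch
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
! ----- Secondary distribution switch -----
vlan 999
 name ASA-FAILOVER
interface GigabitEthernet1/0/10
 description Failover link to secondary ASA
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
interface GigabitEthernet1/0/48
 description Trunk to primary distribution switch
 switchport mode trunk
 switchport trunk allowed vlan add 999
```

Because each ASA port terminates on its own switch port, a failed interface on one unit leaves the peer's link up, which is the behaviour the answer describes; `show failover` on either unit reports the resulting state.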
