Cisco Support Community
Community Member

ASA failover design

Hello Everyone,

We are replacing all of our PIX firewalls in our main data center with ASA 5550s. We have 7 pairs of the 5550s. What would be the best design scenario to set up the LAN/Stateful failover connection? The documentation states that you can have it plugged between each other or into a dedicated switch, as long as there are no hosts, routers or security appliances on the same segment as the failover link.

We are thinking of having them plugged into a stack of 3750E switches, since we have the available ports on them. The primary firewall will plug into one of the switches in the stack and the secondary into the other switch in the stack, with separate VLANs for all of the pairs. Are there any issues with having them plugged into a cross stack?


Re: ASA failover design

As long as the failover/stateful interfaces have network connectivity to each other, it's fine. I don't recommend connecting them directly with a crossover, though, because it results in unpredictable behavior if one goes down - then the other thinks its failover interface is down also.

Community Member

Re: ASA failover design


The way our 5510s are set up is by putting the failover interfaces in their own VLAN rather than connecting them together.
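A configuration sketch of the design discussed in this thread, for one firewall pair (an added example, not taken from any poster's devices). The VLAN ID, port numbers, interface name `FOLINK`, addresses and key are placeholders; the `failover key` line is included because failover and state traffic crossing a switch is otherwise sent unencrypted.

```cisco
! Constructed example: all names, VLAN IDs, ports and addresses are placeholders.
!
! ---- 3750E stack: one dedicated VLAN per ASA pair ----
! Keep the VLAN layer 2 only (no SVI) and off trunks that do not need it,
! so no host or router shares the failover segment.
vlan 901
 name FW-PAIR1-FAILOVER
!
! Primary ASA lands on stack member 1
interface GigabitEthernet1/0/10
 description FW-PAIR1 primary failover link
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
! Secondary ASA lands on stack member 2
interface GigabitEthernet2/0/10
 description FW-PAIR1 secondary failover link
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
! ---- ASA, primary unit ----
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
! Same physical interface carries both the LAN failover and stateful link
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Shared secret that authenticates and encrypts failover traffic
failover key <shared-secret-placeholder>
failover
!
! ---- ASA, secondary unit ----
! Identical, except for the unit role:
!   failover lan unit secondary
```

Repeat with a different VLAN and subnet for each of the remaining pairs, and confirm the result on both units with `show failover`.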

