Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
2
Replies

ASA failover devices at diff locations

Go to solution
ankurs2008
Level 1
Level 1

‎08-04-2010 03:50 AM - edited ‎03-11-2019 11:20 AM

Hi halijenn / experts

I have a query that if 2 ASA firewalls (one Primary and one Secondary ) are situated in different locations , how exactly they are connected to each other ? I know that the failover will still work even if physically they are apart and i just know that they are connected to each other via extended L2 VLAN , However can you please elaborate as to how they are connected ( i.e whether fibre cables is used or same ethernet cables ) .Also is it recommended to configure like this and what would be the implications i.e whether the configuration replication from one firewall to another will be slow or it will be as usual ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Magnus Mortensen
Cisco Employee
Cisco Employee

‎08-04-2010 04:32 AM

Ankurs,     Having a failover paor be geographically separate is tricky, but possible. Every interface of the firewall must be on the same layer2 segment as the cooresponding interface of the peer for failover to work. This would involve carrying those vlans over trunks between the locations.   Performamce wise, config replication should be OK. The concern is more with the Stateful replication (a lot of traffic). We require that the stateful connection (failover link) be as fast as your fastest traffic passing interface. If you are using Gig connections on your firewall, the stateful failover link must be able to run at Gig speeds. As long as there is no chance of that shared trunk between the failover sites being saturated to the point of slowing down the traffic on the stateful failover link, you should be Ok.   - Magnus

Posted from my mobile device.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Magnus Mortensen
Cisco Employee
Cisco Employee

‎08-04-2010 04:32 AM

Ankurs,     Having a failover paor be geographically separate is tricky, but possible. Every interface of the firewall must be on the same layer2 segment as the cooresponding interface of the peer for failover to work. This would involve carrying those vlans over trunks between the locations.   Performamce wise, config replication should be OK. The concern is more with the Stateful replication (a lot of traffic). We require that the stateful connection (failover link) be as fast as your fastest traffic passing interface. If you are using Gig connections on your firewall, the stateful failover link must be able to run at Gig speeds. As long as there is no chance of that shared trunk between the failover sites being saturated to the point of slowing down the traffic on the stateful failover link, you should be Ok.   - Magnus

Posted from my mobile device.

0 Helpful

Go to solution
ankurs2008
Level 1
Level 1
In response to Magnus Mortensen

‎08-05-2010 12:53 AM

Thanks a lot for your help Magnus !

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card