Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
901
Views
5
Helpful
2
Replies

ASA HA design question

Michael Grann
Level 1
Level 1

‎11-17-2010 09:43 AM - edited ‎03-11-2019 12:10 PM

Hello.

I have a question regarding ASA's in HA or failover setup.Topology is based on this design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41976

Basically, ISP1 and ISP2 routers connect to outside SW1 and SW2 that are trunked. Both external switches have one connection each to the outside interface of ASA1 and ASA2 configured in Failover mode. So my question is, if the active firewall is ASA1 and it's directly connected external switch dies, what mechanism enables the ASA1 to automatically trigger a failover to SW2? My understanding with failover is only when the actual device no longer sends a heartbeat across the FO cable or if it dies. Will the ASA's have to run a dynamic routing protocol to be aware that L3 topology has changed?

Thanks.

MG

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎11-17-2010 11:41 AM 

michaelgrann wrote:
Hello.
I have a question regarding ASA's in HA or failover setup.Topology is based on this design guide:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41976
Basically, ISP1 and ISP2 routers connect to outside SW1 and SW2 that are trunked. Both external switches have one connection each to the outside interface of ASA1 and ASA2 configured in Failover mode. So my question is, if the active firewall is ASA1 and it's directly connected external switch dies, what mechanism enables the ASA1 to automatically trigger a failover to SW2? My understanding with failover is only when the actual device no longer sends a heartbeat across the FO cable or if it dies. Will the ASA's have to run a dynamic routing protocol to be aware that L3 topology has changed?
Thanks.
MG

Michael

As long as you are monitoring the interface(s) that connect to the external switch then if the switch fails the standby ASA no longer gets a response from the monitored interface on the active ASA and will assume the active role. See this link for more details -

ASA interface monitoring

Jon

Michael Grann
Level 1
Level 1
In response to Jon Marshall

‎11-17-2010 11:50 AM

Jon,

Thank you so much for this link. I will be testing this in my lab.

MG

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card