ASA HA design question

Hello.

I have a question regarding ASAs in HA or failover setup. Topology is based on this design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41976

Basically, ISP1 and ISP2 routers connect to outside SW1 and SW2 that are trunked. Both external switches have one connection each to the outside interface of ASA1 and ASA2 configured in Failover mode. So my question is, if the active firewall is ASA1 and its directly connected external switch dies, what mechanism enables the ASA1 to automatically trigger a failover to SW2? My understanding with failover is only when the actual device no longer sends a heartbeat across the FO cable or if it dies. Will the ASAs have to run a dynamic routing protocol to be aware that L3 topology has changed?

Thanks.

MG

2 REPLIES
Re: ASA HA design question

michaelgrann wrote:

Hello.

I have a question regarding ASAs in HA or failover setup. Topology is based on this design guide:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41976

Basically, ISP1 and ISP2 routers connect to outside SW1 and SW2 that are trunked. Both external switches have one connection each to the outside interface of ASA1 and ASA2 configured in Failover mode. So my question is, if the active firewall is ASA1 and its directly connected external switch dies, what mechanism enables the ASA1 to automatically trigger a failover to SW2? My understanding with failover is only when the actual device no longer sends a heartbeat across the FO cable or if it dies. Will the ASAs have to run a dynamic routing protocol to be aware that L3 topology has changed?

Thanks.

MG

Michael

As long as you are monitoring the interface(s) that connect to the external switch, then if the switch fails the standby ASA no longer gets a response from the monitored interface on the active ASA and will assume the active role. See this link for more details -

ASA interface monitoring

Jon
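
The interface monitoring described in the answer above, as an added configuration sketch that is not part of the original thread. The interface name, the 192.0.2.0/24 addresses and the timer values are constructed for illustration.

```cisco
! Added example: interface name, addresses and timers are constructed.
!
! The monitored interface needs a standby address so that both units
! can exchange hello messages on it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Health-monitor the outside interface. Physical interfaces are
! monitored by default; subinterfaces have to be enabled explicitly.
monitor-interface outside
!
! Number of failed monitored interfaces that marks the unit as failed
! (1 is also the default).
failover interface-policy 1
!
! Interface hello interval and hold time in seconds. The hold time
! must be at least five times the poll time.
failover polltime interface 5 holdtime 25
!
! Verification from exec mode on either unit:
!   show monitor-interface
!   show failover
```

With this in place no dynamic routing protocol is needed on the ASAs for the switch-failure case: loss of the monitored outside interface on the active unit is itself the failover trigger.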

Re: ASA HA design question

Jon,

Thank you so much for this link. I will be testing this in my lab.

MG
