We have 2 5550 ASAs in active-standby mode - please see attached diagram.
The ASAs' LAN Failover, Stateful Failover and Inside interfaces all physically connect into Cisco Catalyst 6500s.
We're about to test the resilience of our network design by powering off one of our 6500s. If ASA A was active and 6500 A was powered off, what would happen regarding failover?
The inside (monitored) interface and the LAN failover interface on ASA A both patch into 6500 A, which has been powered off. Does failover to ASA B happen because a monitored interface (inside) is down, or is there no failover because a failover link (LAN Failover) failed during operation?
Hey, it's so funny that I am actually doing the same thing now and we posted a similar scenario.
Anyway, the way it works is it will monitor the interfaces you specify. If one of your interfaces detects a link down (and it is specified as an interface that you are monitoring on the firewall), it will automatically force the secondary ASA to become active.
Thanks for the reply. The problem is that if the 6500 connected to the primary ASA loses power, then the primary ASA Inside, LAN Failover and State Failover interfaces will all go down at the same time.
So the question is: does failover occur because the primary ASA inside interface goes down, or is there no failover because the LAN Failover interface went down during operation?
Let me know how long your failover takes, because right now my failover takes about a minute to recover when sourcing a ping from the inside to any internet site.
A ping to the firewall shows about 2-4 dropped pings before the secondary becomes active. I am not sure if this is normal behavior. But since you are doing a similar test, let me know what your results are.
Yes, I do have stateful configured; however, I do not have any of the interfaces terminated onto a secondary switch. I just have straight cables connecting the firewalls. I guess it would make more sense to create a separate VLAN on the switch for this purpose. I guess I'll have to do that instead to see how that works out.