We have an ASA 5510 with a hardware web filter device between the inside interface and our LAN switch. The web filter recently failed after hours and we had to physically remove the device to restore connectivity to the LAN, so I'm trying to come up with a way to avoid having to be onsite if it fails again in the future.
Would setting up port redundancy, with one cable going to the filter and one directly to the switch, work? Not sure when a port is considered down; when the device failed, the network status lights were still lit.
A cable directly between the ASA and switch, with the interface on the ASA disabled until needed. With this option I was thinking someone could log in to the ASA from the outside interface and manually change the IP settings and name on the interface.
You should connect a cable between your switch and the ASA and configure the port failover on the switch, so that when the port is unable to go out through the web filter it should fail back to the port directly connected to the ASA.
Put the two ports at each end in a port channel and shut the port that has NOT got the web filter between the ASA and the switch. In a web filter fail scenario, open the redundant link. This way you don't have to play around with things like HSRP; also, the ASAs don't support spanning tree, so there is no automated L2 failover mechanism available.