Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
4
Helpful
2
Replies

ASA5500 setup/cabling & failover questions

chris.rosan
Level 1
Level 1

‎08-23-2007 05:53 AM - edited ‎03-11-2019 04:01 AM

Hello all,

I've just started configuring 2x new ASA5520's. They will be either in active/active, or active/passive failover. I'd like to have stateful failover.

A couple of questions:

What is the "management" interface for (other than the potential obvious) - i know traffic can't flow into that interface and out another interface, so is it ONLY meant for managing/configuring the units?

I know that i need a dedicated network between the 2 ASA's for the failover. Can i use the above mentioned management interface for this, rather than one of the Gigabit interfaces?

Both devices have the AIP-SSM-10 module which ALSO has an interface on it. Is this just for administaring the module?

Also, anyone who has a similar setup to me, tips, experiences and pointers gladly accepted.

Setup is pretty simple:

Redundant Ethernet internet connections coming through 2x 2801's

Web,mail, app servers & 2811's providing VPN connections in DMZ

Users behind ASA's

Software VPN's will be done directly to ASA's using IPSEC VPN Client - may look at ssl in future.

Migrating from single Pix 6.1

Cheers

Labels:
0 Helpful
2 Replies 2

froggy3132000
Level 3
Level 3

‎08-23-2007 05:57 AM

Yes, you can use the management interface for failover.

0 Helpful

anandramapathy
Level 3
Level 3

‎08-23-2007 06:10 AM

mgmt can be used for failover but it is only 10/100.

mgmt interface has been designed to connect a PC to the management interface for administration ( Cisco design )

if you have huge traffic, then use the 3rd interface for failover since it will be stateful, so speed & bandwidth will be crucial. Connect both the ASA Gigabit directly with a straight cable for failover.

AIP-SSM-10 module interface is only for administration,

actual setup & admin can be done by connecting to the IP either by session 1 fromm the ASA or via the ASDM by

https:\\IP of the IPS console

The config is very similar to PIX, in fact the ACLS can be pasted directly.

The ASA will have 1 active & 1 standby

the active ASA will have the active IP & replicate the config to the standby.

HTH - pls rate if helpful

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card