We have two Cisco 5525-X ASA firewalls and they are in an Active/Standby failover cluster. At the moment each ASA is using Gig 0/3, plugged into a 6509 switch, as the failover link. The ASAs are at different data centres. I need to add another physical interface, Gig 0/4, to the ASAs and have it be part of the failover link alongside the existing Gig 0/3 interface. I have been reading about configuring redundant links and adding the two physical interfaces as part of a redundant group. Can someone let me know how to configure two physical interfaces as a redundant group and have them be part of the failover between the two ASAs?
See below existing config for our failover:
Primary unit:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover mac address GigabitEthernet0/0 001b.54f7.1a2b 001b.54f7.2a2b
failover mac address GigabitEthernet1/0 001b.54f7.3a2d 001b.54f7.4a2d
failover mac address GigabitEthernet1/1 001b.54f7.4a2e 001b.54f7.5a2e
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2

Secondary unit:

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover mac address GigabitEthernet0/0 001b.54f7.1a2b 001b.54f7.2a2b
failover mac address GigabitEthernet1/0 001b.54f7.3a2d 001b.54f7.4a2d
failover mac address GigabitEthernet1/1 001b.54f7.4a2e 001b.54f7.5a2e
failover link failover GigabitEthernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
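Added example, not taken from the question or from any reply on this thread: one way to bundle Gig0/3 and Gig0/4 into an ASA redundant interface and use that redundant interface as both the LAN failover link and the stateful failover link. It reuses the interface name "failover" and the 10.10.10.0/30 addresses from the question above; the shared secret on the failover key line is a placeholder. It assumes the member interfaces carry no other configuration (a redundant interface member cannot have a nameif or IP address of its own), that both switch ports on the 6509 sit in the same dedicated failover VLAN, and that the work is done in a maintenance window, because the failover link can only be changed with failover disabled on both units.

```text
! Added example config (not the poster's config). Apply steps 1-3 on BOTH units.

! 1. Disable failover and remove the old single-interface link definition.
no failover
no failover lan interface failover GigabitEthernet0/3
no failover link failover GigabitEthernet0/3

! 2. Member interfaces stay unnamed and unaddressed; just make sure they are enabled.
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown

! 3. Build the redundant interface. The first member added is the active
!    member; the second takes over if the first loses link.
interface redundant 1
 member-interface GigabitEthernet0/3
 member-interface GigabitEthernet0/4
 no shutdown

! 4. Primary unit: point the LAN failover and stateful links at Redundant1.
!    The failover key encrypts the failover and state-replication traffic
!    (connection table, NAT table, IPsec SAs) that would otherwise cross the
!    inter-data-centre link in clear text. It must match on both units.
failover lan unit primary
failover lan interface failover Redundant1
failover link failover Redundant1
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover key PLACEHOLDER-SHARED-SECRET
failover

! 5. Secondary unit: identical, except the unit role.
failover lan unit secondary
failover lan interface failover Redundant1
failover link failover Redundant1
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover key PLACEHOLDER-SHARED-SECRET
failover

! 6. Verify: both members listed and one marked active; peer in Standby Ready;
!    stateful failover statistics incrementing.
show interface redundant 1
show failover
```

The existing "failover mac address" lines from the question are unaffected by this change and stay as they are. Before re-enabling failover, check that the redundant interface and its members show as up on both units; a mismatch in the member list or in the failover key between the units will leave the pair stuck with the peer in Failed state rather than Standby Ready, and that is the first thing to look for in show failover if replication does not start.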
If you have regular/LAN failover alone configured in your firewall, it actually waits for the idle time and then becomes the active firewall; however, it doesn't have any information on the active connections going through the firewall. If you have stateful failover configured, the active unit replicates the state connection table of every connection to the standby unit, so when failover happens there will be no interruption for the active connections in most cases.
LAN failover takes care of the new connections that flow through the other firewall in case of failover, and stateful failover takes care of the active connections that were going through the primary; if failover happens, it still continues to allow the active connections through the secondary unit, which is active during failover.
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database
The information that is not passed to the standby unit when stateful failover is enabled includes these:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for security service modules
Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.