New Member

PIX/ASA Failover ques

Can I use the same name/IP address for the LAN and stateful link?

Below is the config. PIX accepts this config; I just wanted to confirm whether it'll work fine this way.

failover lan interface LAN-AND-STATE Ethernet2

failover link LAN-AND-STATE Ethernet2

failover interface ip LAN-AND-STATE 10.10.10.1 255.255.255.252 standby 10.10.10.2

Also, if I use the same physical interface and assign 2 different sets of names and different sets of IPs, is this fine?

e.g.

failover lan interface LAN Ethernet2

failover link STATE Ethernet2

failover interface ip LAN 10.1.1.1 255.255.255.252 standby 10.1.1.2

failover interface ip STATE 10.2.2.1 255.255.255.252 standby 10.2.2.2

Any comments, guys?

3 REPLIES

Re: PIX/ASA Failover ques

What version of software are you running?

You can do it in PIX V6 but the recommendation is against it. In V7 it is not supported at all, from the Release notes:

If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html

** Please rate post if helpful **

New Member

Re: PIX/ASA Failover ques

I'm using 7.2(2)

Just to clarify your reply, I'm not sharing the STATEFUL interface with any regular traffic interface; rather, I'm sharing it with the LAN Failover interface, and PIX is accepting my commands.

So is this acceptable?

Re: PIX/ASA Failover ques

Sorry, my misunderstanding; by LAN I thought you meant inside LAN.

Yes, you can use the same interface for the stateful and failover link. Cisco have an example of this here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

If possible, I would recommend using cable-based failover. If this is not possible due to physical limits, remember the failover link must go through a switch or hub; it cannot be a crossover cable.

** Please rate posts if helpful **
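
A pre-upgrade check for the cases discussed in this thread, as an added example that is not part of any post and is not Cisco tooling: it reads a saved configuration and reports whether the Stateful Failover link is dedicated, shared with the LAN failover interface, or shared with a regular traffic interface (the case the 7.2(2) release notes warn about). The function name, the status strings and the second sample config are assumptions made for illustration.

```python
import re

IFACE = re.compile(r"interface (\S+)\s*$")
NAMEIF = re.compile(r"\s+nameif (\S+)\s*$")
LAN = re.compile(r"failover lan interface (\S+)(?: (\S+))?\s*$")
LINK = re.compile(r"failover link (\S+)(?: (\S+))?\s*$")

def classify_state_link(config):
    """Return how the 'failover link' interface is used in a PIX/ASA config."""
    data_ifs = {}                 # nameif -> physical port of regular traffic interfaces
    lan = link = current = None   # (name, physical) tuples; current interface stanza
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():             # a top-level line starts or ends a stanza
            m = IFACE.match(line)
            current = m.group(1) if m else None
        if (m := NAMEIF.match(line)) and current:
            data_ifs[m.group(1)] = current
        elif m := LAN.match(line):
            lan = m.groups()
        elif m := LINK.match(line):
            link = m.groups()
    if link is None:
        return "no-stateful-link"
    name, phys = link
    if name in data_ifs or phys in data_ifs.values():
        return "shared-with-data-interface"   # release notes: fix before upgrading
    if lan and name == lan[0]:
        return "shared-with-lan-failover"     # the first config in the question
    if lan and phys and phys == lan[1]:
        return "same-port-different-names"    # second config; the replies do not settle it
    return "dedicated"

# First config from the question, copied from the thread.
THREAD_CONFIG = """failover lan interface LAN-AND-STATE Ethernet2
failover link LAN-AND-STATE Ethernet2
failover interface ip LAN-AND-STATE 10.10.10.1 255.255.255.252 standby 10.10.10.2"""

# Constructed sample: state link reuses the 'inside' traffic interface.
SHARED_CONFIG = """interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
failover lan interface LAN Ethernet2
failover link inside"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("constructed", SHARED_CONFIG)):
        print(label, "->", classify_state_link(cfg))
```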
