problem with ASA 5520 Failover implementation

houjil
Level 1

Hi all,

I am preparing a failover implementation of our ASA 5520. We have two buildings, A and B; between them I have only one fibre cable available. I will connect a 3750 on each side with it, and I will use a UTP cable to connect the ASA on a dedicated physical interface.

The goal of this scenario is to offer the maximum redundancy between equipment with just the existing equipment, for example: if devices in building A fail, then traffic will pass through building B, and so on (except for the WAN routers).

I reorganised the actual configurations on all equipment, and I got the optimised schema in the picture below:

[image: failover schema.png]

I have two links between the CDR (4500) and the ASA:

  1. The first link is a trunk link; it is dedicated to the operational flow (project, visio, ...).
  2. The other physical link is dedicated to the failover (one subinterface for the FOLINK VLAN 200, and another subinterface for the failover state VLAN 201).

Here is a part of the configuration on the first ASA:

  • first ASA:

failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet2.1
failover polltime unit 1 holdtime 3
failover link FOSTATE GigabitEthernet2.2
failover interface ip FOLINK 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip FOSTATE 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface GigabitEthernet2.2
 description STATE Failover Interface
 vlan 201

ASASecondary(config)# sh run int g2.1
!
interface GigabitEthernet2.1
 description LAN Failover Interface
 vlan 200

  • second ASA:

failover
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet2.1
failover polltime unit 1 holdtime 3
failover link FOSTATE GigabitEthernet2.2
failover interface ip FOLINK 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip FOSTATE 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface GigabitEthernet2.2
 description STATE Failover Interface
 vlan 201

ASAProduction(config)# sh run int g2.1
!
interface GigabitEthernet2.1
 description LAN Failover Interface
 vlan 200

Problem:

  • With these configurations I can ping the stateful link from both sides, but I can ping the FOLINK; when I replace the switch with a direct cable I get a successful ping for the FOLINK and the STATEFUL link!!

Questions:

  1. Can you please have a look at this implementation and tell me if what I did is correct, or if I need to add other things?
  2. Is there any configuration command that I missed while configuring the failover?
  3. Will the switch between the two ASAs permit the failover implementation or not?

Thank you in advance.

Regards

3 Replies

Julio Carvajal
VIP Alumni

Hello,

  1. Can you please have a look at this implementation and tell me if what I did is correct, or if I need to add other things?

It looks good, I mean I guess you will use HSRP on the internal L3 domain for more redundancy, right?

  2. Is there any configuration command that I missed while configuring the failover?

No, the configuration is good.

  3. Will the switch between the two ASAs permit the failover implementation or not?

Yes, Cisco actually recommends using a switch between the failover units. What you need to make sure of is that the traffic will go through the switch. Check the VLAN setup on the switch and the access-port definition, bud.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
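As an added example (not part of the thread, and not Cisco's own tooling), here is a small Python script that audits the two ASA configurations posted above against a hypothetical 3750 port facing the ASAs' Gi2 link. It checks the two things Julio points at: apart from `failover lan unit`, the failover commands must be identical on both units, and every VLAN the ASA tags on its failover subinterfaces (200 and 201 here) must be allowed on a dot1q trunk port in between, since an access port will not carry the tagged frames. The switch port configuration is constructed to reproduce the symptom described in the thread (the state link pings through the switch, the LAN failover link only over a direct cable): VLAN 200 is left off the trunk. The switch interface name and description are assumptions.

```python
import re

# Constructed sample input: the failover lines of the two ASAs as posted in the thread (prompts dropped).
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet2.1
failover polltime unit 1 holdtime 3
failover link FOSTATE GigabitEthernet2.2
failover interface ip FOLINK 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip FOSTATE 192.168.2.1 255.255.255.0 standby 192.168.2.2
interface GigabitEthernet2.1
 description LAN Failover Interface
 vlan 200
interface GigabitEthernet2.2
 description STATE Failover Interface
 vlan 201
"""
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")
# Constructed sample input: an assumed 3750 port facing one ASA's Gi2; VLAN 200 is missing from the trunk.
SWITCH_PORT_CFG = """\
interface GigabitEthernet1/0/1
 description to ASA GigabitEthernet2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201
 switchport mode trunk
"""

def parse_asa(cfg: str) -> dict:
    """Extract the failover parameters and the VLAN tag of each subinterface."""
    info = {"unit": None, "lan": None, "state": None, "ips": {}, "polltime": None, "vlans": {}}
    current = None  # interface whose sub-commands are being read
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"failover lan unit (\w+)$", line):
            info["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            info["lan"] = (m.group(1), m.group(2))
        elif m := re.match(r"failover link (\S+) (\S+)$", line):
            info["state"] = (m.group(1), m.group(2))
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            info["ips"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif line.startswith("failover polltime"):
            info["polltime"] = line
        elif m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"vlan (\d+)$", line)):
            info["vlans"][current] = int(m.group(1))
    return info

def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '200,202-204' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switch_port(cfg: str) -> dict:
    """Read the port mode and the VLANs a tagged frame may cross on it."""
    port = {"name": None, "mode": "access", "allowed": None}  # allowed None = all VLANs
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            port["name"] = m.group(1)
        elif m := re.match(r"switchport mode (\w+)$", line):
            port["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line):
            port["allowed"] = expand_vlans(m.group(1))
    return port

def vlan_passes(port: dict, vlan: int) -> bool:
    """An 802.1Q-tagged ASA subinterface needs a trunk port that allows its VLAN."""
    return port["mode"] == "trunk" and (port["allowed"] is None or vlan in port["allowed"])

def audit(primary: dict, secondary: dict, port: dict) -> list:
    """Return findings as strings; an empty list means the pair looks consistent."""
    findings = []
    if {primary["unit"], secondary["unit"]} != {"primary", "secondary"}:
        findings.append("one unit must be 'failover lan unit primary' and the other 'secondary'")
    # Apart from the unit role, the failover commands must be identical on both units.
    for key in ("lan", "state", "ips", "polltime"):
        if primary[key] != secondary[key]:
            findings.append(f"'{key}' failover settings differ between the two units")
    needed = {}  # VLAN id -> failover link name that rides on it
    for unit in (primary, secondary):
        for role in ("lan", "state"):
            name, phys = unit[role] or (role, "")  # a missing command yields an empty phys
            vlan = unit["vlans"].get(phys)
            if "." in phys and vlan is None:
                findings.append(f"{unit['unit']}: subinterface {phys} ({name}) has no vlan tag")
            elif vlan is not None:
                needed[vlan] = name
    for vlan, name in sorted(needed.items()):
        if not vlan_passes(port, vlan):
            findings.append(f"{port['name']}: VLAN {vlan} ({name}) is not carried on this port")
    return findings

def run(primary_cfg=PRIMARY_CFG, secondary_cfg=SECONDARY_CFG, port_cfg=SWITCH_PORT_CFG) -> list:
    return audit(parse_asa(primary_cfg), parse_asa(secondary_cfg), parse_switch_port(port_cfg))
```

On the constructed input `run()` reports a single finding, that VLAN 200 (FOLINK) is not carried on the trunk, which is exactly the link that only worked over a direct cable. To run it on the real devices, paste the output of `show running-config failover` plus the two subinterface sections into the ASA strings and `show running-config interface` for the switch port into the third; in the two-building layout there are two 3750s, so the port facing each ASA and the trunk between the switches all have to pass the same check.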

Hi Julio, and thanks for the answer,

After more reflection, I changed the scenario to the new one below; I decided to place the two ASAs in the same building since I have a problem with insufficient cables.

So, for the new scenario, I used port channels on both sides of the switches connected successively to the ASAs. I have just a direct question:

Will the scenario work with just the failover configuration, or do I need to add HSRP config as you said? I guess I don't need it, but I need a confirmation to avoid surprises while deploying.

The goal of this implementation is also to assume redundancy and firewall load balancing; will this schema offer these goals?

Thank you all in advance for your answers.

Hello Hicham,

I mean this will certainly work, but the thing is you will now have a single point of failure at the core level.

If the switch that connects to the ASA goes down, bum, the entire network is down. I liked the previous scenario better.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC