Hi there, We have procured 2 ASA 5585X units for Active / Standby setup. In the interim we will go with etherchannelling 1 Gig links to upstream 6513 switches (non VSS). Can I have this configuration for resiliency?
Etherchannel from ASA Primary - Switch 1 & Switch 2
Etherchannel from ASA Standby - Switch 1 & Switch 2
Etherchannel from ASA Primary - Switch 1
Etherchannel from ASA Standby - Switch 2
( Failover links between the Firewalls are already configured )
Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions.
Since your 6513's are not in a VSS you cannot etherchannel/port-channel a firewall (or any device) split between your two chassis. The only way you can do this in the non-Nexus line is to have them in a VSS. Your best bet is to etherchannel firewall 1 to switch 1, and firewall 2 to switch 2.
You'll need to make sure that you have the etherchannel interfaces trigger a failover if one of the switches should die... also be aware, even with a stateful link between firewalls, there will still be a short delay between the failure and when traffic starts flowing normally through the secondary firewall.
The delay is not in the failover. The delay is in the traffic flowing through the 6513's now taking a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to the same VLAN's?
I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.
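A configuration sketch of the layout recommended in the replies above (each firewall's EtherChannel lands on a single switch, and the port-channel is monitored so that losing it triggers failover). It is added here as an example and is not taken from any poster's configuration. The interface numbers, port-channel IDs, VLAN 100, the `outside` name and the 192.0.2.0/24 addresses are assumptions.

```cisco
! --- ASA, entered on the active unit; failover replicates it to the standby ---
! Both units use the same physical ports: primary cabled to switch 1,
! standby cabled to switch 2.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Monitor the port-channel's named interface and fail over when one
! monitored interface is down (for example when the attached switch dies).
monitor-interface outside
failover interface-policy 1
!
! --- 6513 switch 1 (switch 2 carries the same block toward the standby ASA) ---
! The channel lives entirely on one chassis, so no VSS is required.
interface range GigabitEthernet1/1 - 2
 switchport
 switchport mode access
 switchport access vlan 100
 channel-group 10 mode active
 no shutdown
!
interface Port-channel10
 switchport
 switchport mode access
 switchport access vlan 100
```

After a test failure, `show failover` on the ASA and `show etherchannel summary` on each 6513 show which unit is active and whether the bundle members are up.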