Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
20
Helpful
6
Replies

Redundant Interface Connectivity

Sibin S S
Level 1
Level 1

‎12-25-2013 01:23 AM - edited ‎03-11-2019 08:21 PM

Hi,

I have two 5585X need to be connected to two Core switch(6509) which is not having the VSS feature in it.HSRP is running. My doubt is regarding the Redundant interface configuration.

Is it required that the two redundant interfaces of an ASA should be on the same Core switch or it can also be done as shown in figure below.

Firewall Installation.jpg

Thanks

Sibin SS.

Labels:
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-25-2013 08:21 PM

Hello Sibin,

Are you running any kind of failover on the ASA??

The thing is that if the primary interface on a redundant link on one of the ASAs goes down then the backup interface will come up. The problem lies on the fact that HSRP will need to be aware on that and switch to the other Catalyst box.

So If you enable tracking on those links I think you should be fine.

I hope I was clear enough (This desing problems are the worst to explain, so many things to say hehe)

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sibin S S
Level 1
Level 1
In response to Julio Carvajal

‎12-27-2013 12:22 AM

Dear Julio,

Thanks for the reply

ASAs are in active/standby failover.

L3 interfaces are all VLAN interfaeces on Switch and Subinterfaces on ASAs.

Regards,

Sibin SS.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Julio Carvajal

‎12-27-2013 04:24 AM

Julio

The thing is that if the primary interface on a redundant link on one of the ASAs goes down then the backup interface will come up. The problem lies on the fact that HSRP will need to be aware on that and switch to the other Catalyst box.

Why does it need to do this ?

If the primary interface on the active ASA fails and it switches to the backup link HSRP does not have to change because there is a L2 path between the switches so instead of traffic going direct from the HSRP active to the active firewall it goes from the HSRP active to the other switch and then to the active firewall via the new active link.

Is there something i am mssing in terms of the ASA ?

Jon

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎12-27-2013 05:13 AM

Hi Guys,

Nah, as I said before I did not know there was any kind of failover cluster on the network.

If there is failover as the customer just confirmed then no need to worry at all

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jon Marshall
Hall of Fame
Hall of Fame

‎12-27-2013 05:19 AM

Sibin

As far as i am aware there is no requirement for a redundant pair of interfaces to be connected to the same switch so your setup should work as you have described it.

Jon

Sibin S S
Level 1
Level 1
In response to Jon Marshall

‎12-28-2013 12:38 AM

Thankyou Jon and Julio for helping

Happy new Year!!

Warm Regards,

Sibin SS

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card