Hi, I am trying to config active/standby over stateful on 5520 ASA. I currently have two core switches running HSRP with one ASA connected to one of them. Now I am trying to add a second ASA as a failover and want to connect the second ASA to the other core switch. Will this work, or will both ASAs have to connect to the same core switch?
What is the best way to connect the ASAs for failover? I was thinking of using a dedicated interface on the ASA and using a crossover cable. I also read that I should use a switch in between them. Besides easier troubleshooting, is there another benefit to using a switch?
You should connect the active to one core and the standby to the other core, as long as both devices can communicate with each other. From my understanding and experience, you should use an Ethernet connection that is dedicated to failover traffic. The connection between firewalls should be on an isolated VLAN, configured for full duplex and fast convergence so that the connection is highly available.
Don't use a crossover Ethernet cable to connect the two failover LAN interfaces if the firewalls are located close to each other. Instead, each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.
You should also prepare the switch ports where the LAN-based failover interfaces connect so that failover communication can begin almost immediately. You should enable Spanning Tree Protocol PortFast and disable trunking and EtherChannel negotiation. You can use the following IOS software commands to configure the switch ports:
Switch# configure terminal
Switch(config)# interface type mod/num
! Enable PortFast for immediate traffic forwarding
Switch(config-if)# spanning-tree portfast
! Disable trunking by making it an access switch port
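The switch-port preparation described in the reply above (PortFast on, trunking off, no EtherChannel) can be checked against a saved running-config. This is an added example, not part of the original reply: the sample config, the interface names, VLAN 900, and the convention of finding failover ports by a "failover" description are all assumptions.

```python
import re

# Constructed sample running-config; interface names and VLAN 900 are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/10
 description ASA-A failover link
 switchport access vlan 900
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description ASA-B failover link
 switchport mode dynamic desirable
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/12
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_failover_ports(config, marker="failover"):
    """Map each failover-facing port (matched by description) to its findings."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("description") and marker in c.lower() for c in cmds):
            continue  # not a failover-facing port under the assumed convention
        findings = []
        if not any(c.startswith("spanning-tree portfast") and "disable" not in c for c in cmds):
            findings.append("PortFast not enabled")
        if "switchport mode access" not in cmds:
            findings.append("not a static access port (trunk negotiation possible)")
        if any(c.startswith("channel-group") for c in cmds):
            findings.append("EtherChannel configured on failover port")
        report[name] = findings
    return report

print(audit_failover_ports(SAMPLE_CONFIG))
```

An empty findings list means the port matches the three settings the reply names; ports without a matching description are skipped.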