https://community.cisco.com/t5/network-security/asa-failover-dmz-question/m-p/3899660#M25069 <P>Hello there ,</P><P>&nbsp;</P><P>It seems as though your lab setup could have a flaw , would you be able to share your physical cross connects lab diagram as well as your logical diagram vlans etc..&nbsp; ? there could be many reasons your servers did not communicate correctly with the firewall when firewalls switched to the standby.</P><P>&nbsp;</P><P>Below is a URL with a straight forward A/S deployment , go over this link, if you are introducing two switches in your design you need to keep in mind that if Active FW connects to one switch and the&nbsp; Standby&nbsp; to another switch both switches must be connected and they have to be able to be aware of&nbsp; VLANs you have allocated for each of the firewall interfaces you have configured them with - proper cross connects and proper VLAN assignments in the switches is key to for proper fail-over events and systems to continue their communications&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html</A></P><P>&nbsp;</P><P>Additionally I have attached an basic site cross-connect diagram to help you with the physical aspect.&nbsp; Again, if you do have configurations of your switches and firewall we could sanity check to see where is the flaw.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jul 2019 01:51:19 GMT JORGE RODRIGUEZ 2019-07-30T01:51:19Z https://community.cisco.com/t5/network-security/asa-failover-dmz-question/m-p/3897528#M25068 <P>Hello,</P><P>I set lab environment I have two Firewalls in active/standby state and in DMZ area one DMZ switch (with DMZ servers connect on DMZ swicth ) that connect to active firewall When secondary Firewall became active dmz serves does not work I want set that DMZ servers works all time when standby became active do you have some solution for that?<BR />Also if i want to connect on two firewalls active/standby two DMZ switches, one DMZ switch to connect to primary asa one to secondary asa and on both switches to connect DMZ servers redundantly , do you have some solution for that, some configuration ?</P><P>The reason for second question in real situation I will have two servers in dmz that have to works in same time and physically separate and I need that servers works all the time in dmz that connect to switches that connect to pair Farewell active/standby.</P> Thu, 25 Jul 2019 11:44:44 GMT https://community.cisco.com/t5/network-security/asa-failover-dmz-question/m-p/3897528#M25068 Mjokovic88 2019-07-25T11:44:44Z https://community.cisco.com/t5/network-security/asa-failover-dmz-question/m-p/3899660#M25069 <P>Hello there ,</P><P>&nbsp;</P><P>It seems as though your lab setup could have a flaw , would you be able to share your physical cross connects lab diagram as well as your logical diagram vlans etc..&nbsp; ? there could be many reasons your servers did not communicate correctly with the firewall when firewalls switched to the standby.</P><P>&nbsp;</P><P>Below is a URL with a straight forward A/S deployment , go over this link, if you are introducing two switches in your design you need to keep in mind that if Active FW connects to one switch and the&nbsp; Standby&nbsp; to another switch both switches must be connected and they have to be able to be aware of&nbsp; VLANs you have allocated for each of the firewall interfaces you have configured them with - proper cross connects and proper VLAN assignments in the switches is key to for proper fail-over events and systems to continue their communications&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html</A></P><P>&nbsp;</P><P>Additionally I have attached an basic site cross-connect diagram to help you with the physical aspect.&nbsp; Again, if you do have configurations of your switches and firewall we could sanity check to see where is the flaw.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jul 2019 01:51:19 GMT https://community.cisco.com/t5/network-security/asa-failover-dmz-question/m-p/3899660#M25069 JORGE RODRIGUEZ 2019-07-30T01:51:19Z