Lan failover interface

mj11 — Mon, 11 Mar 2019 20:23:29 GMT

Hi All

I have 2 ASA's in A/S and just wondering about the Lan failover link and if this could be used to carry vlan information if I made this a Trunk interface.

I can enter the following information on the physical interface with no problems:

ASA-1(config)# interface eth 0/3
ASA-1(config-if)# switchport trunk allowed vlan 2-3,100

But I get the following error on when making this interface a trunk

ASA-1(config-if)# switchport mode trunk
ERROR: Interface is in use by failover. Remove failover configuration first

here is the configuration:

interface Vlan1
nameif inside
security-level 100
ip address 172.20.101.241 255.255.255.0 standby 172.20.101.242
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.6.10 255.255.255.0 standby 192.168.6.11
!
interface Vlan3
description LAN Failover Interface
!
interface Vlan100
no nameif
no security-level
no ip address
management-only
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport access vlan 3
switchport trunk allowed vlan 2-3,100
boot system disk0:/asa821-k8.bin
!

failover
failover lan unit primary
failover lan interface LANfailover Vlan3
failover interface ip LANfailover 10.100.100.1 255.255.255.0 standby 10.100.100.2

Any help much appreciated.

Regards MJ

Re: Lan failover interface

brquinn — Wed, 20 Apr 2011 03:20:05 GMT

You can configure a sub-interface for failover, but you cannot configure any other sub-interfaces for data. Even if you could configure it, it wouldn't be a good idea because a spike in traffic could cause missed hellos and unwanted failover events. Here is an example from my lab...

ciscoasa(config-subif)# sh run fail
no failover
failover lan unit primary
failover lan interface link GigabitEthernet3/0.1
ciscoasa(config-subif)#

ciscoasa(config-subif)# sh run int
...
interface GigabitEthernet3/0
!
interface GigabitEthernet3/0.1
description LAN Failover Interface
vlan 100
!

...

ciscoasa(config-subif)# int gi 3/0.2
ciscoasa(config-subif)# vlan 200
ciscoasa(config-subif)# nameif test
ERROR: Interface is in use by failover
INFO: Use failover command to configure interface name
ciscoasa(config-subif)#

The only thing you can do is configure both your failover lan and failover state links on the same physical interface. Per the Config Guide, this will result in an error.

******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********

  Sharing Stateful failover interface with regular data interface is not

  a recommended configuration due to performance and security concerns.

******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********

Bottom line: If you have the available interfaces, it is is best to give up 2 physical interfaces for failover.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077598

Thanks,

Brendan

topic Lan failover interface in Network Security

Lan failover interface

Re: Lan failover interface