topic Cisco ASA Heartbeart Failover (Direct Connection) in Network Security

Cisco ASA Heartbeart Failover (Direct Connection)

Ramraj Sivagnanam Sivajanam — Mon, 11 Mar 2019 20:16:15 GMT

Hi There

I need some advice please. Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.

My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?

I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.

Can someone confirm this please? Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.

Regards,

Ram

Re: Cisco ASA Heartbeart Failover (Direct Connection)

Jennifer Halim — Mon, 04 Apr 2011 05:03:08 GMT

You can use any of the 2 methods, as there is no issue with any of them.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551

Please also note:

The adaptive security appliance supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

Hope that helps.

Re: Cisco ASA Heartbeart Failover (Direct Connection)

Ramraj Sivagnanam Sivajanam — Mon, 04 Apr 2011 05:06:58 GMT

Hi Jennifer

Thank you so much for your kind feedback, as always. I understand that both method works. In fact, I just saw this statement in this URL as well http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html

However, which one of these method is classified as Cisco's best practise? both methods are Cisco's best practise or the method with the switch in between both the Firewall's heartbeat link?

Regards,

Ram

Re: Cisco ASA Heartbeart Failover (Direct Connection)

Jennifer Halim — Mon, 04 Apr 2011 05:12:09 GMT

Best practise would be to use a switch because it would be easier for troubleshooting purposes when you investigate failure, as the switch port will tell you that there is an interface failure.