https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426212#M731553 <HTML><HEAD></HEAD><BODY><P>OK. Quite an interesting discussion. So as I understand 2 switches is the best solution and two cables is the cheaper choice.</P><P></P><P>I have the other question. We want to connect both ASAs to our inside network trought switch.</P><P>Is it possible to double switch on inside site of ASAs so to have failover not only over ASAs but with switchs too.</P><P>Maybe better question should stands if ASAa understand soanning tree?</P><P></P><P>BR</P><P>gg</P></BODY></HTML> Tue, 26 Jan 2010 21:21:38 GMT gabrielgr 2010-01-26T21:21:38Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426206#M731547 <P>Hi all,</P><P>Iv read a many about failover cabling so pls. give me advice for next:</P><P></P><P>We have two boxes of ASAa so no connector for serial cable as in PIX was and we want to configure these ASAs in stateful failover:</P><P></P><P>Cisco says <SPAN class="content"><STRONG>... </STRONG>Instead of using a crossover Ethernet cable to directly link the &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;units, Cisco recommends that you use a dedicated switch between the primary and &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;secondary units.</SPAN></P><P></P><P>But someone says you can conect both ASAs with two crossover cables for failover and statefulity</P><P></P><P></P><P>What is right?</P><P></P><P>BR</P><P>gg</P> Mon, 11 Mar 2019 17:01:00 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426206#M731547 gabrielgr 2019-03-11T17:01:00Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426207#M731548 <HTML><HEAD></HEAD><BODY><P>We connected two PIX firewalls to switches but that was because the PIX's were 500m apart (The switches were then connected to each other by fibre).</P><P></P><P>However, if your ASA's are near each other I can't see why it would be any better or any worse to use crossover ethernet cables for the failover and stateful failover connections.</P><P></P><P>Connecting to a switch would be fine too, but crossover cables would be cheaper.</P><P></P><P>Pete</P></BODY></HTML> Mon, 25 Jan 2010 13:49:14 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426207#M731548 peter.mainwaring 2010-01-25T13:49:14Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426208#M731549 <HTML><HEAD></HEAD><BODY><P>Always use a switch and not a cross over cable.&nbsp; The reason being, what if the port on one unit goes bad? Due to the fact that the two ends are connected via the cross over cable both ends may show down.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051745">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051745</A></P><P></P><P></P><P><SPAN class="content">When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down. </SPAN></P><P></P><P>-KS</P></BODY></HTML> Mon, 25 Jan 2010 14:15:34 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426208#M731549 Kureli Sankar 2010-01-25T14:15:34Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426209#M731550 <HTML><HEAD></HEAD><BODY><P>That is true, but what if the switch failed? You would be in the same position.</P><P></P><P>I wouldn't argue against using a switch though. I suppose you pay your money and take your choice.</P><P></P><P>Pete</P></BODY></HTML> Mon, 25 Jan 2010 15:33:35 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426209#M731550 peter.mainwaring 2010-01-25T15:33:35Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426210#M731551 <HTML><HEAD></HEAD><BODY><P>Two switches <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P>Usually people have two switches. Primary unit is plugged into one and the secondary is plugged into the other.</P><P></P><P>-KS</P></BODY></HTML> Mon, 25 Jan 2010 16:08:35 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426210#M731551 Kureli Sankar 2010-01-25T16:08:35Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426211#M731552 <HTML><HEAD></HEAD><BODY><P>OK - I wouldn't argue against using two switches either.</P><P></P><P>That does lead back to the point I made about cost though - i.e. there is a big difference between two crossover cables and two switches (with 6 patch cables - 3 for failover and 3 for stateful failover).</P><P></P><P>You pay more of your money and take your choice.<SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Seriously though, I agree - two switches would be the best solution.</P><P></P><P>Pete</P></BODY></HTML> Mon, 25 Jan 2010 16:28:17 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426211#M731552 peter.mainwaring 2010-01-25T16:28:17Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426212#M731553 <HTML><HEAD></HEAD><BODY><P>OK. Quite an interesting discussion. So as I understand 2 switches is the best solution and two cables is the cheaper choice.</P><P></P><P>I have the other question. We want to connect both ASAs to our inside network trought switch.</P><P>Is it possible to double switch on inside site of ASAs so to have failover not only over ASAs but with switchs too.</P><P>Maybe better question should stands if ASAa understand soanning tree?</P><P></P><P>BR</P><P>gg</P></BODY></HTML> Tue, 26 Jan 2010 21:21:38 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426212#M731553 gabrielgr 2010-01-26T21:21:38Z https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426213#M731554 <HTML><HEAD></HEAD><BODY><P>Gabriel,</P><P></P><P>It will depend entirely on which ASA model you have, how your pair is configured, i.e. active/active with multiple contexts, transparent vs routed, etc.&nbsp; In the simplest configuration, you absolutely can use two switches and the ASA pair for a redundant configuration.&nbsp; You could use two switches, either trunked, or stacked (as in Cat3750/60's).&nbsp;&nbsp; Create a vlan, or use an existing vlan already assigned to your inside network, assign the vlan to a switch port on each switch, and plug your primary ASA into one switch and the secondary into the other.&nbsp; As the switches are trunking, you don't need to worry about the ASA's supporting spanning-tree.&nbsp; however, you can set up an ASA interface as a trunking port, with version 7.2 and higher (I think.)&nbsp; See the configuration guide for details:</P><P></P><P><A href="http://www.ciscosystems.ch/en/US/docs/security/asa/asa82/configuration/guide/intrface.html">http://www.ciscosystems.ch/en/US/docs/security/asa/asa82/configuration/guide/intrface.html</A></P></BODY></HTML> Tue, 26 Jan 2010 22:45:28 GMT https://community.cisco.com/t5/network-security/asa-active-standby-failover-cabling/m-p/1426213#M731554 swim_or_die 2010-01-26T22:45:28Z