https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347210#M777308 <P>Hi</P><P>I know this thread is old but did not find a more relevant one for my question and could not find any specific guidelines on cisco.com abt. using one dedicated interface for both failover and state&nbsp;vs. creating two subinterfaces&nbsp;- one for failover and the other for state.</P><P>In my setup, EtherChannel (Gi0/4 + Gi0/5) is dedicated for both failover and state and two L2 catalyst stacks connected in series sit between the ASAs:</P><P>ASA1=STACK1=STACK2=ASA2</P><P>In this setup STACK ports facing the ASAs are regular access ports (with a dedicated VLAN present in the 802.1q trunk between the stacks)</P><P>Alternatively, I can imagine&nbsp;breaking down the EtherChannel interfaces into subinterfaces on the ASAs and converting the ASA=STACK links from access into trunks.</P><P>But in the end, are there any practical advantages which would justify the configuration/management slight overhead?</P><P>Regards,</P><P>Rafal</P> Thu, 03 Sep 2015 10:18:59 GMT Rafal Sobecki 2015-09-03T10:18:59Z https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347207#M777305 <P>Hi All,</P><P>I'm tryng to configure Active/Stanby failover on two ASA-5520, regular and statefull, on two sub-interfaces, but I receive the same ERROR:</P><P></P><P>"Can not configure failover interface on a shared physical interface"</P><P></P><P>It is possible? and how can I resolve?</P><P></P><P>Regards</P> Mon, 11 Mar 2019 16:46:08 GMT https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347207#M777305 gianrocco 2019-03-11T16:46:08Z https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347208#M777306 <HTML><HEAD></HEAD><BODY><P>You cant use a sub-interface.</P><P></P><P></P><H3 class="p_H_Head4">LAN-Based Failover Link</H3><A name="wp1184196"></A><A name="wpmkr1184195"></A><P class="pB1_Body1">You can use any <SPAN style="color: #ff0000;">unused</SPAN> Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN<SPAN style="color: #ff0000;"> failover link interface is not configured as a normal networking interfac</SPAN>e. It exists for failover communication only. <SPAN style="color: #ff0000;">This interface should only be used for the LAN failover link </SPAN>(and optionally for the stateful failover link).</P><P></P><P class="pB1_Body1"></P><P class="pB1_Body1">Regards.</P></BODY></HTML> Mon, 07 Dec 2009 13:16:21 GMT https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347208#M777306 andre.ortega 2009-12-07T13:16:21Z https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347209#M777307 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>You can configure Failover on sub-interfaces as long as the physical interface is dedicated to failover.</P><P>I.e. you can have 2 vlans one for lan based failover and one for state.</P><P></P><P>If you are using the same physical interface for any other vlans i.e. inside or outside interfaces then this is not allowed.</P><P></P><P>HTH</P><P>Stu</P></BODY></HTML> Mon, 07 Dec 2009 16:23:03 GMT https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347209#M777307 Stuart Hare 2009-12-07T16:23:03Z https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347210#M777308 <P>Hi</P><P>I know this thread is old but did not find a more relevant one for my question and could not find any specific guidelines on cisco.com abt. using one dedicated interface for both failover and state&nbsp;vs. creating two subinterfaces&nbsp;- one for failover and the other for state.</P><P>In my setup, EtherChannel (Gi0/4 + Gi0/5) is dedicated for both failover and state and two L2 catalyst stacks connected in series sit between the ASAs:</P><P>ASA1=STACK1=STACK2=ASA2</P><P>In this setup STACK ports facing the ASAs are regular access ports (with a dedicated VLAN present in the 802.1q trunk between the stacks)</P><P>Alternatively, I can imagine&nbsp;breaking down the EtherChannel interfaces into subinterfaces on the ASAs and converting the ASA=STACK links from access into trunks.</P><P>But in the end, are there any practical advantages which would justify the configuration/management slight overhead?</P><P>Regards,</P><P>Rafal</P> Thu, 03 Sep 2015 10:18:59 GMT https://community.cisco.com/t5/network-security/asa-5520-failover-on-sub-interface/m-p/1347210#M777308 Rafal Sobecki 2015-09-03T10:18:59Z