Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1069
Views
0
Helpful
7
Replies

ASA - Direct redundant connection to Active/Standby cluster

Go to solution
Eric Snijders
Level 1
Level 1

‎10-18-2018 11:50 PM - edited ‎02-21-2020 08:22 AM

Hi all!

 

I think my question is pretty simple, but i haven't done this before, and ASA in GNS3 still has some bugs so i'm having a hard time trying to emulate this.

 

Consider the following configuration:

c9X0K0x

 

 

So Gi0/6 between the Active and the Standby is the Failover link.
Now i want both firewalls to have a uplink to FW01, which should be redundant.

 

I think a "redundant interface" is the thing i need, but is this going to work the way i think it is? If i configure a redundant interface on FW01, and on FW02 the Gi0/0 interface is the "active" interface towards FW01, what will happen if a failover occurs? Will the Gi0/1 interface on the Standby automatically becomes active? Because that is exactly what i'm looking for.

 

Thanks in advance, and have a very nice day!

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎10-19-2018 12:35 AM

No, this is not how redundant interfaces work. FW01 has no clue which ASA is active.

You need a switch between FW01 and FW02. Let's assume you want more redundancy and use two independent switches (not a stack). Then you can configure redundant interfaces on FW01 to these two switches.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Karsten Iwen
VIP
VIP

‎10-19-2018 12:35 AM

No, this is not how redundant interfaces work. FW01 has no clue which ASA is active.

You need a switch between FW01 and FW02. Let's assume you want more redundancy and use two independent switches (not a stack). Then you can configure redundant interfaces on FW01 to these two switches.

0 Helpful

Go to solution
Eric Snijders
Level 1
Level 1
In response to Karsten Iwen

‎10-19-2018 12:52 AM

Hi Karsten,

 

Thanks for the info and the fast reply.

So if i get this straight, this is the way to go:

610PHnk

 

In this case SW01 is a stack so should connect Gi0/0 from FW02_act to the first stack member, and Gi0/0 of FW02_stby to the second stackmember, right?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Eric Snijders

‎10-19-2018 12:58 AM

You have multiple options here. I would connect FW01 with an EtherChannel to both stack members. For FW02, you can connect FW02-primary to the first switch and FW02-secondary to the second switch. Or you can connect both ASAs with two interfaces each to both switches for even more redundancy but also increased complexity.

0 Helpful

Go to solution
Eric Snijders
Level 1
Level 1
In response to Karsten Iwen

‎10-19-2018 01:05 AM

Thanks again Karsten!
I think we only have 1 physical port left on FW01 so i guess i'll just connect that one to SW01 pretty simple. For FW02 i can at least bring in some redundancy.

 

Thanks again and have a very nice day!

0 Helpful

Go to solution
tangney@northwestern.edu
Level 1
Level 1
In response to Karsten Iwen

‎12-04-2018 12:07 PM

Hi Karsten,

 

Is it preferred to configure EtherChannel or redundant interfaces from FW1 to the switch?

 

Thank you,

 

Tamara

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to tangney@northwestern.edu

‎12-04-2018 12:32 PM

If the switch is one logical device, I would prefer to use EtherChannels. Only if you have two switches and these devices are independent (no stack, VSS or something like that) then I use redundant interfaces.

0 Helpful

Go to solution
tangney@northwestern.edu
Level 1
Level 1
In response to Karsten Iwen

‎12-04-2018 01:12 PM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card