Cisco ASA failover question

aslaiciunaite
Level 1

Hello all,

I have a question about the following Cisco ASA failover scenario. Let's say it's a very simple lab scenario:

ASA1 (active) -> failover link GE 0/0 IP 10.10.10.1 -> interface 3 [switch1] interface 4 <- failover link GE 0/0 IP 10.10.10.2 <- ASA2 (standby)

ASA1 (active) -> inside interface GE 0/1.10 IP 192.168.50.254 -> interface 20 [switch2] interface 21 <- inside interface GE 0/1.10 IP 10.168.50.253 (standby) <- ASA2

So, the idea is that the failover links of the ASA devices connect through switch1, and the inside interfaces connect to switch2. The inside interface is actually a subinterface and it is monitored for failover. What happens if someone misconfigures port 20 on switch2 and layer 3 connectivity goes down? Let's say there's a wrong VLAN now on port 20. Will the ASA sense this and fail over to the standby device? Or will it be ignorant about this, as its own interface is healthy?

Thank you for your thoughts in advance!

1 Reply

Rodrigo Gurriti
Level 3

ASAs keep track of their monitored interface using a Cisco protocol. If the interface is UP but they cannot reach each other they will send a message (snmp or syslog) and inform you that there is a problem with the interface communication.

You can see the error here:

show failover

  Interface outside (192.168.0.1): Normal
  Interface inside (10.3.0.1): Normal
  Interface dmz (192.168.1.1): Normal (Not-Monitored)  ----> Not monitored
  Interface dmz2 (192.168.2.1): Normal (Waiting) --> interface is not communicating with peer.


For more info:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s7.html#pgfId-1634344

Note: There will be no failover in this situation.
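As an added example (not part of the thread and not Cisco's own tooling), the following Python script parses the interface lines of `show failover` output and flags monitored interfaces that are not reporting a plain Normal state. Because the "Waiting" condition described in the reply does not trigger a failover on its own, catching it in a scheduled check is the practical way to notice a switch-side misconfiguration like the one in the question. The sample output is constructed, modelled on the reply above; the interface names and addresses in it are made up.

```python
import re

# Constructed sample output, modelled on the reply above (not captured from a real device).
# The "mgmt" line is an additional made-up entry showing a Failed state.
SAMPLE_SHOW_FAILOVER = """\
  Interface outside (192.168.0.1): Normal
  Interface inside (10.3.0.1): Normal
  Interface dmz (192.168.1.1): Normal (Not-Monitored)
  Interface dmz2 (192.168.2.1): Normal (Waiting)
  Interface mgmt (10.9.9.1): Failed
"""

# One "Interface <name> (<ip>): <state>" line of show failover output.
LINE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]*)\):\s+(.+?)\s*$")


def parse_interface_states(output):
    """Return a list of (name, ip, state) tuples, one per 'Interface ...' line."""
    states = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            states.append((m.group(1), m.group(2), m.group(3)))
    return states


def classify(state):
    """Map a state string to 'ok', 'unmonitored', 'degraded' or 'failed'.

    'Normal (Waiting)' means the link is up but no hello messages are arriving
    from the peer, which is exactly the case the reply describes: the ASA
    reports it but does not fail over, so it must be flagged explicitly.
    """
    if "Not-Monitored" in state:
        return "unmonitored"
    if state == "Normal":
        return "ok"
    if state.startswith("Normal"):
        return "degraded"
    # Anything else (e.g. Failed, Testing) needs attention as well.
    return "failed"


def find_problems(output):
    """Return the monitored interfaces whose state is not plain Normal."""
    return [
        (name, ip, state)
        for name, ip, state in parse_interface_states(output)
        if classify(state) in ("degraded", "failed")
    ]


if __name__ == "__main__":
    for name, ip, state in find_problems(SAMPLE_SHOW_FAILOVER):
        print(f"ALERT: interface {name} ({ip}) is in state '{state}'")
```

Feed it the real output of `show failover` (for example via an SSH collector) and raise an alert on any non-empty result; an interface stuck in Waiting after a VLAN change on the switch is then visible even though the ASA itself stays active.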
