Welcome to Cisco Firewalls Community

Dual FTD and ASA HA Stack

Working on a design to essentially deploy a secondary 4110 with FTD and another 5555-X for VPN HA. My current thought process is to simply use static routes from the ASR down, and from FTD up, with SLAs, since no dynamic routing is currently used within the stack. Doing so would allow me to update the L2 WAN switches depicted in the diagram, I believe, without issue. A few things I am trying to get a better grasp on:

- How would FTD react if outbound traffic left FTD1 E1/2.YY, I then upgrade WAN1 (it goes down), and the ASR drops the route per SLA to then use the path ASR G0/3.YY-->WAN2-->FTD1? Is there an issue due to asynchronous routing here that I should be aware of?

- Inside traffic from the core would just default to X.X.1.114 as depicted in the diagram, so I do not see any issues here from internal out; concur?

- Is a dedicated 10G connection between FTD1 and FTD2 sufficient for both the failover and stateful link? Or is it best practice to use a single dedicated link for each?

- As mentioned, no dynamic routing is currently used in the stack, so the thought is static routes with SLAs. Unless there is an easier way of providing two paths out for the 4110s?

- Pretty sure the certificates from the ASA will replicate over to the VPN2 ASA for the VPN front end, correct?

Just trying to have a solid grasp on the design thoughts as I plan to lab this out soon.

Any suggestions are appreciated!