Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1498
Views
0
Helpful
3
Replies

Some questions about implementing ASA Active/Standby Failover

Go to solution
jgeorge
Level 1
Level 1

‎10-26-2011 02:44 PM

Some background info: I attached a simple version of my network. I haven't turned on failover yet as I have a few questions.  You can see two links coming out of the ASA and into the next switch. One is for the inside interface and the other is for the failover_over interface.

1) Since I am monitoring the outside interface, will failover happen if internet connecivity goes down but the interface stays up?

2) I have EIGRP on the outside interface, will this cause any problems with the Standby ASA. What I mean is that I know that when the ASA is in standby it has the standby IP address. Would the standby ASA try to form EIGRP neighbors?

Capture.PNG

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jgeorge

‎10-27-2011 06:53 PM

I'm not sure if the standby ASA would form an EIGRP neighbor adjacency. The documentation appears to be silent on that aspect. I don't have a lab pair handy to try it. If you have a maintenance window opportunity, you could always pop in the configs and "show eigrp neighbor" from each unit and then revert.

Personally I wouldn't run a routing protocol on the ASAs. I'd prefer to just give the pair a static default route on the outside interface to an HSRP (or other FHRP) virtual IP on the ISP-connected routers (via an external switch). Similarly, the default gateway for the internal side would be the primary inside interface address of the ASA pair.

I'm assuming you left off the inter-ASA HA interface for drawing simplicity.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-26-2011 06:00 PM

Jason,

A HA ASA setup would typically have a shared external segment as well. Depending on your details, there are several reasons why what you have might cause problems. For example, the outside interface IP should be common - problematic with two independent ISPs. Have you taken a look at Cisco's example configurations? (See this link.)

0 Helpful

Go to solution
jgeorge
Level 1
Level 1
In response to Marvin Rhoads

‎10-27-2011 12:47 PM

I should have just drawn 1 ISP cloud I guess. The routers above the ASA have BGP running on them so the IP of the extneral interface can switch back and forth between either side and work fine. Will the standby ASA form EIGRP neighbors?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jgeorge

‎10-27-2011 06:53 PM

I'm not sure if the standby ASA would form an EIGRP neighbor adjacency. The documentation appears to be silent on that aspect. I don't have a lab pair handy to try it. If you have a maintenance window opportunity, you could always pop in the configs and "show eigrp neighbor" from each unit and then revert.

Personally I wouldn't run a routing protocol on the ASAs. I'd prefer to just give the pair a static default route on the outside interface to an HSRP (or other FHRP) virtual IP on the ISP-connected routers (via an external switch). Similarly, the default gateway for the internal side would be the primary inside interface address of the ASA pair.

I'm assuming you left off the inter-ASA HA interface for drawing simplicity.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card