Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2474
Views
0
Helpful
3
Replies

ASA 5520 - Failover on sub-interface

gianrocco
Level 1
Level 1

‎12-07-2009 03:51 AM - edited ‎03-11-2019 09:46 AM

Hi All,

I'm tryng to configure Active/Stanby failover on two ASA-5520, regular and statefull, on two sub-interfaces, but I receive the same ERROR:

"Can not configure failover interface on a shared physical interface"

It is possible? and how can I resolve?

Regards

Labels:
0 Helpful
3 Replies 3

andre.ortega
Spotlight
Spotlight

‎12-07-2009 05:16 AM

You cant use a sub-interface.

LAN-Based Failover Link

You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface. It exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the stateful failover link).

Regards.

0 Helpful

Stuart Hare
Level 1
Level 1

‎12-07-2009 08:23 AM

Hi

You can configure Failover on sub-interfaces as long as the physical interface is dedicated to failover.

I.e. you can have 2 vlans one for lan based failover and one for state.

If you are using the same physical interface for any other vlans i.e. inside or outside interfaces then this is not allowed.

HTH

Stu

0 Helpful

Rafal Sobecki
Level 1
Level 1
In response to Stuart Hare

‎09-03-2015 03:18 AM

Hi

I know this thread is old but did not find a more relevant one for my question and could not find any specific guidelines on cisco.com abt. using one dedicated interface for both failover and state vs. creating two subinterfaces - one for failover and the other for state.

In my setup, EtherChannel (Gi0/4 + Gi0/5) is dedicated for both failover and state and two L2 catalyst stacks connected in series sit between the ASAs:

ASA1=STACK1=STACK2=ASA2

In this setup STACK ports facing the ASAs are regular access ports (with a dedicated VLAN present in the 802.1q trunk between the stacks)

Alternatively, I can imagine breaking down the EtherChannel interfaces into subinterfaces on the ASAs and converting the ASA=STACK links from access into trunks.

But in the end, are there any practical advantages which would justify the configuration/management slight overhead?

Regards,

Rafal

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card