Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1532
Views
0
Helpful
5
Replies

ASA 5520 Failover with SLA

ross_rulz
Level 1
Level 1

‎07-20-2011 08:53 PM - edited ‎03-11-2019 02:01 PM

Hi guys,

Is it possible to setup 2 x Cisco ASA 5520 that are in an Active/Standby failover using sla monitoring?

For example ASA1 outside interface connects to an upstream switch and you setup sla monitor with icmp echo to ping that switch. The switch goes down and you need the other ASA2 to become the Active ASA. Can the sla monitor be automatically integrated with the failover commands for this to happen?

Any help would be appreciated.

Thanks,

Ross. 

Labels:
0 Helpful
5 Replies 5

varrao
Level 10
Level 10

‎07-20-2011 09:36 PM

Hi Ross,

you would need to configure active/standby failover, and this is possible if you have the following setup:

                            Switch

                         /         \

                        /           \

                       /             \

                      /               \

                     / Inside      Inside

                    /                   \

                   /                     \

                  /                       \

                ASA1----------------------ASA2

                  |     Failover Link     |

                  |                           |

                  |                           |

                  |Outside                |outside

                  |                           |

                  |                           |

                 Switch                  Switch

                   \                      /

                    \                    /

                     \                  /

                      \                /

                       \              /

                        Internet Router

  This would be the failover behavior, now if the Switch connected to your active device goes down, the ASA would failover and all internet traffic would start going through the second ASA.

For more ideas, you can refer to this doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030products_configuration_example09186a00807dac5f.shtml#acti

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

ross_rulz
Level 1
Level 1
In response to varrao

‎07-20-2011 09:48 PM

Hi Varun,

Thanks for for reply. But our setup will not be using the oustide interface as part of the failover between the 2 ASA's. Thats why I'm asking if you can tie sla monitor with icmp echo to automatically failover to the other ASA.

Thanks,

Ross.

0 Helpful

varrao
Level 10
Level 10
In response to ross_rulz

‎07-20-2011 09:53 PM

Hi Ross,

If the outside interface is not a part of the failover, the firewalls would not be able to detect, whether trhe outside interface is down or not, and that might be difficult to trigger a failover of devices.

-Varun

Thanks,
Varun Rao
0 Helpful

ross_rulz
Level 1
Level 1
In response to varrao

‎07-20-2011 10:12 PM

Hi Varun,

Thanks for that. How would failover work if the 2 ASA's outside interfaces are plugged into the same switch with failover configured and that switch goes down? Would the active failover to the standby?

Thanks,

Ross.

0 Helpful

varrao
Level 10
Level 10
In response to ross_rulz

‎07-20-2011 10:39 PM

Hi Ross,

If the outside interfaces are configured on the same switch, and if only the interface on the switch which is connected to the active device, goes down, then the failover woudl happen, but if the whole switch goes down completely then both devices would go in failed state, so there would be no internet connectivity.

If you have the outside interface of the two firewalls connected on different switches , then if one switch goes down then there would not be any network down situation. But just make sure the two outside interface are in the same vlan and the switchports are trunked.

Hope this helps,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card