01-25-2010 04:31 AM - edited 03-11-2019 10:01 AM
Hi all,
I've read a lot about failover cabling, so please give me advice on the following:
We have two ASA boxes, so there is no connector for a serial cable as there was on the PIX, and we want to configure these ASAs in stateful failover:
Cisco says ... Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units.
But someone says you can connect both ASAs with two crossover cables for failover and stateful failover.
What is right?
BR
gg
01-25-2010 05:49 AM
We connected two PIX firewalls to switches, but that was because the PIXs were 500m apart (the switches were then connected to each other by fibre).
However, if your ASAs are near each other, I can't see why it would be any better or any worse to use crossover ethernet cables for the failover and stateful failover connections.
Connecting to a switch would be fine too, but crossover cables would be cheaper.
Pete
01-25-2010 06:15 AM
Always use a switch and not a crossover cable. The reason being, what if the port on one unit goes bad? Due to the fact that the two ends are connected via the crossover cable, both ends may show down.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051745
When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.
-KS
01-25-2010 07:33 AM
That is true, but what if the switch failed? You would be in the same position.
I wouldn't argue against using a switch though. I suppose you pay your money and take your choice.
Pete
01-25-2010 08:08 AM
Two switches
Usually people have two switches. Primary unit is plugged into one and the secondary is plugged into the other.
-KS
01-25-2010 08:28 AM
OK - I wouldn't argue against using two switches either.
That does lead back to the point I made about cost though - i.e. there is a big difference between two crossover cables and two switches (with 6 patch cables - 3 for failover and 3 for stateful failover).
You pay more of your money and take your choice.
Seriously though, I agree - two switches would be the best solution.
Pete
01-26-2010 01:21 PM
OK. Quite an interesting discussion. So as I understand it, two switches is the best solution and two cables are the cheaper choice.
I have another question. We want to connect both ASAs to our inside network through a switch.
Is it possible to double the switch on the inside side of the ASAs, so as to have failover not only over the ASAs but over the switches too?
Maybe the better question is whether ASAs understand spanning tree?
BR
gg
01-26-2010 02:45 PM
Gabriel,
It will depend entirely on which ASA model you have and how your pair is configured, i.e. active/active with multiple contexts, transparent vs. routed, etc. In the simplest configuration, you absolutely can use two switches and the ASA pair for a redundant configuration. You could use two switches, either trunked or stacked (as in Cat3750/60s). Create a VLAN, or use an existing VLAN already assigned to your inside network, assign the VLAN to a switch port on each switch, and plug your primary ASA into one switch and the secondary into the other. As the switches are trunking, you don't need to worry about the ASAs supporting spanning-tree. However, you can set up an ASA interface as a trunking port with version 7.2 and higher (I think). See the configuration guide for details:
http://www.ciscosystems.ch/en/US/docs/security/asa/asa82/configuration/guide/intrface.html
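To make the two designs discussed above concrete, here is an added configuration example (not from any post in this thread and not Cisco's own documentation) for an active/standby pair in routed mode: it puts the LAN failover and stateful links on a dedicated VLAN of a switch, as KS's post recommends instead of a crossover cable, and it plugs the primary ASA's inside interface into one inside switch and the secondary's into a second, trunked switch, as the last answer describes. The software generation (8.x), interface names (Gi0/1 inside, Gi0/2 failover link, Gi0/3 stateful link on the ASA; Gi1/0/x on a Catalyst 3750-class switch), VLAN numbers and /30 addresses are all assumptions; the shared failover key is a placeholder. The `monitor-interface inside` line is the piece that makes the two-switch design useful for failover: without interface monitoring, a dead inside switch would take the active unit's inside leg down without triggering a switchover.

```cisco
! ===== Primary ASA (8.x, routed, active/standby) =====
! Added example; interface names, VLANs and addresses are assumed values.
interface GigabitEthernet0/2
 description LAN failover link (dedicated failover VLAN on switch)
 no shutdown
interface GigabitEthernet0/3
 description Stateful failover link (dedicated VLAN on switch)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
! Encrypts/authenticates the failover and state traffic between the peers.
failover key <shared-secret-placeholder>
! Monitor the inside data interface so that losing the inside switch (or its
! port) counts as an interface failure and triggers a switchover.
monitor-interface inside
! Hello every 5 s on monitored interfaces, declare the interface failed at 25 s.
failover polltime interface 5 holdtime 25
failover
!
! ===== Secondary ASA =====
! Only the unit role differs; the remaining configuration is replicated from
! the active unit over the failover link once "failover" is enabled here.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover key <shared-secret-placeholder>
failover
!
! ===== Inside switch A (Catalyst IOS; switch B mirrors this with the
!       secondary ASA in the same VLANs and the trunk back to switch A) =====
vlan 10
 name INSIDE
vlan 900
 name ASA-FAILOVER
vlan 901
 name ASA-STATE
!
interface GigabitEthernet1/0/1
 description Primary ASA inside (Gi0/1)
 switchport mode access
 switchport access vlan 10
 ! The ASA does not run STP, so the port can forward immediately.
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Primary ASA LAN failover link (Gi0/2) - carry nothing else here
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Primary ASA stateful link (Gi0/3)
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description Trunk to inside switch B (carries VLANs 10, 900 and 901)
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Because the failover and stateful links go through a switch port on each side, `show failover` on either unit can report its own failover interface as up while the peer is unreachable, which is exactly the troubleshooting distinction the quoted Cisco text says a crossover cable hides. Keeping VLANs 900 and 901 off every port except the two ASA ports and the trunk limits what can disturb the failover hellos.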