10-18-2018 11:50 PM - edited 02-21-2020 08:22 AM
Hi all!
I think my question is pretty simple, but I haven't done this before, and ASA in GNS3 still has some bugs, so I'm having a hard time trying to emulate this.
Consider the following configuration:
So Gi0/6 between the Active and the Standby is the Failover link.
Now I want both firewalls to have an uplink to FW01, which should be redundant.
I think a "redundant interface" is the thing I need, but is this going to work the way I think it is? If I configure a redundant interface on FW01, and on FW02 the Gi0/0 interface is the "active" interface towards FW01, what will happen if a failover occurs? Will the Gi0/1 interface on the Standby automatically become active? Because that is exactly what I'm looking for.
Thanks in advance, and have a very nice day!
10-19-2018 12:35 AM
No, this is not how redundant interfaces work. FW01 has no clue which ASA is active.
You need a switch between FW01 and FW02. Let's assume you want more redundancy and use two independent switches (not a stack). Then you can configure redundant interfaces on FW01 to these two switches.
10-19-2018 12:52 AM
Hi Karsten,
Thanks for the info and the fast reply.
So if I get this straight, this is the way to go:
In this case SW01 is a stack, so I should connect Gi0/0 from FW02_act to the first stack member, and Gi0/0 of FW02_stby to the second stack member, right?
10-19-2018 12:58 AM
You have multiple options here. I would connect FW01 with an EtherChannel to both stack members. For FW02, you can connect FW02-primary to the first switch and FW02-secondary to the second switch. Or you can connect both ASAs with two interfaces each to both switches for even more redundancy but also increased complexity.
10-19-2018 01:05 AM
Thanks again Karsten!
I think we only have 1 physical port left on FW01, so I guess I'll just connect that one to SW01, pretty simple. For FW02 I can at least bring in some redundancy.
Thanks again and have a very nice day!
12-04-2018 12:07 PM
Hi Karsten,
Is it preferred to configure EtherChannel or redundant interfaces from FW1 to the switch?
Thank you,
Tamara
12-04-2018 12:32 PM
If the switch is one logical device, I would prefer to use EtherChannels. Only if you have two switches and these devices are independent (no stack, VSS or something like that) then I use redundant interfaces.
12-04-2018 01:12 PM
Thank you!