Solved: ASA - Direct redundant connection to Active/Standby cluster

Eric Snijders · ‎10-18-2018

Hi all!

I think my question is pretty simple, but i haven't done this before, and ASA in GNS3 still has some bugs so i'm having a hard time trying to emulate this.

Consider the following configuration:

So Gi0/6 between the Active and the Standby is the Failover link.
Now i want both firewalls to have a uplink to FW01, which should be redundant.

I think a "redundant interface" is the thing i need, but is this going to work the way i think it is? If i configure a redundant interface on FW01, and on FW02 the Gi0/0 interface is the "active" interface towards FW01, what will happen if a failover occurs? Will the Gi0/1 interface on the Standby automatically becomes active? Because that is exactly what i'm looking for.

Thanks in advance, and have a very nice day!

Karsten Iwen · ‎10-19-2018

No, this is not how redundant interfaces work. FW01 has no clue which ASA is active.

You need a switch between FW01 and FW02. Let's assume you want more redundancy and use two independent switches (not a stack). Then you can configure redundant interfaces on FW01 to these two switches.

View solution in original post

Karsten Iwen · ‎10-19-2018

No, this is not how redundant interfaces work. FW01 has no clue which ASA is active.

You need a switch between FW01 and FW02. Let's assume you want more redundancy and use two independent switches (not a stack). Then you can configure redundant interfaces on FW01 to these two switches.

Eric Snijders · ‎10-19-2018

Hi Karsten,

Thanks for the info and the fast reply.

So if i get this straight, this is the way to go:

In this case SW01 is a stack so should connect Gi0/0 from FW02_act to the first stack member, and Gi0/0 of FW02_stby to the second stackmember, right?

Karsten Iwen · ‎10-19-2018

You have multiple options here. I would connect FW01 with an EtherChannel to both stack members. For FW02, you can connect FW02-primary to the first switch and FW02-secondary to the second switch. Or you can connect both ASAs with two interfaces each to both switches for even more redundancy but also increased complexity.

Eric Snijders · ‎10-19-2018

Thanks again Karsten!
I think we only have 1 physical port left on FW01 so i guess i'll just connect that one to SW01 pretty simple. For FW02 i can at least bring in some redundancy.

Thanks again and have a very nice day!

tangney@northwestern.edu · ‎12-04-2018

Hi Karsten,

Is it preferred to configure EtherChannel or redundant interfaces from FW1 to the switch?

Thank you,

Tamara

Karsten Iwen · ‎12-04-2018

If the switch is one logical device, I would prefer to use EtherChannels. Only if you have two switches and these devices are independent (no stack, VSS or something like that) then I use redundant interfaces.

tangney@northwestern.edu · ‎12-04-2018

Thank you!