ASA failover behind another ASA in failover

Emmanuel_Roberts · ‎12-03-2014

Hi all,

I have a very strange question and not sure if this is the right place but I'll try.

I currently have 2 ASA 5520 in Active/Standby failover in routed mode and working perfectly. I recently acquired 2 ASA 5525-X which I would like to temporally use behind the existing 5520s in transparent mode also in Active/Standby, as I would like to monitor the traffic. My problem is that although failover is configured for all of the devices and is working I can't seem to find a way to synchronize or enable failover when the first pair fails so the second pair follows the first.

I have played with the poll times on the second pair and used

failover polltime interface msec 500 holdtime 5

but that doesn't seem to make any difference.

Any suggestions?

Thank you,

M

Marvin Rhoads · ‎12-04-2014

You can't synchronize them for most failure scenarios.

If you put a switch between the routed pair and transparent pair, they won't need to be in sync.

Emmanuel_Roberts · ‎12-04-2014

Hi Marvin,

So if I understand this correctly, there is no way for the second pair to detect that the first pair has failed over unless there is a hardware failure. Just to add here that the firewalls are not doing any load balancing so there is only one active outside connection at any given time. So, unless I can force the second pair to detect the change I am actually stuck.

I would have thought that you could set the hold time on the interface to that affect but that doesn't work if the corresponding interface is alive but on standby.

Regards,