Solved: ASA Failover Connection--why need a dedicated switch

Gongyuan Yao · ‎10-23-2009

In Cisco doc (ID 77809), PIX/ASA: Active/Standby Failover Configuration Example, LAN-Based Active/Standby Failover Config, it states that: "Instead of using a crossover Ethernet cable to directly link the units, Cisco recommends that you use a dedicated switch between the primary and secondary units".

Please any one can let me know more about the reasoning behind it.

Also if we do not use "dedicated switch", instead, we use vlan in switch for this purpos. The config likes: primary ASA <--> primary switch <-->secondary switch <--> secondary ASA.

Tese two switches are distribution switches.

Can you see any problem?

Thanks.

Collin Clark · ‎10-23-2009

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure. You don't need a dedicated switch, you can use your distributions switches.

View solution in original post

Collin Clark · ‎10-23-2009

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure. You don't need a dedicated switch, you can use your distributions switches.