
asa failover is it possible Ethernet cable to connect the appliances directly, without the need for an external switch in asa 5510

Anand Vp
Level 1

ASA failover: is it possible to use an Ethernet cable to connect the appliances directly, without the need for an external switch, on an ASA 5510? Please help me on this ...

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Sure, a direct Ethernet cable between the two units' designated failover interfaces works fine. Cisco recommends via a switch but it's not required.


Julio Carvajal
VIP Alumni

Hello Anand,

Yes, you can use an Ethernet cable to connect both devices. Cisco recommends a switch, but this is because it makes troubleshooting so much easier when you are having an issue regarding the failover interface.

Hope this helps, any other question just let me know.

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Anand Vp
Level 1

Thank you. I configured the ASA and it's working fine: one is active and the other one is standby. Please let me know ...

FW1:

sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 09:09:46 UTC Jan 19 2012
        This host: Primary - Active
                Active time: 1283 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (10.90.140.2): Normal (Waiting)
                  Interface management (192.168.1.2): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 1818 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

FW2:

sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 09:09:38 UTC Jan 19 2012
        This host: Secondary - Standby Ready
                Active time: 1818 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 1437 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (10.90.140.2): Normal (Waiting)
                  Interface management (192.168.1.2): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Unconfigured.


------------------------------------------------------------------------------------------

Dhiv.....

Hello Anand,

Yep, the failover cluster is up and running. As you can see, on the inside interface the state is Normal (Waiting); that means the hello packets for the failover monitoring are not being exchanged, just FYI.

Regards,

Julio

Do rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Anand Vp
Level 1

In this configuration the two ASA hostnames are showing the same, even when I change them. Then one more question: how much time will it take to fail over? Is there a way we can change the time? Thanks a lot.

Anand

In a failover pair the ASAs share a single configuration file and it is normal that both devices will share the same host name.

If you have given them different names then would I be correct in understanding that you went into the standby ASA and made a config change to its name? (if you made a change on the primary ASA it should sync the config to the backup and bring the names back to the same) If you have done this I would assume that it is a temporary change. At some point there will be an event which causes the primary ASA to sync the config files and when that happens it should make the host names the same again.

In my experience the failover is very quick. I assume that the timing may vary some depending on how the failover is initiated. We have tested failover using the software command and that failover is very fast. We have tested failover by failing power on the primary ASA and that failover is also very fast. If the failure were based on an interface failure then I assume that the timing of the failover would depend on how long it took to recognize and react to the interface failure - and there is some flexibility in those timers.

HTH

Rick


Hello Anand,

Just to add to what Richard has mentioned, the failover polltime (how often the failover pair exchanges hello packets to check if the other unit is active) is one second. You can configure sub-second failover (polltime: less than one second) to make it even faster; of course that will mean more traffic being sent on each interface being monitored.

Just for you to know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
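
Added example, not posted by any participant in this thread: it parses `show failover` text and lists the conditions discussed above, namely the Normal (Waiting) monitoring state from Julio's earlier reply and the poll/hold timers from the last two replies. The function names and the trimmed sample are constructed for illustration, and the field layout is assumed to match the 8.2(5) output posted earlier.

```python
import re

# Constructed sample: the FW1 "sh failover" output from this thread, trimmed.
SAMPLE = """\
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
        This host: Primary - Active
                  Interface inside (10.90.140.2): Normal (Waiting)
                  Interface management (192.168.1.2): No Link (Waiting)
        Other host: Secondary - Standby Ready
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface management (0.0.0.0): No Link (Waiting)
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

POLL = re.compile(r"(Unit|Interface) Poll frequency (\d+) (\w+), holdtime (\d+) (\w+)")
HOST = re.compile(r"\s*(This|Other) host: (\w+) - (.+)")
IFACE = re.compile(r"\s*Interface (\S+) \(([\d.]+)\): (.+)")

def parse_show_failover(text):
    """Return timers, per-host interface states and the stateful link state."""
    out, host = {"timers": {}, "hosts": {}, "stateful_link": None}, None
    for line in text.splitlines():
        if m := POLL.match(line):
            out["timers"][m[1].lower()] = {"poll": (int(m[2]), m[3]), "hold": (int(m[4]), m[5])}
        elif m := HOST.match(line):
            host = m[1].lower()
            out["hosts"][host] = {"role": m[2], "state": m[3].strip(), "ifaces": {}}
        elif (m := IFACE.match(line)) and host:
            out["hosts"][host]["ifaces"][m[1]] = {"ip": m[2], "status": m[3].strip()}
        elif "Link :" in line:
            out["stateful_link"] = line.split(":", 1)[1].strip().rstrip(".")
    return out

def findings(parsed):
    """List the states from the thread that deserve a follow-up check."""
    notes = []
    for host, info in parsed["hosts"].items():
        for name, ifc in info["ifaces"].items():
            if "Waiting" in ifc["status"]:  # per the reply above: hellos not exchanged
                notes.append(f"{host}/{name}: {ifc['status']} (monitoring hellos not exchanged)")
            if ifc["ip"] == "0.0.0.0":
                notes.append(f"{host}/{name}: address 0.0.0.0 (no address shown for this unit)")
    if parsed["stateful_link"] == "Unconfigured":
        notes.append("stateful link unconfigured: connection state is not replicated")
    return notes

print("\n".join(findings(parse_show_failover(SAMPLE))))
```
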