Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5655
Views
0
Helpful
17
Replies

ASA Failover question

Go to solution
jvardhan29
Level 1
Level 1

‎12-27-2010 12:52 AM - edited ‎03-11-2019 12:27 PM

hi

1) if the AIP-SSM module is installed within the ASA firewall pair then for ASA failover to happen only the AIP-SSM hardware type needs to be same (i.e both should have say AIP-SSM-10) as mentioned in the below document or the software image also needs to  be same ?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

2) during the failover when the hello packets are sent from the failover interface of the ASA (say Primary) to the peer device (say secondary) are these hello packets initiated from the failover interface of one firewall or are these hello packets sent by the data interfaces to ther failover interafce (Gig0/3 of active) and then passed over to peer failover link(Gig0/3 of standby)  .I am curious to know if the data interfaces hello packets of active are sent directly to the data interface of standby (without any failover interafce in between ?)

eg:

failover interafce - Gig0/3

data interface - Gig0/1,0/2

Labels:
0 Helpful
17 Replies 17

Go to solution
fadlouni
Level 1
Level 1
In response to jvardhan29

‎01-05-2011 07:44 AM

Hi.

for point 1, yes, i believe pseudo standby would be the status.

for points 2/3, well probably Development didn't have crossover situation in mind as it's not recommended. but technically, the behaviour would depend on the situation.

if both crossover and a data interface fail, then a comparison is done and the one with more active links will take over. if only crossover fails, and later data fails, nothing will happen, etc..

but anyway, due to all the explanations provided by Poonguzhali and me about what to expect in all the different scenarios you proposed, we can already see it's a mess when you have crosscable as failover interface.

so for troubleshootability purposes, and simplifying things, just avoid crossover and use a switch in between.

Regards,

Fadi.

0 Helpful

Go to solution
jvardhan29
Level 1
Level 1
In response to fadlouni

‎01-12-2011 03:18 AM

hi fadi ,

thanks for answering , i was out away for few days . i understood the previous statement and thanks for the same  ! one last question which is related to your previous statment


2) sorry , but my question was more related to the benefit of the switch being used for FO interfaces


Fadi: so as an example, asa1 failover connected to fasteth1/1 on switch, asa2  failover connected to fasteth1/2 on switch. if asa1 failover interface goes down, only fasteth1/1 on switch goes down. however fasteth1/2 is still up and so failover of asa2 is up. then failover will happen after the enchancement bug fix (asa2 has more healthier interfaces).


Jayesh: so that means when we consider the healthier interfaces the failover link is also considered as one of them ?

0 Helpful

Go to solution
fadlouni
Level 1
Level 1
In response to jvardhan29

‎01-12-2011 03:40 AM

yes. it's considered in the healthy list.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card