04-26-2017 07:04 AM - edited 03-12-2019 02:16 AM
Hello, can an ASA 5515-X and a 5525-X firewall be configured as a failover pair? I read that they must be identical platforms. Does anyone have an explanation?
Thank you!
Brett
04-26-2017 07:45 AM
What you read is correct, the platforms must match.
04-26-2017 08:28 AM
Thanks, Collin!
I have another question: is it possible to set these firewalls up in pairs using HSRP and OSPF to create a redundant inter-site link? There will be a pair of 5515-X/5525-X at location A linking to an additional set of 5515-X/5525-X at location B. I would like all traffic to traverse between locations using the 5525-X pairs over a VPN; however, if one of the primary firewalls fails or the link between them is down, I would like the set of 5515-X firewalls to carry the traffic and revert back once the original failure is corrected.
04-26-2017 08:45 AM
HSRP is not supported on the ASA. You could do some IP SLA/tracking to achieve the failover. Could you do a 5515 pair at one site and a 5525 pair at the other, or are you concerned about the throughput of the 5515?
04-26-2017 09:04 AM
Is IP SLA best configured to point to the remote firewall for tracking state?
Is OSPF a better option, given that it would provide firewall and link redundancy, i.e. the primary can route through the secondary if the primary link fails? If so, I am using VPNs to connect the two sets of firewalls. Would OSPF need to be set up to use directed unicast instead of multicast for neighbor communication over the VPN?
Thanks, Collin!
04-27-2017 09:53 AM
There is the rub. The ASAs will not establish a (routing) peering relationship across the VPN tunnel. You'll have to create a GRE tunnel between a router at each site and then peer across that. The VPN tunnel is just a transport. Routing across VPN tunnels with redundancy can be a PIA. The IGP really doesn't matter.