There is the rub. The ASA's

Brett Martin · ‎04-26-2017

Hello, Can an ASA 5515-x and 5525-x firewall be configured as failover pairs? I read they must be identical platforms? Anyone have an explanation?

Thank you!

Brett

Collin Clark · ‎04-26-2017

What you read is correct, the platforms must match.

Brett Martin · ‎04-26-2017

Thanks Collin!

I have another question, is it possible to set these firewalls up in pairs using HSRP and OSPF to create a redundant inter-site link? There will be a pair of 5515-x/5525-x at location A linking to an additional set of 5515-x/5525-x at Location B. I would like all traffic to be traversing between locations using the 5525-x pairs over a VPN, however, if one of the primary firewalls fail or the link between them is down, I would like the set of 5515-x firewalls to carry traffic and revert back once the original failure is corrected.

Collin Clark · ‎04-26-2017

HSRP is not supported on the ASA. You could do some IPSLA/tracking to achieve the failover. Could you do a 5515 pair at one site and 5525 at another or are you concerned about the throughput in the 5515?

Brett Martin · ‎04-26-2017

Is IPSLA best to be configured to point to the remote firewall for tracking state?

Is OSPF a better option for the fact that this would provide firewall and link redundancy--i.e. primary can route through secondary if primary link fails? If so, I am using VPN's to connect the 2 sets of firewalls. Would OSPF need to be setup to directed unicats vs multicast for neighbor communications over VPN?

Thanks Collin!

Collin Clark · ‎04-27-2017

There is the rub. The ASA's will not establish a (routing) peering relationship across the VPN tunnel. You'll have to create a GRE tunnel between a router at each site and then peer across that. The VPN tunnel is just a transport. Routing across VPN tunnels with redundancy can be a PIA. IGP really doesn't matter.

ASA Failover support