Hi

Everything is the same, same box same RAM, same OS.

Is there anything on the CLI I shoudl look out for when inplement failover with sub interfaces? or will it work excatley the same was as with phsysical interfaces

It works exactly the same as physical interfaces.

But 2 things to note here:

>> If you try to use a sub interface as a failover interface, its gonna give you an error:

"Can not configure failover interface on a shared physical interface"

This is because you can only use an unused Ethernet interface on the device as the failover link; and you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface. It exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the stateful failover link)

>>Also, note that monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.So if you want to monitor your sub interface, you will have to explicitly configure it using the command: monitor-interface

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1636148

What i mean is:

If gi0/1 is the physical interface

ciscoasa1(config)# int g0/1

ciscoasa1(config-if)# exit
ciscoasa1(config)# int  g0/1.1

ciscoasa1(config-subif)# vlan 10
ciscoasa1(config-subif)#  exit
ciscoasa1(config)# failover link failover GigabitEthernet0/1.1

INFO: Non-failover interface config is cleared on GigabitEthernet0/1 and its  sub-interfaces

This works fine..... the physical interface is not being used for anything else.

But, if u configure a name for the physical interface:

ciscoasa1(config)# int g0/1
ciscoasa1(config-if)# nameif  test
INFO: Security level for "test" set to 0 by  default.
ciscoasa1(config-if)# exit

ciscoasa1(config)# int  g0/1.1

ciscoasa1(config-subif)# vlan 10
ciscoasa1(config-subif)#  exit
ciscoasa1(config)# failover link  failover GigabitEthernet0/1.1
ERROR: Can not configure failover interface on  a shared physical interface

Message was edited by: Manisha Mandekar

You mentioned you are using a physical interface for failover.

Failover should work fine if you use sub-interfaces  for data.

The recommendation is that if you use the failover interface for state as well then, make sure it is as fast as the fastest data interface.

This means that when you use gig interfaces for inside and outside try NOT TO use a fast ethernet port for failover and state.

Refer our failover guide link here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077627

sampel failover config act/standby here:http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1028629

-KS

Hi All

What I will have is one interface for failover (failover interface)

Than sub interfaces for passing data with a standby address on the sub interfaces. This is not part of the same failover interface.

That is what I thought. Thanks for confirming.

Happy failover configuring

-KS

my config will look like this

interface Ethernet0/1
description trunk port

no shutdown
!
interface Ethernet0/1.1
description LAN
vlan 1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2 no shutdown
!
interface Ethernet0/1.2
description DMZ

vlan 2
nameif DMZ
security-level 50
ip address 10.10.11.1 255.255.255.0 standby 10.10.11.2

no shutdown

interface Ethernet0/2
no shutdown

failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key cisco123

failover link failover Ethernet0/0
failover interface ip failover 10.10.12.1 255.255.255.252 standby 10.10.12.2

is this correct?

thats what I had before and it failed.....

I'm trying it again within the hour and I'll post my findings, coz it is very very strange

thanks guys for your help

as I suspected it was noty a firewall issue. It was with the swiytching side.

thanks again