04-01-2008 07:00 AM - edited 03-11-2019 05:25 AM
hello
We have 2 5550 ASAs in active-standby mode; please see the attached diagram.
The ASAs' LAN Failover, Stateful Failover and Inside interfaces all physically connect into Cisco Catalyst 6500s.
We're about to test the resilience of our network design by powering off one of our 6500s. If ASA A was active and 6500 A was powered off, what would happen regarding failover?
The inside (monitored) interface and the LAN failover interface on ASA A both patch into 6500 A, which has been powered off. Does failover to ASA B happen because a monitored interface (inside) is down, or is there no failover because a failover link (LAN Failover) failed during operation?
Any insight appreciated.
andy
04-01-2008 07:46 AM
Hey, it's so funny that I am actually doing the same thing now and we posted a similar scenario.
Anyway, the way it works is it will monitor the interfaces you specify. If one of your interfaces detects a link down (and it is specified as an interface that you are monitoring on the firewall), it will automatically force the secondary ASA to become active.
04-01-2008 07:52 AM
Thanks for the reply. The problem is that if the 6500 connected to the primary ASA loses power, then the primary ASA Inside, LAN Failover and State Failover interfaces will all go down at the same time.
So the question is: does failover occur because the primary ASA inside interface goes down, or is there no failover because the LAN Failover interface went down during operation?
Thanks
andy
04-01-2008 09:34 AM
Hey, can you show me what your config looks like for the active and secondary ASAs? I'm still having trouble with the failover times.
Thanks
04-01-2008 07:48 AM
Let me know how long your failover takes, because right now my failover takes about a minute to recover when sourcing a ping from the inside to any internet site.
A ping to the firewall shows about 2-4 dropped pings before the secondary becomes active. I am not sure if this is normal behavior, but since you are doing a similar test, let me know what your results are.
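The post above measures failover time by counting dropped pings. The following is an added example, not code from the thread or from Cisco: a small Python helper that reads saved `ping` output (Linux-style lines with `icmp_seq=`), finds the gaps in the answered sequence numbers, and reports how many probes were lost and roughly how long each outage lasted at the probe interval used. The sample output embedded below is constructed to show a three-second gap during a failover test; the target address and the one-second interval are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Linux "ping" output at a 1-second interval (not a real capture).
# Replies for icmp_seq 4-6 are missing, which is what a short failover outage looks like.
SAMPLE_PING = """\
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.41 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.39 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.40 ms
64 bytes from 10.1.1.1: icmp_seq=7 ttl=255 time=0.44 ms
64 bytes from 10.1.1.1: icmp_seq=8 ttl=255 time=0.42 ms
64 bytes from 10.1.1.1: icmp_seq=9 ttl=255 time=0.40 ms
64 bytes from 10.1.1.1: icmp_seq=10 ttl=255 time=0.41 ms

--- 10.1.1.1 ping statistics ---
10 packets transmitted, 7 received, 30% packet loss, time 9012ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def answered_sequences(output: str) -> List[int]:
    """Return the icmp_seq numbers of every reply line, in the order seen."""
    seqs: List[int] = []
    for line in output.splitlines():
        # Only reply lines carry "bytes from"; header/summary lines are skipped.
        if "bytes from" not in line:
            continue
        match = SEQ_RE.search(line)
        if match:
            seqs.append(int(match.group(1)))
    return seqs


def outages(output: str, interval: float = 1.0) -> List[Tuple[int, int, int, float]]:
    """Find gaps between consecutive answered sequence numbers.

    Each outage is (first_missing_seq, last_missing_seq, probes_lost, approx_seconds).
    Duration is estimated as probes_lost * interval, so it is only as fine-grained
    as the ping interval; probes lost at the very end of the capture (no later
    reply to bound the gap) are not counted.
    """
    seqs = answered_sequences(output)
    gaps: List[Tuple[int, int, int, float]] = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            lost = cur - prev - 1
            gaps.append((prev + 1, cur - 1, lost, lost * interval))
    return gaps


def summarize(output: str, interval: float = 1.0) -> Dict[str, float]:
    """Roll the outages up into the numbers people usually compare after a failover test."""
    gaps = outages(output, interval)
    return {
        "answered": len(answered_sequences(output)),
        "outages": len(gaps),
        "lost": sum(g[2] for g in gaps),
        "longest_seconds": max((g[3] for g in gaps), default=0.0),
    }


if __name__ == "__main__":
    # Usage: ping -i 1 <firewall-inside-ip> > ping.log, then feed the file's contents here.
    for first, last, lost, seconds in outages(SAMPLE_PING):
        print(f"outage: icmp_seq {first}-{last}, {lost} probes lost, ~{seconds:.1f}s")
    print(summarize(SAMPLE_PING))
```

Run the ping against the firewall's inside address during the switch power-off and again against an internet host, then compare the two `longest_seconds` values; the difference between them separates the ASA's own failover time from routing or ARP convergence elsewhere in the path.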
04-01-2008 07:56 AM
We've already conducted some testing by manually failing over the ASAs, and we aren't dropping any packets. Do you have Stateful Failover configured for your ASAs?
andy
04-01-2008 07:58 AM
Yes, I do have stateful configured; however, I do not have any of the interfaces terminated onto a secondary switch. I just have straight cables connecting the firewalls. I guess it would make more sense to create a separate VLAN on the switch for this purpose. I guess I'll have to do that instead to see how that works out.