Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
0
Helpful
4
Replies

ASA Port redundancy question

Dustin Barnett
Level 1
Level 1

‎03-30-2012 08:57 AM - edited ‎03-11-2019 03:49 PM

We have a ASA 5510 with a hardware web filter device between the inside interface and our LAN switch. The web filter recently failed after hours and we had to physically remove the device to restore connectivity to the lan, so I'm trying to come up with a way to avoid having to be onsite if it fails again in the future.

Would setting up a port redundancy with one cable going to the filter, and one directly to the switch work? Not sure when a port is considered down, when the device failed the network status lights were still lit.

Or

A cable directly between the ASA and switch, with the interface on the ASA disabled until needed. With this option I was thinking someone could log in to the ASA from the outside interface and manually change the IP settings and name on the interface.

Thanks

Labels:
0 Helpful
4 Replies 4

Amit Rai
Level 1
Level 1

‎04-02-2012 12:31 PM

you should connect a cable between your switch and the ASA and configure the port failover on the switch so that when the port is unable to go out through the web filter it should failback to the port directly connected to the ASA

0 Helpful

Dustin Barnett
Level 1
Level 1
In response to Amit Rai

‎04-02-2012 05:20 PM

That sounds good. Do you know if I can configure the ASA to automatically use the new cable coming from the switch? I'm thinking I'll have to log in and reconfigure the interface name and IP address.

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to Dustin Barnett

‎04-02-2012 11:16 PM

Put the two ports at each end in a port channel and shut the port that has NOT got the web filter between the ASA and the switch. In a web filter fail scenario, open the redundant link. this way you dont have to play around with like HSRP, also the ASA's dont support spanning tree so there is no automated L2 fail over mechanism available.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

sean_evershed
Level 7
Level 7
In response to Dennis Mink

‎04-03-2012 03:07 AM

Hi,

Another alternative is to remove the web filter from between the switch and the firewall.

Connect both the firewall and filter to the same switch.

Use WCCP to direct traffic to the filter.

This will minimise the impact of the web filter failure on your network.

See below a configuration example

https://supportforums.cisco.com/docs/DOC-12623

Don't forget to rate posts that are helpful.

Cheers

Sean

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card