10-29-2012 12:31 AM - edited 03-11-2019 05:15 PM
Hi All,
I have the attached setup in the network. All the ASA interfaces are being used for data traffic, even the management interface (not for management purposes). Also we have an AIP-SSM-20 placed in the ASA 5510 which is configured and working fine.
Right now we are planning to have one more ASA for redundancy purposes. We are planning to replace the 5510 with a 5520, so we will be having two 5520s with one AIP-SSM-20.
Please clarify the below:
1) The ASA 5520 has only 4 interfaces and a management interface. In this scenario, if I assign all the interfaces as in the above setup, I am left with no interface to configure failover and stateful failover. How do I configure failover & stateful failover? What would be the best way to achieve this with the ASA 5520?
2) What would be the best way to connect both ASA 5520s with the 4503-1 & 2 for redundancy?
Thanks for your time and help
10-29-2012 06:59 AM
Hi,
You will need one interface on the ASAs for the Failover link.
The Stateful failover link can be on
Personally I have always used the same interface as the actual Failover interface. The ASAs have either been directly connected in the same datacenter or connected with fiber/ethernet between 2 different datacenters through some other devices.
You can Google for ASA 8.2 configuration guide (etc.) to find a PDF document that should have most if not all the information you need to configure Failover. I also suggest getting the Command Reference for the same software if you need to check the command format and some basic guidelines in using the command in question.
- Jouni
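As an added illustration (not Jouni's own configuration), here is an ASA 8.2-style failover setup for the primary unit that carries both the LAN failover link and the Stateful Failover link on one physical interface, and wins back data ports by trunking two of the original networks as VLAN subinterfaces. Interface numbers, names, VLAN IDs and addresses are assumptions.

```cisco
! Primary unit. The secondary unit needs only the failover commands below
! (with "failover lan unit secondary"); the rest of the configuration
! replicates from the active unit over the failover link.
interface GigabitEthernet0/3
 description Failover + Stateful link, direct cable to the peer ASA
 no shutdown
!
! One dedicated interface for failover; the stateful link shares it.
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret (placeholder) so failover and state traffic are encrypted
! and a rogue device cannot inject failover messages.
failover key <shared-secret>
failover
!
! Data interfaces: every nameif gets an active and a standby address so
! the peer takes over the same addresses. Two networks that used to sit on
! separate FastEthernet ports of the 5510 now ride one 802.1Q trunk.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the 4503 core
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
```

The matching switch ports on the 4503 must be configured as 802.1Q trunks carrying VLANs 10 and 20; `show failover` on either unit confirms the active/standby roles and that the stateful link is up.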
10-29-2012 01:18 AM
Hi,
If I'm not mistaken, for failover to work you will need identical hardware on the ASAs. I would presume that this means additional modules also. Better confirm this though.
To my understanding, since you are moving from the ASA5510 to the ASA5520 you will get GigabitEthernet ports to use instead of FastEthernet. You could always just combine some of your current interfaces to be on the same physical interface as subinterfaces (trunk). I presume the 4503 side also has GigabitEthernet ports available?
In a typical scenario each ASA would be connected to its own core device and directly connected to each other for failover. I guess both ASAs would be connected to the 4506-1.
- Jouni
10-29-2012 03:07 AM
If I'm not mistaken, for failover to work you will need identical hardware on the ASAs. I would presume that this means additional modules also. Better confirm this though.
I am not looking for failover on the AIP SSM-20 module as we are not adding an SSM module in the secondary ASA.
To my understanding, since you are moving from the ASA5510 to the ASA5520 you will get GigabitEthernet ports to use instead of FastEthernet. You could always just combine some of your current interfaces to be on the same physical interface as subinterfaces (trunk). I presume the 4503 side also has GigabitEthernet ports available?
Thanks for the info... Do you have any supporting docs or sample configs?
In a typical scenario each ASA would be connected to its own core device and directly connected to each other for failover. I guess both ASAs would be connected to the 4506-1.
I have noticed the above note from Cisco. As per Cisco, connecting each ASA to its own core is not recommended. Please see it.
Thanks
10-29-2012 03:20 AM
Hi,
Regarding the module: what I meant was that, to my understanding, when configuring an ASA failover pair the devices need to be identical when it comes to the hardware. I guess mainly this just means the same ASA model and the same RAM setup, but from what I understand this would also mean extra modules for ASA models. I will have to check that.
Regarding connecting the ASAs: I think the Cisco document refers to the actual failover (LAN) interface. It shows that you should keep the failover separate from the links where the actual data is transmitted. As I said, I'd rather connect the failover interfaces directly and keep them separate from the rest of the actual network, as the Cisco document shows (the way this is done of course depends on the location of the devices: same space or separate datacenters).
- Jouni
10-29-2012 03:22 AM
Hi,
Here's information from the Cisco ASA 8.4 configuration guide regarding failover hardware requirements:
Hardware Requirements
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
- Jouni
10-29-2012 03:30 AM
Hi,
Thanks
So the failover/stateful interfaces should be connected to each other directly, and all the rest are connections to their own core switch.
We are planning to have either 7.2(3) or 8.2(5) on the ASA 5520. I think we need to purchase one more SSM-20 in order to make failover work between the ASA 5520s.
10-29-2012 10:45 PM
Thanks
I will refer to the 8.2 documentation and do it.
11-01-2012 12:16 AM
Hi,
Can we do failover between the AIP-SSM-20s also?
Do we need to configure different IPs on the AIP-SSM-20s? Will the signatures replicate to each other?
What would be the best way to have both AIP-SSM-20s in the ASA 5520s?
Thanks
11-01-2012 02:42 AM
Hi,
I don't really know about that.
I got the impression from earlier discussions on these forums that the ASA modules don't really have a failover between them. That it would be up to the admin to keep them both at identical configurations so that when the actual ASA failover happens there are no differences in the configurations/operations of the device/module.
But you should probably wait for a confirmation from someone who knows better. I haven't really used any other modules on the ASAs other than the 4GigabitEthernet port module, which only brings more physical ports to the ASA.
- Jouni
11-01-2012 02:56 AM
Yes, Jouni is absolutely correct. The AIP modules don't have failover between them; they act as independent modules. Hence they would need to have a different IP address on each module, and signatures won't replicate, so you would need to update the signatures on both modules independently.
11-01-2012 03:40 AM
Thanks both, really appreciated.
In the meantime I have a couple of other questions.
1) Since I have to migrate all the configuration to the new ASA 5520 units, I am wondering whether there is a possible way to copy the entire configuration, including certificates, from the ASA 5510 to the 5520:
NAT
IPsec tunnels
Certificates (SSL VPN authentication certificate from GeoTrust), etc.
Is there any way I can copy the entire configuration from the 5510 to the 5520, including the above?
Thanks for your response.
11-01-2012 04:13 AM
Yes, you can use ASDM to backup the whole config, including the certificates.
From ASDM --> Tools --> Backup Configurations.
Here is what you can back up:
11-01-2012 04:39 AM
Thanks for the response.
I don't see the backup configurations option in ASDM. I am running ASDM 5.2 with 7.2(3). Is there any other way to get it?
So as you said, it is possible to copy and paste the entire configuration from the 5510 to the 5520, is that right?
11-01-2012 01:44 PM
That backup and restore feature from ASDM is only available from ASDM version 6.1, which supports ASA version 8.0.
It seems you are using an earlier version which doesn't support that feature.
You can copy and paste the configuration, but make sure that you don't copy and paste the encrypted passwords. If you have VPN configured, normally the pre-shared key is not displayed.
I would suggest that you copy the configuration section by section, not just copy the entire config and paste it. You can save a copy of the config to a TFTP server in a text file, so at least you have a whole config.
To export the certificate, you can use the command: crypto ca export
To import the certificate, you can use the command: crypto ca import
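Added as an illustration of the two commands named above (not the respondent's own configuration); the trustpoint name and passphrase are assumptions. The PKCS12 export carries the identity certificate, its private key and the CA chain, which is what the SSL VPN needs on the new unit.

```cisco
! On the ASA 5510: export the GeoTrust trustpoint (name assumed) as PKCS12.
! The passphrase (placeholder) protects the private key inside the base64
! blob that is printed to the terminal; keep that blob as secret as the key.
crypto ca export GEOTRUST-TP pkcs12 <export-passphrase>
!
! On the ASA 5520: paste the exported blob at the prompt, then type "quit".
crypto ca import GEOTRUST-TP pkcs12 <export-passphrase>
!
! Re-bind the imported certificate to the interface the SSL VPN listens on.
ssl trust-point GEOTRUST-TP outside
!
! Verify the certificate and its key landed before cutting over.
show crypto ca certificates GEOTRUST-TP
show crypto key mypubkey rsa
!
! For the copy-and-paste migration: "show running-config" masks IPsec
! pre-shared keys as *****, while this form prints them in clear text, so
! take it over console or SSH and do not leave the output on a TFTP server.
more system:running-config
```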