Re: ASA5500 HA

mohammedrafiq · ‎02-25-2011

Hi,

We will like to achive HA between two datacentres.Please see an attached topology diagram.Our ASA will be connected through Pair of Nexus, and if the WAN link broke between two datacentres, how will ASA will detect the failure because local link between ASA and local swich will be always up.

Regards,

sean_evershed · ‎02-25-2011

Hi, Do you mean an active/standby failover pair of ASAs? If so this topology may not work since the recommnedation is that they should have a LAN based failover connection. See the reference below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051745

The failover link for the two firewalls should also be on the same VLAN.

mohammedrafiq · ‎02-25-2011

Hi Sean,

I forgot to mention that both links betwwen datacentres are layer2, and we can extend VLAN.

Regards,

mirober2 · ‎02-25-2011

Hi Mohammed,

In addition to monitoring the state of the interface (i.e. up or down), ASAs in a failover pair also exchange hello messages. Therefore, even though the link to the local switch is up, the mate will never receive the hello packet and the unit who sent it will never receive a response. This exchange is how the ASAs know they've been cut off from their mate.

This link contains more details about how the ASAs do their health monitoring:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010

You may also want to review the recommended scenarios for connecting the failover links:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1096444

Hope that helps.

-Mike