06-29-2012 10:22 AM - last edited on 02-13-2020 12:58 PM by Kelli Glass
With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring, troubleshooting and best practices for failover on the Adaptive Security Appliance (ASA) and the Firewall Services Module (FWSM) with Prashanth Goutham.
The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
07-03-2012 09:13 PM
Hello Prashanth,
I have a quick question for you. Why is it recommended to have a switch in between the firewall pair rather than connecting them directly, even though it is going to work fine anyway?
thanks a lot,
- John
07-04-2012 12:10 AM
Hello John,
I believe you are talking about the failover LAN interface connectivity, which can be of two types:
--- Back to back.
--- With an intermediary switch.
I would say the second option is better, as it is easy to segment and isolate faults on a production network. Consider the scenario below:
Your firewalls are connected back to back with a crossover cable, you have a live firewall, and you start experiencing failover-related issues on your FO LAN port. What would you do to determine whether it is a cable or a firewall interface issue, and if it is an interface issue, which interface? Because if one interface goes down it pulls the peer interface down as well, to line protocol down. This is tricky: you would need to manually test all the components separately using another directly connected device to see which component is faulty, or replace all units to restore services.
In the case of the second option we can clearly eliminate components, as the switch is in between. I think it is also explained in the configuration guide here:
"When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down."
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html
Hope that helps. Have a good day !
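As an added example, not part of the original thread or Prashanth's reply, here is the Active/Standby failover configuration the answer above describes: the failover LAN link and the stateful link each go through a dedicated switch VLAN instead of a crossover cable, so when one unit's port fails only that unit's link to the switch drops and the switch port status shows which side failed. Interface names, VLAN numbers, IP addresses, the shared key and the timer values are assumptions for illustration.

```text
! ===== ASA primary unit (assumed interface names and addresses) =====
failover lan unit primary
! Failover control link; peer reaches it through the switch, not a crossover cable
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Separate stateful link so connection-state replication does not compete with hello packets
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
! Authenticate and encrypt failover messages; the key must be identical on both units (assumed value)
failover key F0-sh4red-s3cret
! Assumed tuning: 1 s unit hellos, peer declared failed after 3 s without a hello
failover polltime unit 1 holdtime 3
failover
!
! ===== ASA secondary unit =====
! Only the lines below are typed on the secondary; everything else is replicated from the primary
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
failover key F0-sh4red-s3cret
failover
!
! ===== Intermediary switch (Catalyst IOS, assumed port numbers) =====
! One dedicated VLAN per link, nothing else in it; portfast so the link comes up without STP delay
vlan 998
 name ASA-FOLINK
vlan 999
 name ASA-STATELINK
interface range GigabitEthernet1/0/1 - 2
 description ASA primary / secondary FOLINK
 switchport mode access
 switchport access vlan 998
 spanning-tree portfast
interface range GigabitEthernet1/0/3 - 4
 description ASA primary / secondary STATELINK
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! ===== Verification =====
! On either ASA: unit state, peer state and the failover interface status
show failover
! On the switch: with the switch in the path, a failed ASA port shows "notconnect" only on its own
! switch port, while the peer's port stays "connected", which is the isolation the reply describes
show interfaces status
```

If the switch ports stay up on both sides while the ASAs still report the failover interface as failed, the problem is in the failover VLAN or the key/IP configuration rather than in a cable or an ASA interface; that is the fault isolation a back-to-back cable cannot give you.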
07-04-2012 09:43 PM
Thanks, Prashanth, for the detailed info.
07-04-2012 10:20 AM
Hello Prashanth,
Please can you check/confirm whether, in a Cisco ASA Active/Standby clustering environment, the self-signed generated certificate used for SSL VPN remote access is replicated or NOT to the STANDBY unit?
The following doc indicates that "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated", but testing in the lab with version 8.4.4 gives a different result: the self-signed certificate of the active ASA is replicated to the standby.
https://supportforums.cisco.com/docs/DOC-12969
Q. Are digital certificates replicated in an Active/Standby configuration?
A. Yes. Third-party digital certificates (i.e. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.
However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.
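The thread ends before the question is answered. As an added example, not part of the original post or the quoted FAQ, here is how to settle it on your own pair: generate the self-signed identity certificate on the active unit, then compare what each unit actually holds. Note that the "Local/onboard CA" in the quoted FAQ is the ASA's own certificate server (crypto ca server), which issues user certificates; that is a different object from a self-signed identity certificate created with enrollment self, and the checks below cover only the identity certificate. The trustpoint name, key label and CN are assumptions.

```text
! ===== On the active unit: self-signed SSL VPN identity certificate (assumed names) =====
crypto key generate rsa label SSLVPN-KEY modulus 2048
crypto ca trustpoint SSLVPN-SELF
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
crypto ca enroll SSLVPN-SELF noconfirm
ssl trust-point SSLVPN-SELF outside
! Save; configuration replication to the standby happens on write memory in Active/Standby
write memory
!
! ===== Compare the two units without leaving the active unit =====
! The serial number and subject shown here must be identical on both units; a differing or
! missing certificate on the mate means the standby would present something else after a failover
show crypto ca certificates SSLVPN-SELF
failover exec mate show crypto ca certificates SSLVPN-SELF
! The certificate is useless without its private key: confirm the key pair exists on the mate too
show crypto key mypubkey rsa
failover exec mate show crypto key mypubkey rsa
! And confirm the SSL trustpoint binding was replicated
show running-config ssl
failover exec mate show running-config ssl
```

If the certificate and key pair appear on both units with the same serial number, replication of the self-signed identity certificate is working on your release regardless of what the FAQ says about the Local CA; if only the certificate appears but not the key pair, regenerate on the active unit and save again before trusting a failover.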