Cisco ASA failover

Network Pro · ‎11-01-2012

hi,

i am trying to setup a failover pair on Cisco asa 5520 - need a statefull failover

Do i need two ports dedicated to obtain the above - one for LAN based failover and one for statefull failver ? also do i need a switch in between to connect them ?

could you please help me with a config ?

Thanks

Karsten Iwen · ‎11-01-2012

You can combine both funtions (LAN-link and stateful link) on one ethernet-link. That is quite common and works well on a 5520. A crossover-cable is supported on the ASA for that functionality.

All you need is in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Network Pro · ‎11-02-2012

Thanks Karsten. Just wondering is there any drawbacks by using just 1 link ? because we this is a vpn termination unit and essentially needs to be up 24/7

Karsten Iwen · ‎11-02-2012

For the 5520 there is no real drawback when you use one of the Gig-links for the FO-traffic (the 5510 supports a 100 MBit/s link for FO, but on the ASA you shouldn't use the m0/0-interface). Only on the high-end-systems it is imnportant to use a link that is fast enough to send all the state-changes to the standby-unit.

To increase the availability of this important link you could use the redundant-interface feature or even a port-channel for FO.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Network Pro · ‎11-02-2012

so does the failover link should be differennt from the statefull link (just for statefull info to pass through?)

Karsten Iwen · ‎11-02-2012

so does the failover link should be differennt from the statefull link (just for statefull info to pass through?)

no, the 5520 has no problems to provide both functions through one physical link.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Network Pro · ‎11-06-2012

thanks i will try this

Network Pro · ‎12-12-2012

Hi,

just a quick question. Do i need to use a seperate switch for the cables coming from the outside interface and inside interface (i mean a cable will be coming out of each firewall for hte outside interface and inside interface that will go into a switch, isnt it ? so do i need to use two seperate switches - one for inside pair and other for outside pair? or can i use hte same switch and vlan off. also i have dmz setup so i need a another switch for this dmz as well ?)

Thanks

Karsten Iwen · ‎12-12-2012

Technically, that can be done. Just use different VLANs for inside, outside and DMZ. But it's not a best practice to use the same switch for inside and outside. If your switch has a bug or misconfiguration, it is possible that you directly connect you inside network with the internet. The firewall would be bypassed in that case. So better use your existing switch for inside and buy an 8-port-switch or something like that for outside.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Network Pro · ‎12-12-2012

Thanks for hte quick reply karsten but for dmz do i need another one as well ?

Karsten Iwen · ‎12-12-2012

if you are paranoid, yes!

But many times that interface is shared on the outside- or inside-switch.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Network Pro · ‎12-12-2012

Thanks Karsten