04-03-2011 09:09 PM - edited 03-11-2019 01:16 PM
Hi There
I need some advice please. Currently, my customer has 2 units of Cisco PIX 515E running in Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E, i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I tested this before, a few years back: in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly become Active/Active and cause network issues.
Can someone confirm this please? Are switches required for the heartbeat link in a Cisco ASA environment, or can a direct UTP cross cable connection be adequate?
Regards,
Ram
04-03-2011 10:03 PM
You can use either of the 2 methods, as there is no issue with either of them.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551
Please also note:
The adaptive security appliance supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
Hope that helps.
04-03-2011 10:06 PM
Hi Jennifer
Thank you so much for your kind feedback, as always. I understand that both methods work. In fact, I just saw this statement in this URL as well: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html
However, which one of these methods is classified as Cisco's best practice? Are both methods Cisco's best practice, or the method with the switch in between both the firewalls' heartbeat link?
Regards,
Ram
04-03-2011 10:12 PM
Best practice would be to use a switch because it would be easier for troubleshooting purposes when you investigate failure, as the switch port will tell you that there is an interface failure.