Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3053
Views
0
Helpful
3
Replies

Cisco ASA Heartbeart Failover (Direct Connection)

Go to solution
Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎04-03-2011 09:09 PM - edited ‎03-11-2019 01:16 PM

Hi There

I need some advice please. Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.

My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?

I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.

Can someone confirm this please? Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam
Labels:
Preview file
41 KB
Preview file
41 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ramraj Sivagnanam Sivajanam

‎04-03-2011 10:12 PM

Best practise would be to use a switch because it would be easier for troubleshooting purposes when you investigate failure, as the switch port will tell you that there is an interface failure.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎04-03-2011 10:03 PM

You can use any of the 2 methods, as there is no issue with any of them.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551

Please also note:

The  adaptive security appliance supports Auto-MDI/MDIX on its copper  Ethernet ports, so you can either use a crossover cable or a  straight-through cable. If you use a straight-through cable, the  interface automatically detects the cable and swaps one of the  transmit/receive pairs to MDIX.

Hope that helps.

0 Helpful

Go to solution
Ramraj Sivagnanam Sivajanam
Level 4
Level 4
In response to Jennifer Halim

‎04-03-2011 10:06 PM

Hi Jennifer

Thank you so much for your kind feedback, as always. I understand that both method works. In fact, I just saw this statement in this URL as well http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html

However, which one of these method is classified as Cisco's best practise? both methods are Cisco's best practise or the method with the switch in between both the Firewall's heartbeat link?

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ramraj Sivagnanam Sivajanam

‎04-03-2011 10:12 PM

Best practise would be to use a switch because it would be easier for troubleshooting purposes when you investigate failure, as the switch port will tell you that there is an interface failure.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card