Thks kishore....,

Definately i will be using HSRP at L3 swiches for my end users.

For internet traffic from L3-swicthes i want to use dynamic routing protocol

But the issue is this scenarios i have tested in demo lab,,,, but the failover is happening but i am not able to ping asa ips after failover and eigrp is flapping continuosly...

kindly help

See , i wll brief  u more

In normal scenarios , traffic flow is

core switch 1 ----primary ASA-------wan router 1-----internet

Now suppose e.g outside interface of primary asa got down, failover happnes

The secondary ASA becomes primary and config are in syn that i m sure.

now after faiolver ,traffic flow is

core switch 1 ----- core switch 2---- secondary asa---wanrouter 2---- wan router1-------internet

but i am not even able to ping seconadry asa(which is now primary) from core switch 2.

And i am  using separate /30 subnet mask in each segment . Also no using any vlans anywhere.

Shekhar,

core switch 1 ----- core switch 2---- secondary asa---wanrouter 2---- wan router1-------internet

The traffic will not go from wanrouter2 --wanrouter1 unless they are direclty connected or using a L2 switch which is not in your diagram.

but i am not even able to ping seconadry asa(which is now primary) from core switch 2.
And i am  using separate /30 subnet mask in each segment . Also no using any vlans anywhere.

When you ping the ASA from core switch 2 what source ip address are you using?

do a sh ip cef on the core switch 2. Do you see any result? what outgoing interface does the core switch 2 show? you can paste results here

What is the GW address on the core switch 2?

Also you said no vlans anywhere . what do you mean? The link between the ASA and coreswitch cant be /30 if you want them to use keepalives to talk to each other

Hope these questions help you a bit more.

Actually

1) wan routers are also conncted back 2 back. I forgot to show in the diag.

2)Source ip is the ip configured on the routed port od core-swithc which is going to secdry asa. ,outgoing interface used by core-switch 2 is interface going to secomdary ASA. Gateway address is inside interface ip of Cisco ASA which after failover secondary asa is holding.

3)sh ip cef . this result i will share with u after some time.

4)not understood ur /30 concept

Hi shekar.

4)not understood ur /30 concept

What I meant here was you cannot use routed ports between the ASA and the core switch if you want Active/Stanby for the ASA.. The port on the switch needs to be a Layer 2 port. If you used routed port then ASA didn't failover ,its just the routing that failed over. The easiest way to check is to type " sh failover state" on the ASA and you can see it.

Hope this helps, let me know if want more info.

Kishore

No Kishore,

After failover, I have verified with " sh failover state" , secondary unit is properly taking the primary role.The config. are in sync.

But the only point is I am not able to ping .

Also one more thing , before faiolver EIGRP neigboship is up b/w core-sw1 & primary asa and traffic is moving properly.

And there is no eigrp neignbshp b/w core-sw2 & secndry asa. This is the way it should work.

Now , after failover,,

Eigrp neigbourship  b/w core-sw1 & primary is going down, and eigrp neignbshp b/w core-sw2 & secndry asa is up

Thts means faiolver is happening properly.

But eigrp is flapping evry  2-3 seconds , and i am not getting even a single ping respnse b/w core-sw2 & secndry asa.

Also i am not able to ping b/w core-sw1 & primary asa

Shekhar,

Does your network look something like this? I mean R1 and R2 are the core switches.

I assume its like the one above as in your original diagram you didnt show the links properly..  

Anyway, in short its not going to work. Let me explain you why.

1. Say you are using 192.168.1.1/30 on the core swith1  interface and 192.168.1.2/30(mac address aa:aa:aa:aa:aa) on the ASA1.  The eigrp neighbor relationship is formed and life is good because they  are on the same subnet and the ASA is active

2. Now same on the right hand side say you are using  172.16.1.1/30 on coreswitch 2 interface and 172.16.1.2/30 on the ASA2  interface .It doesnt form neighbor relationship because its standby.

When the link between ASA1 and WANrouter1 fails the failover happens and now the ASA2 will become primary.

Now when the ASA2 becomes primary it will swap the mac addresses  and IP as well with ASA1 so now ASA2 ip address becomes 192.168.1.2/30  and mac address becomes aa:aa:aa:aa:aa. . Now, core sw2 doenst know this  ip address/macaddress  as they are not on the same subnet, hence it  keeps failing. For eigrp neighbor to form they have to be on the same  subnet. When the failove rhappens the ASA2 will have ip address of  192.168.1.2 and the core swit2 will have an ip address of 172.16.1.2. So  this wil never work

you can test by typing "sh ip address" on the ASA2 after the failover and see what ip addresse you can see

HTH

Kishore