Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1634
Views
5
Helpful
1
Replies

Lan failover interface

mj11
Level 3
Level 3

‎04-19-2011 04:09 PM - edited ‎03-11-2019 01:23 PM

Hi All

I have 2 ASA's in A/S and just wondering about the Lan failover link and if this could be used to carry vlan information if I made this a Trunk interface.

I can enter the following information on the physical interface with no problems:

ASA-1(config)# interface eth 0/3
ASA-1(config-if)# switchport trunk allowed vlan 2-3,100

But I get the following error on when making this interface a trunk

ASA-1(config-if)# switchport mode trunk
ERROR: Interface is in use by failover. Remove failover configuration first

here is the configuration:

interface Vlan1
nameif inside
security-level 100
ip address 172.20.101.241 255.255.255.0 standby 172.20.101.242
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.6.10 255.255.255.0 standby 192.168.6.11
!
interface Vlan3
description LAN Failover Interface
!
interface Vlan100
no nameif
no security-level
no ip address
management-only
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport access vlan 3
switchport trunk allowed vlan 2-3,100
boot system disk0:/asa821-k8.bin
!

failover
failover lan unit primary
failover lan interface LANfailover Vlan3
failover interface ip LANfailover 10.100.100.1 255.255.255.0 standby 10.100.100.2

Any help much appreciated.

Regards MJ

Labels:
0 Helpful
1 Reply 1

brquinn
Level 1
Level 1

‎04-19-2011 08:20 PM

You can configure a sub-interface for failover, but you cannot configure any other sub-interfaces for data. Even if you could configure it, it wouldn't be a good idea because a spike in traffic could cause missed hellos and unwanted failover events. Here is an example from my lab...

ciscoasa(config-subif)# sh run fail
no failover
failover lan unit primary
failover lan interface link GigabitEthernet3/0.1
ciscoasa(config-subif)#

ciscoasa(config-subif)# sh run int      
...
interface GigabitEthernet3/0
!
interface GigabitEthernet3/0.1
description LAN Failover Interface
vlan 100
!

...

ciscoasa(config-subif)# int gi 3/0.2
ciscoasa(config-subif)# vlan 200
ciscoasa(config-subif)# nameif test
ERROR: Interface is in use by failover
INFO: Use failover command to configure interface name
ciscoasa(config-subif)#

The only thing you can do is configure both your failover lan and failover state links on the same physical interface. Per the Config Guide, this will result in an error.

******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********
  Sharing Stateful failover interface with regular data interface is not
  a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********

Bottom line: If you have the available interfaces, it is is best to give up 2 physical interfaces for failover.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077598

Thanks,

Brendan

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card