Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
622
Views
0
Helpful
1
Replies

Need to add a new segment on a live ASA5520 with a failover setup running

chunlee-zuji
Level 1
Level 1

‎07-11-2012 12:15 AM - edited ‎03-10-2019 05:43 AM

Hi ,

how do I add a new segment on my ASA5520 that is currently on a lan based active/standby failover. ?

Will it trigger the failover if I add another interface and will be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover .

all of my existing segment has a redundant switch and for the new segment that I will be creating is just a straight forward with only 1 switch on the segment.

fw-inside-1# show run int

!

interface GigabitEthernet0/0

description OUTSIDE Interface_1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

description APPS Interface_1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

description DB Interface_1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

management-only

!

interface GigabitEthernet1/0

description OUTSIDE Interface_2

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/1

description APPS Interface_2

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/2

description DB Interface_2

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/3           <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.

shutdown

no nameif

no security-level

no ip address

!

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet1/0

nameif outside

security-level 0

ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11

!

interface Redundant2

member-interface GigabitEthernet0/1

member-interface GigabitEthernet1/1

nameif apps

security-level 80

ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

!

interface Redundant3

member-interface GigabitEthernet0/2

member-interface GigabitEthernet1/2

nameif db

security-level 90

ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2

fw-inside-1#

fw-inside-1# show run fail

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/3

failover polltime unit 5 holdtime 15

failover link Failover GigabitEthernet0/3

failover interface ip Failover 10.0.0.1 255.255.255.252

fw-inside-1#

Since I will not be having a redundant switch on the new segment I will use the below config

interface GigabitEthernet1/3    

  no shut

  nameif

  security-level 75

  ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2

Then I will connect cables..

Please let me know if you have any suggestions or links.

Regards

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎07-13-2012 08:05 AM

You should first configure your interface, then cable both units and after that no shut it on the ASA. Additionally you can remove your new interface from failover-monitoring as a precaution if somerhing goes wrong.

Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card