Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3707
Views
5
Helpful
2
Replies

Pros and Cons about ASA failover on two geographic location

rmrahman0302
Level 1
Level 1

ā€Ž04-19-2011 03:40 PM - edited ā€Ž03-11-2019 01:23 PM

Hi,

One of my client is looking for to deploy ASA failover between two geographic locations. Currently main office consists of the network with Edge Router--ASA---Core Switch----Servers and Users. They have another location (location B) which is  connected to the main office via fibre (layer2,1 GB uplink) and that location has few servers. We want to deploy another ASA as a failover to the active ASA. If we want to put the new ASA at the location B, my question, is this setup will work or any issues down the line if we want to deploy data center to data center failover? Any expert opinion will be appreciated.

Thanks.

Labels:
0 Helpful
2 Replies 2

hobbe
Level 7
Level 7

ā€Ž04-19-2011 11:43 PM

Active-failover scenario

If you only have one line between them I would recomend against it.

you could end up with a broken link and two asa fighting over control over packets.

we have had several problems with that when links between sites have gone down and left the two asa stranded and can not se eachother, then both tries to send packets to the other side and things just go belly up with massive disturbances.

I would say minimum 2 physical different paths (1 fƶr controltraffic/heartbeat and 1 for data traffic), and optimum would be one path per interface.

Vlan is NOT a physical path.

A cold standby is ok though.

There are many different solutions you can start the coldstandby from a distance with.

if you have atleast 2 different physical paths its a very nice thing to have active/failover setup.

IF the ASA is to be placed very near eachother then there are many other things like powerspikes and localised problems like fire,flood and so on that needs more to be taken into consideration. and maybe a cold standby is a better option there.

Good luck

HTH

sean_evershed
Level 7
Level 7
In response to hobbe

ā€Ž04-20-2011 07:37 AM

Will the 1G link be dedicated to ASA failover connectivity? If not note the latencey recommendation from the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476

"For optimum performance when using long distance LAN failover, the  latency for the failover link should be less than 10 milliseconds and no  more than 250 milliseconds. If latency is more than 10 milliseconds,  some performance degradation occurs due to retransmission of failover  messages."

See also the link below discussing the design challenges of splitting firewalls between two data centres:

http://blog.ioshints.info/2011/04/distributed-firewalls-how-badly-do-you.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card