Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1296
Views
0
Helpful
5
Replies

Redundant Interface - port failure definition

Lwarner
Level 1
Level 1

‎05-05-2019 11:45 AM - edited ‎05-05-2019 12:12 PM

In the ASA 5515-x and similar, what defines a port failure on a redundant interface and triggers fail over from active to passive port?

 

For context, we have a single 5515-x and our colo provides 2 WAN ports in our cabinet. My goal is to allow for the colo doing maintenance on one of the ports.

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎05-06-2019 03:43 AM

Depends on your network, where you terminated these 2 interfaces

 

look at the below guide to confiure redundent interface.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#53791

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/interface-echannel.pdf

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Lwarner
Level 1
Level 1
In response to balaji.bandi

‎05-06-2019 08:09 AM

I have read all the documentation, but it still does not answer my question. What defines "failure?"

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Lwarner

‎05-06-2019 09:24 AM

You need identify the failure depends on reachability of next hop and failover traffic to other interface.

 

That is what i have asked in the post  how your FW connected that interface to ISP ? we need to network diagram to understand.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Lwarner
Level 1
Level 1
In response to balaji.bandi

‎05-06-2019 10:20 AM

The port fail over must be governed by some logic, which I am trying to determine. It can not dependent on my topology.

 

I currently do not have anything connected.

 

Our data center provides a redundant WAN drop with 2 ports, and I have no idea what's on the other end - they won't tell me anything other than "it's the same IP address on both ports" which leads me to believe that it's simply HSRP.

 

I have a single ASA. If I connect two interfaces as redundant ports, what triggers the fail over? Is it a dead link? Is it some internal detection of physical port failure by the ASA? Failure to reach next hop?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Lwarner

‎05-06-2019 12:44 PM

in your CASE ASA do not trigger failover automatically, we need to deploy logic using IP SLA to track the link and if the local port down, or destination IP not reachable, we need to route the traffic to other interface.

 

Other question ? how is your ASA terminating WAN side, they are 2 different Router or Switches.

if they are termniating switch you can do port bundle ? this what i have asked in orginal post.

 

we need to know your environment to suggest be, we can not visualise what is deployed there.(henge HLD or topology required here)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card