Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
720
Views
5
Helpful
2
Replies

Traffic over CISCO ASA 5516X HA Link

Go to solution
PNW Weer
Level 1
Level 1

‎09-19-2017 07:26 AM - edited ‎02-21-2020 06:19 AM

 

I am in a process of deploying  ASA 5516x HA cluster ( Active/Standby), I need to connect this cluster to another FW HA cluster ( not sure about the vendor) with another organisation.

 

I was given a network design physical connectivity as below,

 

Cisco ASA  primary -outside interface --->> Third party FW1 outside interface (primary)

Cisco ASA  secondary -outside interface ---->> Third party FW2 outside interface (secondary)

 

Third party FW 1 and FW2 also acting as a cluster. All the firewalls need to physically connect without using an intermediate switch.

Can this work , if  during the ASA failover? 

 

My understanding is that all the FWs needs to have a mesh connection or use intermediate switch and implement L2 domain in outside interfaces. 

 

Any suggestions please? 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎09-19-2017 07:58 PM

Hello,

 Physically direct connect is required in some kind of clusters as well. Or they just want to eliminate any point of failure between Firewall. 

 What I  find more interesting is that this setup suggest that they want to build a high redundant cluster of firewall but mixing up vendors. This is something I dont get it.

 Let´s imagine if Active ASA fail, Standby ASA takes over. On the other Side nothing has change and Active Third part Firewall is still Active. As per your design, this Active  Third part Firewall does not have physical connection with ASA standby and Active ASA is down.

  If that happen, communitacation between both organization will be broken. 

 

 

View solution in original post

2 Replies 2

Go to solution
Flavio Miranda
VIP
VIP

‎09-19-2017 07:58 PM

Hello,

 Physically direct connect is required in some kind of clusters as well. Or they just want to eliminate any point of failure between Firewall. 

 What I  find more interesting is that this setup suggest that they want to build a high redundant cluster of firewall but mixing up vendors. This is something I dont get it.

 Let´s imagine if Active ASA fail, Standby ASA takes over. On the other Side nothing has change and Active Third part Firewall is still Active. As per your design, this Active  Third part Firewall does not have physical connection with ASA standby and Active ASA is down.

  If that happen, communitacation between both organization will be broken. 

 

 

Go to solution
PNW Weer
Level 1
Level 1
In response to Flavio Miranda

‎09-20-2017 03:04 AM

Hi Flavio

 

Thank you for your response. I thought the same way and advised customer to make a cluster connection. I wanted verify my suggestion with other experts.

 

thank you again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card