Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3603
Views
5
Helpful
4
Replies

Two ASA 5510 (Active / Standby) connecting to two stack switches

Go to solution
dapo dimeji
Level 1
Level 1

ā€Ž11-16-2015 03:54 PM - edited ā€Ž03-11-2019 11:53 PM

Hello All,

I have a change in design with my ASA (Active / standby) connecting  two stand alone switches. I previously had the active ASA connected to Switch 1 and the standby connected to switch 2. The two switches were trunked via a physical cable.

Switch 1  had three interfaces connected to the Active ASA and Switch 2 had three interfaces connected to the standby ASA:

i.e Switch 1 Config

interface Vlan15
 ip address 12.170.15.2 255.255.255.0
 standby 25 ip 12.170.15.1
 standby 25 priority 120
 standby 25 preempt

interface Vlan17
 ip address 19.175.18.7 255.255.255.0
 standby 17 ip 25.175.18.1
 standby 17 priority 120
 standby 17 preempt

i.e Switch 2 Config

interface Vlan15
 ip address 12.170.15.3 255.255.255.0
 standby 25 ip 12.170.15.1

interface Vlan17
 ip address 19.175.18.8 255.255.255.0
 standby 17 ip 25.175.18.1

I have replaced the two switches with a 3750-x stack switch (two), as it is a stack switch I can only configure an IP Address per Vlan interface, so  Vlan 15 & 17 config of switch 1 remains on the stack switch. Now because my Primary ASA has two interface and the failover connected to Switch 1 of the stack switch and the Secondary ASA also has two interface and the failover connected to Switch 2 of the stack switch , I now have two different cross stack ports (i.e : Gig 1/0/1 & Gig2/0/1 and also Gig1/0/2 & Gig2/0/2) interfaces on the switch flapping.

Also the secondary ASA has assumed Active state although i have power cycled it, it still comes back up as Active. 

I would like to get some help if there is a better way of having both ASA ( Active / Standby) connected to the stack switch.

I appreciate your response.

Regards

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rolando Valenzuela
Level 4
Level 4

ā€Ž11-17-2015 11:48 AM

If you need multiples IPs on the same VLAN you can uses the secondary keyword (but using secondary IPs is not a best practice)

ie

interface Loopback99
ip address 10.10.10.1 255.255.255.255
ip address 10.10.10.2 255.255.255.255 secondary

Now, I dont understand why having just one IP is a problem, you need to send the the traffic to an specific IP, why it cannot be the same?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Regarding the failover, have you tried to force it? On the active firewall you can do the following:


CiscoASA# no failover active

On the standby firewall you can do the following:

CiscoASA# failover active

Rolando Valenzuela.

View solution in original post

0 Helpful

Go to solution
Boris Uskov
Level 4
Level 4
In response to Rolando Valenzuela

ā€Ž11-18-2015 03:41 AM

Hello,

I think, you'd better avoid cross stack connections in your case. Please, see the attach.

With cross stack (left schema), if one of the switches fails, both ASAs will lose one interface.

Without cross stack (right schema), if one of the switches in the stack fails, only one ASA will loose all of its connections. The second ASA will have all interface in UP state and will assume the Active role (if it was Standby).

View solution in original post

Preview file
18 KB
4 Replies 4

Go to solution
Rolando Valenzuela
Level 4
Level 4

ā€Ž11-17-2015 11:48 AM

If you need multiples IPs on the same VLAN you can uses the secondary keyword (but using secondary IPs is not a best practice)

ie

interface Loopback99
ip address 10.10.10.1 255.255.255.255
ip address 10.10.10.2 255.255.255.255 secondary

Now, I dont understand why having just one IP is a problem, you need to send the the traffic to an specific IP, why it cannot be the same?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Regarding the failover, have you tried to force it? On the active firewall you can do the following:


CiscoASA# no failover active

On the standby firewall you can do the following:

CiscoASA# failover active

Rolando Valenzuela.

0 Helpful

Go to solution
Boris Uskov
Level 4
Level 4
In response to Rolando Valenzuela

ā€Ž11-18-2015 03:41 AM

Hello,

I think, you'd better avoid cross stack connections in your case. Please, see the attach.

With cross stack (left schema), if one of the switches fails, both ASAs will lose one interface.

Without cross stack (right schema), if one of the switches in the stack fails, only one ASA will loose all of its connections. The second ASA will have all interface in UP state and will assume the Active role (if it was Standby).

Preview file
18 KB

Go to solution
Rolando Valenzuela
Level 4
Level 4
In response to Boris Uskov

ā€Ž11-18-2015 09:20 AM

Good point Boris!
When I read this thread, I imagined something like your right schema, but I never point it out!

Thanks for sharing!

Rolando Valenzuela.

0 Helpful

Go to solution
dapo dimeji
Level 1
Level 1
In response to Rolando Valenzuela

ā€Ž11-19-2015 01:49 AM

Thanks Guys your replies have been really helpful, I restarted both ASA's (Active / Standby) and made sure I powered up the Primary ASA first before the secondary. The primary is now running as Active and the secondary as Standby. I guess the seconday ASA might have gotten confused when i moved some cables around while connecting to the new installed stacked switch ( the order of operation might have be faulty).

Boris# I will look into changing the ASA connection to the switch from  cross Stack to non-Cross stack, as it is a better design if one of the stack switch fails.

Many thanks guys.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card