Beginner

FirePower 4150 / ASA code / Failover

Hello

It's all about failover.
We are running a couple of FirePower 4150 appliances at two different locations. They are not in cluster mode.
On top we run ASA code in Multiple Context Mode and with 20 Transparent Contexts. Active/Standby.

Setup:
Port-Channel 1 is used for Zone Traffic Inside and Outside (Subinterfaces, i.e. Po1.2048 and Po1.3048)
Port-Channel 2 is used for Failover (2 Subinterfaces STATE and LAN)
Port-Channel 3 is used for Management Access

If I run "show failover" I see: "admin Interface management (10.9.200.34): Normal (Monitored)".
No other interface is monitored.
I guess it would make sense to monitor Port-Channel 1 as well.

Questions:
1. The FirePower appliance does not communicate to its mate, so Port-Channel 1 must be monitored on the ASA (Subinterface). Correct?
2. Does it make sense to monitor more than 1 Subinterface of Port-Channel 1?
3. I often read that only the Inside Interface should be monitored. Why not Outside as well? (On our ASA-5555 VPN Gateways we do so.)
4. Does it even make sense to monitor Port-Channels for failover, as they provide redundancy anyway?

Any input is highly appreciated. Many Thanks.
Thomas

3 REPLIES 3
VIP Mentor

Is the management interface part of - Port-Channel 3 is used for Management Access?

BB
*** Rate All Helpful Responses ***
Beginner

The 1-Gbps Interface is only used to manage the Chassis.

Only the (virtual) ASA is managed through Port-Channel 3 (2 Ten-Gig Interfaces; a little overkill).

Thomas

Frequent Contributor

Subinterfaces are not monitored by default, but I recommend you enable it for both Po1 subinterfaces with the monitor-interface command.
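
An added example, not part of the thread: a Python check that reads saved "show failover" output and lists, per context, the interfaces that are not monitored, so the gap described in the question can be audited across all contexts. The sample output is constructed and modeled on the line quoted in the question; the ctx01 context, its interface names, the addresses other than 10.9.200.34 and the "Not-Monitored" wording are assumptions.

```python
import re

# Constructed sample modeled on the "show failover" line quoted in the thread.
# ctx01, its interfaces, the extra addresses and "Not-Monitored" are assumptions.
SAMPLE = """\
This host: Primary - Active
  admin Interface management (10.9.200.34): Normal (Monitored)
  ctx01 Interface inside (192.0.2.1): Normal (Not-Monitored)
  ctx01 Interface outside (192.0.2.1): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
  admin Interface management (10.9.200.35): Normal (Monitored)
  ctx01 Interface inside (192.0.2.2): Normal (Not-Monitored)
  ctx01 Interface outside (192.0.2.2): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:")
# <context> Interface <name> (<address>): <state> (<monitoring status>)
IFACE_RE = re.compile(
    r"^\s*(?P<ctx>\S+)\s+Interface\s+(?P<name>\S+)\s+\((?P<ip>[^)]*)\):"
    r"\s+(?P<state>.+?)\s+\((?P<mon>[^)]+)\)\s*$"
)


def parse_failover(text):
    """Return one dict per interface line, tagged with the unit it belongs to."""
    rows, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1).lower()  # "this" or "other"
            continue
        m = IFACE_RE.match(line)
        if m:
            row = m.groupdict()
            row["host"] = host
            # Only an explicit "Not-Monitored" status counts as unmonitored.
            row["monitored"] = row.pop("mon").lower() != "not-monitored"
            rows.append(row)
    return rows


def unmonitored(text):
    """Sorted (context, interface) pairs that are unmonitored on either unit."""
    return sorted({(r["ctx"], r["name"])
                   for r in parse_failover(text) if not r["monitored"]})


if __name__ == "__main__":
    for ctx, name in unmonitored(SAMPLE):
        print(f"{ctx}: interface {name} is not monitored for failover")
```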
