We have 2 x Cisco ASA 5516-X firewalls in an active/passive implementation. The ISP has provided dual-homed ethernet links which use VRRP. Each ISP link terminates into the outside interface of each firewall. Currently the ISP links are unable to exchange VRRP hello packets. A solution to this is to introduce switches between the firewalls and the ISP links. Other than this approach, is there a way to allow the VRRP process to work with the existing setup i.e. without introducing additional switches? There are no spare interfaces on the firewalls currently.
Diagram attached for reference.
Thanks for the response. At the moment the firewall config is set to monitor a number of interfaces, including the outside interfaces. But this is just the interface state.
What you've suggested did cross my mind, however I wasn't sure whether or not it's normal practice to terminate a WAN link on an inside switch, even on a separate VLAN. This isn't something I've seen before. Plus it'd mean using 4 "expensive" 10Gb ports and these aren't high density switches.
You need layer 2 connectivity. Yes, you could do what has been suggested if you didn't want to purchase additional hardware. However, it generally isn't recommended; normally you'd expect 2 switches on the outside of the network, between the firewalls and routers. These don't need to be high spec.