I have 2 x Cisco 1140 Fws running in ASA mode. Active/Standby
2 x 9300s with a trunk between ten
Cisco have depreciated the Redundant interface on the 1140s
I have configured sub interfaces on one of the ports of FWs with 2 x vlans going from primary switch to active FW and
the same 2 x vlans on the standby FW going into the secondary switch so should one of the FWs or switches going down ( in this instance lets say one of the primary devices). Monitor interface on the FW will detect and failover.
with a port-channel scenario it will still be the same detection.
I want to have failover independent on the switches without having to rely on the monitor interface of the FWs and for them not to be the masters in this scenario..
is there a way for the switches to detect or do some failover.
I appreciate that there is no VSS or stack wise virtual on the 9300
Thanks in advance
Not sure I follow.
The firewalls have failover because they monitor the state of their interfaces and the switches have failover presumably because you are running HSRP or something like that ?
Are you asking if the switches can somehow detect if a firewall fails and use the standby firewall ?
If so why would you need this when the firewalls can detect this themselves and move the firewall VIP to the standby firewall ?
Hello @JamesSimpson34554 ,
>> I want to have failover independent on the switches without having to rely on the monitor interface of the FWs and for them not to be the masters in this scenario..
This is conceptually wrong the two Catalyst C9300 cannot be the decision makers they just provide per VLAN connectivity to both FP1140 units on (one or more LAN ports) that are working in Active/Standby failover.
The standby ASA listens for heartbeats from the master unit and receives information about the state of the sessions NAT and s on.
You should use dedicated links for failover and STATE and connect the ASA directly between themselves if this is not possible you should use dedicated VLANs that are carried= allowed over the inter switch L2 trunk.
If you want to be on the safe side you should consider to use a dedicated port-channel on the two switches to propagate the failover and STATE VLANs so that you can provide a fault tolerant path with dedicated resources separated from VLANs carring user traffic and without competition between the two types of communications control plane and data plane of ASA.
The decision about who is the master can be taken only the ASA units themselves.
Hope to help
I understand your topology but what I don't understand why you not want monitor the IN and Out of FW?
the failover link is detect the alive of other Peer, if the ASA not receive the hello message the ASA start failover process which in first step send message in all data interface between the two FW.
when you not monitor the IN/Out data interface in FW there is a big chance of split brain, where for any reason the active failed to send periodic hello message to standby, and you disable monitor then the standby will assume the active FW is failed and start failover process.
the monitor of data interface ensure that the active FW is failed not failover link is failed.
how SW know the the ASA failover between active and standby??
the FW standby will USE ALL IP ADDRESS OF PREVIOUS ACTVIE FW
this how failover, for user there is no traffic drop except the time the new active FW adjutancy with SW<<-
here the new active FW will inform SW that IP can reach now from different port (port connect old standby new active to SW2).