Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1551
Views
0
Helpful
4
Replies

Connecting ASR to ASA???

mrbrianott
Level 1
Level 1

‎04-23-2015 05:18 AM - edited ‎03-07-2019 11:41 PM

Hello,

I have 1xASR 1004 and 2xASA 5585-x (Failover in Active/Standby). I'm not sure how I can succesfully connect these two devices directly. I tried a port-channel but the standby units link shows a 'susp' in the etherchannel stats on the ASR. When I do a failover the link is considered down and the ASR doesn't switch the 'bndl' link.

 

The connection from the ASA is a ten gig interface from each ASA directly connected to the ASR using 2 ten gig links. This is the "outside" interface of the ASA.

 

Any help with this would be greatly appreciated.

 

Edit: as pointed out (Thanks Jon) I ended up using a BDI interface. It isn't very pretty but it seems to work as intended.

 

ASR

---

bridge irb

bridge 1 protocol vlan-bridge

bridge 1 route ip

!

interface bdi 1

ip address 1.1.1.1

encapsulation dot1q VLANID

!

interface PHYSICAL

service instance 1 ethernet

encap dot1q VLANID

bridge-domain 1

 

on the ASA

I just created a subinterface on the physical interface so

interface tengig 0/1.$VLANID

VLAN $VLANID

ip address ...

nameif outside

 

worked!

 

 

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎04-23-2015 05:34 AM

I don't believe you can do this.

If the firewall pair is active/standby then you cannot create one etherchannel across both firewalls ie. each firewall would need a separate etherchannel.

See this link for details but essentially the ASAs have different system IDs so they cannot form a single etherchannel -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-basic.html#pgfId-1886574

basically you need a switch or switches between your router and the firewalls.

If I have misunderstood then please clarify.

Jon

 

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎04-23-2015 05:42 AM

Hi,

I am not familiar with how fail over works on Cisco ASA in active/standby mode, so feel free to ignore if you need to. Question, when you unplug the connection from the ASR to the active ASA, does the standby take over?

It maybe that the ASA does not fail over and that is why the link to standby ASA stays down.

HTH

0 Helpful

mrbrianott
Level 1
Level 1
In response to Reza Sharifi

‎04-23-2015 06:04 AM

I knew this but was really hoping someone might know an alternative to adding a switch between them.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mrbrianott

‎04-23-2015 06:49 AM

-

0 Helpful
Customers Also Viewed These Support Documents