Failover ASAs and ISP connection issue

shinakuma123
Level 1

Hi All

I have a pair of failover ASA5520s, with the following interfaces:
- Outside
- Inside
- WAN
- Management

Both the primary and secondary unit each have a physical connection to the other end device apart from the WAN interface.

The WAN interface on the primary ASA connects to an ISP NTU (which provides WAN connectivity). Because the ISP NTU has only one port for connection, there is no connection from the secondary ASA.

Thus, every time the ASAs fail over we lose just the WAN connectivity. The ASAs have been randomly failing over, not regularly, but it's a cause of concern. A health check has ruled out a hardware issue, and the failover history and logs show no useful info either.

What I want to do is put a Cisco 2960 switch in between the ISP NTU and the failover pair, so both firewalls' WAN interfaces will connect to the switch and the switch will connect to the ISP NTU.

The single point of failure will be the switch, but this will counteract the failover issue.

I need advice on the following:
- Currently the firewall WAN interface is routed: one end is 10.10.10.1/24 and the other end of the WAN is 10.10.10.2/24, and both ends connect to an ISP NTU.
- With regard to config, is it best just to have it act as a dumb switch, with the ports configured as access ports on the native VLAN with spanning-tree PortFast?
- Will the introduction of the switch cause any latency / speed issue?

From everyone's experience, are there any other concerns to warn of, or are there better ways to counteract the failover issue?

Many thanks in advance


Hello

Having a switch (or switches) between the ASAs and the NTU would provide the failover you have suggested and is best practice.

You can just use L2 VLANs for segregating the inside/outside/DMZ and failover link.

One important thing is the failover link. A fast interface is required for this, because synchronisation of the ASA configuration, monitoring of interfaces, translation tables etc. will traverse it, and a direct connection via crossover cable isn't recommended.

vlan 101 - LAN, asa1 inside, asa2 inside
vlan 102 - NTU, asa1 outside, asa2 outside
vlan 103 - DMZ LAN, asa1 dmz, asa2 dmz
vlan 104 - asa1 failover, asa2 failover

res
Paul


Kind Regards
Paul
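As an added example (not from either post in this thread), here is how the VLAN plan in Paul's reply could be laid out on a Catalyst 2960 running purely as an L2 switch; the hostname, the 2960S-style GigabitEthernet port numbers and the parking VLAN are assumptions, and the 10.10.10.x/24 WAN addressing stays on the ASAs and the NTU because the switch does no routing. If only the WAN leg is switched, as in the original question, VLAN 102 and its three ports are all that is needed.

```cisco
! Added example, not from the thread: hostname, port numbers and VLAN 999 are assumed.
hostname ASA-EDGE-SW
!
vlan 101
 name LAN_INSIDE
vlan 102
 name NTU_OUTSIDE
vlan 103
 name DMZ
vlan 104
 name ASA_FAILOVER
vlan 999
 name PARKING
!
! Every port faces a single host (ASA or NTU): fixed access mode, DTP off so a
! mis-patched device cannot negotiate a trunk, PortFast for fast link-up after an
! ASA failover, BPDU Guard so a foreign switch cannot take over spanning tree.
interface range GigabitEthernet0/1 - 2
 description ASA1 inside / ASA2 inside
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet0/3 - 5
 description ASA1 WAN / ASA2 WAN / ISP NTU (10.10.10.0/24 lives on the ASAs and NTU)
 switchport mode access
 switchport access vlan 102
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet0/6 - 7
 description ASA1 DMZ / ASA2 DMZ
 switchport mode access
 switchport access vlan 103
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet0/8 - 9
 description ASA1 failover / ASA2 failover (dedicated VLAN, gigabit ports)
 switchport mode access
 switchport access vlan 104
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked off every production VLAN.
interface range GigabitEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

Because no SVI carries an IP address here, nothing on the switch answers on the WAN subnet; it only bridges the two ASA WAN ports to the NTU port so the active unit keeps its link after a failover.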