I need to establish a stateful failover link between 2 ASAs in two separate rooms, but I have to go through a firewall for this link.
I know that the easiest way to do so is to have a layer 2 link, but this is a very particular situation where I am asked to do differently, with a firewall in the middle.
My question is: what are the protocols and ports that I shall allow on the middle firewall in order to allow HA flows (for the stateful failover link) between the primary and secondary ASAs?
My failover is active/passive.
Thanks in advance.
Looks like you want to put the business at risk. If the ASA is in the next room, why not arrange fibre or CAT cable depending on requirement, rather than going via any Layer 3 FW to inspect many things, which is not a recommended setup? You end up changing back to the suggested setup again for Cisco TAC to support.
Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
•The unit state (active or standby)
•Hello messages (keep-alives)
•Network link status
•MAC address exchange
•Configuration replication and synchronization
Here are the guidelines (an old one, but the theory is the same; nothing has changed majorly as of now in terms of HA).
Thank you for your fast response,
In fact, I am aware of the risk of the suggested architecture with a firewall in the middle, and I also acknowledge all the messages that flow between the nodes (unit state, hello messages …).
However, it does not answer my question: which protocols and ports shall I open on my middle firewall in order to get my stateful failover link up and running?
Thanks in advance.
The following is documented and supported:
Connect the failover link in one of the following two ways:
•Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA.
•Using a crossover Ethernet cable to connect the appliances directly, without the need for an external switch.
I don't think many people have configured failover as you intend to do; it is not one of the above recommended methods, so it won't be supported. I suggest you lab this and run a packet capture to determine this for yourself, or implement one of the methods above.