Redundant Failover link on ASA5500 Series?

Cisco recommends connecting the failover link over an L2 switch in their document.
But if the L2 switch fails, both ASAs' failover I/F will go down.
I wonder if there is any way to get redundancy for the failover link, like EtherChannel.
Or should I prepare two L2 switches to avoid both ASAs' I/F going down?
Any hints appreciated.

Even if both of the failover interfaces go down it won't affect the traffic flow. Also, if the switch is being monitored, this will get detected and can be solved easily. If you still want redundant failover links, using separate switches will be a good idea.

Similar Messages

  • ASA redundant failover links

    Hi,
    We are setting up a new ASA which is in multi-context mode. I was wondering if it is possible to set up redundant failover and state links? I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links? For example, failover and state on ten1/0 as well as failover and state on ten1/1.
    Hope I have explained my question well enough.  If not I will try to explain better.
    thanks

    I would suggest making a redundant logical link and attaching two physical links to it. Then during failover link configuration specify your redundant link as the failover link. Not sure if it works, but I don't see any reason for this solution to fail.

  • Active/Standby Failover with pair of 5510s and redundant L2 links

    Hi
    I just got two ASA5510-SEC-BUN-K9 and I'm wondering if it is possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510s and a redundant pair of switches on both the inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in the pair of ASAs) to each L2 switch (in the pair of redundant L2 switches). The configuration I would like to achieve is just like the one in the Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with the only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
    Thanks in advance
    Zoran Milenkovic

    Hello Zoran,
    Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX; however, connectivity would still be the same with ASAs-
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
    The difference is that on the ASA you can only have LAN-based failover, hence you'll need to use one additional interface on both ASAs for the failover link. You can connect these two failover-link interfaces directly using a crossover cable.
    Apart from this, please refer to the following link on how to go about configuring LAN-based Active/Standby failover-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
    Also make sure that both ASAs have the required hardware/software/license based on the following link-
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
    Hope this helps.
    Regards,
    Vibhor.

  • Failover link interface redundant

    Hello, I am trying to configure an ASA active/standby pair, but at the same time trying to have the failover link interface be a redundant interface. According to the documentation it is possible, but when configuring it tells me that a shared interface is not feasible. I can't find the correct configuration. They are two ASA5525X, version
    Cisco Adaptive Security Appliance Software Version 8.6(1)2
    Device Manager Version 7.0(2)

    Hello Julio,
    Sure, no problem. This is the current configuration of my interfaces and redundant interfaces. I want to use interfaces G0/5 and G0/6 as my failover interface; I'm not sure whether it will work?
    interface GigabitEthernet0/5
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    description LAN/STATE Failover Interface
    interface Redundant1
    member-interface GigabitEthernet0/2
    member-interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.18.100.X 255.255.255.0 standby 172.18.100.X
    interface Redundant2
    member-interface GigabitEthernet0/0
    member-interface GigabitEthernet0/3
    nameif vpn-outside
    security-level 0
    ip address 10.245.245.x 255.255.255.0 standby 10.245.245.x
    interface Redundant3
    description Failover
    member-interface GigabitEthernet0/5
    member-interface GigabitEthernet0/6
    no nameif
    no security-level
    no ip address
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet0/7
    failover polltime unit msec 500 holdtime 3
    failover key *****
    failover replication http
    failover link failover GigabitEthernet0/7
    failover interface ip failover 172.32.254.1 255.255.255.252 standby 172.32.254.2
    When configuring, this is the error sequence:
    VPN5525X-VLP(config)# no failover lan interface failover GigabitEthernet0/7
    VPN5525X-VLP(config)# no failover link failover GigabitEthernet0/7
    VPN5525X-VLP(config)#  failover lan interface failover redunda
    VPN5525X-VLP(config)#  failover lan interface failover redundant3
    INFO: Non-failover interface config is cleared on Redundant3 and its sub-interfaces
    VPN5525X-VLP(config)# failover link failover Redunan
    VPN5525X-VLP(config)# failover link failover Redundant3
    VPN5525X-VLP(config)#
    VPN5525X-VLP(config)#
    VPN5525X-VLP(config)# exit
    VPN5525X-VLP# sh run fa
    It is now configured, but I'm not sure whether it will work, Julio, configured like this.
    VPN5525X-VLP# sh run failover
    failover
    failover lan unit primary
    failover lan interface failover Redundant3
    failover polltime unit msec 500 holdtime 3
    failover key *****
    failover replication http
    failover link failover Redundant3
    VPN5525X-VLP#

  • PO for LAN failover and stateful failover link?

    Hi.. We have 2 x ASA 5520s running ver 9.0. We plan to aggregate the 2 interfaces used for LAN failover and stateful failover into an LACP PO. So both ASAs are connected to each other directly using these 2 interfaces and then we logically make it one PO. We then assign the PO interface an IP. Is this supported?

    You can use any unused interface (physical, redundant, or EtherChannel) as the failover link. (Source)
    That said, it would be an uncommon implementation. I almost always see them on separate physical interfaces.

  • Active/Standby And failover link configuration mode

    Hi everyone,
    When configuring the failover link of an ASA in Active/Standby mode.
    When we configure the failover int, say gi0/1:
    config t
    int gi0/1
    failover lan int gi0/1
    Need to confirm: do we do this from interface config mode only, or can we do this from global config also?
    When we assign an IP to this int, do we do that from global config mode?
    Regards
    Mahesh
    Message was edited by: mahesh parmar

    Hi,
    Actually the ASA lets you enter a lot of commands whatever mode you are in.
    In the output you posted there is a very important thing to notice:
    configure mode commands/options:
      WORD  Specify the interface name
    As you can see, the output lists only one option, and before that it mentions that this is a "configure mode" command.
    So even if you entered the command under interface configuration mode, it would still be entered as a global/configure mode command.
    Take the following for example:
    I want to check what configuration options I have with the command "failover".
    So I enter the following on my ASA:
    ASA(config)# failover ?
    configure mode commands/options:
      interface              Configure the IP address to be used for failover and/or
                                  stateful update information
      interface-policy    Set the policy for failover due to interface failures
      key                       Configure the failover shared secret or key
      lan                       Specify the unit as primary or secondary or configure the
                                   interface and vlan to be used for failover communication
      mac                      Specify the virtual mac address for a dynamic interface
      polltime                Configure failover poll interval
      timeout                 Specify the failover reconnect timeout value for
                                   asymmetrically routed sessions
    exec mode commands/options:
      active          Make this system to be the active unit of the failover pair
      exec            Execute command on the designated unit
      reload-standby  Force standby unit to reboot
      reset           Force a unit or failover group to an unfailed state
    As you can see, the ASA tells us that there are different additional command parameters after the "failover" command that can be used. Some of them can be used in either Exec or Configuration mode.
    - Jouni

  • Failover link in a C65K VSS with ASA-SM

    Hi
    Just experienced a combined TCP flood/UDP flood attack, which caused both ASAs to go active :-(
    Active:
    01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
    01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
    01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
    01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
    The standby ASA said ' failover off' but a reload of the standby fixed the dual active problem:
    Standby:
    ASA-SM1# sh failo
    Failover Off
    Failover unit Secondary
    Failover LAN Interface: folink Vlan998 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    ASA-SM1# sh failo state
                        State          Last Failure Reason      Date/Time
    This host  -   Secondary
                         Disabled       None
    Other host -   Primary
                        Not Detected   Comm Failure      01:55:59
    'Service-policy in' on the uplink interface (was 512/10 before):
    embryonic-conn-max 256 per-client-embryonic-max 5
    Questions:
    1. Possible causes for the comm failure (memory exhaustion?) Any good commands for checking?
    2. The failover link:
    In an ASA appliance setup it is recommended to establish a dedicated physical failover link between the ASAs. What about ASA-SM in a VSS setup: does it make sense to establish e.g. a physical 1G link for failover, and if yes, won't there be a loop issue with this and the fo VLAN on the VSL link?
    3. What is "Interface Policy 1" in the 'sh failo' command output?
    Thanks
    Jesper

    Hello Adrian,
    Don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is being changed.
    IOS itself is not deleting the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA itself, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.
    IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.
    It could also happen if you are getting the same IP address from your ISP, but the Internet outages are longer than 30 seconds.
    The solution would be to turn on DPDs on IOS:
    crypto isakmp keepalives TIME_IN_SECONDS periodic
    Details about DPDs:
    https://supportforums.cisco.com/docs/DOC-8554
    Regards,

  • Failover link

    Hello,
    On an ASA 5520 active/standby pair, what will happen if the failover link or interface goes down or fails? Will both devices become active?
    If yes, how to prevent this? We want it in such a way that if such a situation happens, there should be only one Active and the other one should be standby.
    Thanks in advance!

    If the ASA units are connected with a crossover cable then no failover will take place.
    If using LAN-based failover then you will end up with Active-Active and traffic will fail.
    Thanks
    Ajay

  • Series link and Smart Series

    Until Sky stop prefixing programmes with the moniker NEW:, series link and Smart Series will not work because the planner thinks they are another programme. E.g. last night UNDER THE DOME restarted, and was set in my Smart Series. Unsurprisingly, it did not record as the programme was called NEW: UNDER THE DOME. Not technical, you can keep on rebuilding your planners all day, but the solution is obvious, except to Sky, no surprise there...

    The 'new' issue (which was fixed I think in R010) never stopped programmes recording, it just mixed up the stacks if you had episodes both with 'New' and without. This has been fixed in the majority of cases.
    Your issue appears to be entirely different. Did the next episode (i.e. last night's Falling Skies) appear in the Scheduled tab at all and fail to record, or didn't it put it in after last week's episode?
    is correct in that it is up to the channels themselves what constitutes a series. For example, it is the BBC who has decided that the new Top Gear specials being shown are not part of the aborted series, so Sky boxes won't have picked them up automatically.

  • Redundant up-links distribution switches

    I am trying to understand some basic math involved in calculating redundant uplinks from access switches to distribution switches. The ICND1 depicts a diagram showing 40 access switches with 2 distribution switches and 4 uplinks to each of the 40 access switches, resulting in 160 links.
    It then goes on to say that if the design instead did not use distribution switches, connecting a single link between each pair of access switches would require 780 links.
    How was 780 calculated exactly?

    Hi,
    The 780 is calculated as (40 * 39) / 2.
    In general, this is a question asking about the number of links needed to interconnect N nodes with a single direct link between each pair of these devices. The formula is N * (N-1) / 2, and it follows a simple logic: on each of the N nodes you need to connect N-1 links to reach the remaining devices, and because a link connects a pair of devices, adding each link always "deals with" a pair of devices, hence the division by 2.
    Best regards,
    Peter

  • Redundant Wireless links

    I'm in the process of investigating redundant wireless links. The case is, I have two wireless antennas, each of them on a different network and serving two different areas. Is it possible to let one of the antennas take over if the other one fails?

    The controllers I do not have much experience in, so I had to go out researching via Google and Cisco's internal and forum search function. It first appears that the controller doesn't support hot standby for the APs themselves but rather increases the power of the APs around them. However, again this is just some brief research I did and may be incorrect. If you don't receive an answer, open up a TAC case and they will be able to tell you for sure.
    Sorry I wasn't more help. If you end up using some APs outside of the controller, you can find the Hot Standby settings by using the GUI and clicking on "Services"; then the 2nd option is 'Hot Standby'.

  • ASA failover link over the etherchannel connected switches

    Hello,
    We have two ASA firewalls located in different locations.
    The firewalls are in Active/Standby mode.
    The failover links of the firewalls are connected to two different switches.
    These switches are connected to each other with two dark fibers aggregated into an EtherChannel (source-MAC address mode).
    When one of the fiber links fails and then is immediately connected again, the secondary ASA goes to the Active state and then back to the Standby state.
    Please see the output below.
    The holddown timer is set to 15 seconds.
    What could be the cause of this state change?
    ciscoasa# sh failover history 
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    22:54:20 GET Apr 4 2014
    Standby Ready              Just Active                HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Just Active                Active Drain               HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Drain               Active Applying Config     HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    22:54:20 GET Apr 4 2014
    Active Config Applied      Active                     HELLO not heard from mate
    22:54:42 GET Apr 4 2014
    Active                     Cold Standby               Failover state check
    22:54:43 GET Apr 4 2014
    Cold Standby               Sync Config                Failover state check
    22:55:36 GET Apr 4 2014
    Sync Config                Sync File System           Failover state check
    22:55:36 GET Apr 4 2014
    Sync File System           Bulk Sync                  Failover state check
    22:55:51 GET Apr 4 2014
    Bulk Sync                  Standby Ready              Failover state check

    Maybe a spanning tree recalculation. I know you said there was an EtherChannel, but I would make sure it is built properly. Also run "show spanning-tree detail" on the switches after you unplug/replug and check when the last topology change was.
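As an added example, not code from the thread: a small Python parser for the `show failover history` output quoted in this post, which flags a takeover that lasted only seconds (the pattern above, where the secondary went Active and back to Standby within 22 seconds). It assumes the fixed-width column layout and timestamp format seen in that output; the timezone token (GET here) is matched but otherwise ignored.

```python
import re
from datetime import datetime

# Constructed sample in the format of the 'show failover history' output
# quoted in the post above (10 transitions, 22 seconds spent fully Active).
SAMPLE_HISTORY = """\
==========================================================================
From State                 To State                   Reason
==========================================================================
22:54:20 GET Apr 4 2014
Standby Ready              Just Active                HELLO not heard from mate
22:54:20 GET Apr 4 2014
Just Active                Active Drain               HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Drain               Active Applying Config     HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Applying Config     Active Config Applied      HELLO not heard from mate
22:54:20 GET Apr 4 2014
Active Config Applied      Active                     HELLO not heard from mate
22:54:42 GET Apr 4 2014
Active                     Cold Standby               Failover state check
22:54:43 GET Apr 4 2014
Cold Standby               Sync Config                Failover state check
22:55:36 GET Apr 4 2014
Sync Config                Sync File System           Failover state check
22:55:36 GET Apr 4 2014
Sync File System           Bulk Sync                  Failover state check
22:55:51 GET Apr 4 2014
Bulk Sync                  Standby Ready              Failover state check
"""

# Timestamp line: HH:MM:SS <tz name> <Mon> <day> <year>; the tz name is skipped.
TS_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ ([A-Za-z]{3}) (\d{1,2}) (\d{4})$")


def parse_failover_history(text):
    """Return the transitions as dicts with keys time, src, dst, reason."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            hms, mon, day, year = m.groups()
            pending = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S")
            continue
        if pending is None:          # header and separator lines have no timestamp
            continue
        parts = re.split(r"\s{2,}", line)   # columns are padded with 2+ spaces
        if len(parts) == 3:
            src, dst, reason = parts
            events.append({"time": pending, "src": src, "dst": dst, "reason": reason})
        pending = None
    return events


def find_active_flaps(events, max_active_seconds=60):
    """Flag takeovers that reached the full 'Active' state and left it again
    within max_active_seconds: (became_active, left_active, seconds, trigger)."""
    flaps, since, trigger = [], None, None
    for ev in events:
        if ev["dst"] == "Active":
            since, trigger = ev["time"], ev["reason"]
        elif ev["src"] == "Active" and since is not None:
            secs = (ev["time"] - since).total_seconds()
            if secs <= max_active_seconds:
                flaps.append((since, ev["time"], secs, trigger))
            since = None
    return flaps


# Result for the constructed sample: one 22-second flap triggered by
# "HELLO not heard from mate", i.e. lost hellos on the failover link itself.
FLAPS = find_active_flaps(parse_failover_history(SAMPLE_HISTORY))
```

Feeding the real `show failover history` output into `parse_failover_history` and alerting on any non-empty `find_active_flaps` result catches exactly the short Active/Standby bounce described in the post, which a plain "is the standby up?" check would miss.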

  • WiSM redundancy/failover

    Cisco documents mention only up to a tertiary WLC. The thing is, each WiSM has 2 WLC 4404 cards. We have 2 WiSM modules. How do we configure the WiSM modules for redundancy/failover? -Thanks

    If you have two WiSMs in one chassis then I would set it up like this... no need for a tertiary:
    WiSM 1 WLC 1 A
    WiSM 1 WLC 2 B
    WiSM 2 WLC 1 A
    WiSM 2 WLC 2 B
    Just break up the sections via floor, building or sections.
    ex.
    A = floors 1-3
    B = floors 4-6

  • Redundancy/failover testing

    My company is a relatively small enterprise (about 800 people scattered across 45-50 branches) and we are planning on setting up a periodic failover/redundancy testing schedule for our routers. Basically, we want to test the secondary WAN links at our branch offices and test the redundancy in our data centers.
    I'm sure there is plenty of documentation out there in regards to best practices, but what I find has more to do with a full DR test of an enterprise's systems, as opposed to a simple failover test of an office's WAN link.
    Does anyone have good suggestions for how often you should run these tests? My original thinking is to do this every quarter, but this would involve some travel for us and our resources are slim. The branch offices can be done remotely without any issue, but our DR site (which is actually used for some production traffic) would probably require one of our staff to be on site during a redundancy test.
    Thanks!

    Yep, that's what I did now.
    But keep in mind this is not really explained, even after going through all the documentation.
    There is no document explaining what behaviour to expect in Jabber in case of redundancy of all the UC components.
    For the CUCM it's not clear, and nothing is mentioned in case of MRA.
    IM&P is documented, but nothing for MRA.
    Expressway states something about redundancy, but the behaviour to expect is not described. Same for XMPP federation, no idea.
    Unity Connection as well, nothing is explained.

  • Want to configure BACKUP VPN in asa 5505 for failover link

    Hi,
    Currently I'm having 2 ISPs, one Tata and another one Reliance. I want to configure the backup VPN for the Reliance IP for the same peer IP which the Tata VPN had configured.
    Is it mandatory to configure the same SA, encryption, IPsec policy, key, lifetime, etc. for the failover VPN also?

    Hi Michael,
    First of all, thanks for the reply.
    Can we do it by public certificate or DNS entry, e.g. both ISP public IP addresses will be entered in DNS and the user will hit a particular DNS name? You are right that once the link goes down the user will disconnect, but when he retries he will connect via the other link.
    Is it possible??
    Ashish
