RE: ASA failover

From: Sheahan, John (John.Sheahan@priceline.com)
Date: Tue Mar 28 2006 - 14:21:17 GMT-3


Yes. Here is the quote from Cisco's site:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1051178

Interface Monitoring
You can monitor up to 250 interfaces divided between all contexts. You
should monitor important interfaces, for example, you might configure
one context to monitor a shared interface (because the interface is
shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface, it
runs the following tests:

1. Link Up/Down test: A test of the interface status. If the Link Up/Down
test indicates that the interface is operational, then the security
appliance performs network tests. The purpose of these tests is to
generate network traffic to determine which (if either) unit has failed.
At the start of each test, each unit clears its received packet count
for its interfaces. At the conclusion of each test, each unit looks to
see if it has received any traffic. If it has, the interface is
considered operational. If one unit receives traffic for a test and the
other unit does not, the unit that received no traffic is considered
failed. If neither unit has received traffic, then the next test is
used.

2. Network Activity test: A received network activity test. The unit
counts all received packets for up to 5 seconds. If any packets are
received at any time during this interval, the interface is considered
operational and testing stops. If no traffic is received, the ARP test
begins.

3. ARP test: A reading of the unit ARP cache for the 2 most recently
acquired entries. One at a time, the unit sends ARP requests to these
machines, attempting to stimulate network traffic. After each request,
the unit counts all received traffic for up to 5 seconds. If traffic is
received, the interface is considered operational. If no traffic is
received, an ARP request is sent to the next machine. If at the end of
the list no traffic has been received, the ping test begins.

4. Broadcast Ping test: A ping test that consists of sending out a
broadcast ping request. The unit then counts all received packets for up
to 5 seconds. If any packets are received at any time during this
interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the
other unit continues to successfully pass traffic, then the interface is
considered to be failed. If the threshold for failed interfaces is met,
then a failover occurs. If the other unit interface also fails all the
network tests, then both interfaces go into the "Unknown" state and do
not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A
failed security appliance returns to standby mode if the interface
failure threshold is no longer met.

--------------------------------------------------------------------------------

Note If a failed unit does not recover and you believe it should not be
failed, you can reset the state by entering the failover reset command.
If the failover condition persists, however, the unit will fail again.

--------------------------------------------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Stefan Grey
Sent: Tuesday, March 28, 2006 12:00 PM
To: ccielab@groupstudy.com
Subject: ASA failover

Hi,
Does ASA support failover of multiple interfaces??
Say ASA1 and ASA2 are connected by multiple interfaces to the 3 routers.

ASA1 is active and is connected to the 3 routers. If it fails then ASA2 will
be active and its 3 connections to these 3 routers will become active???

I just couldn't find it anywhere :(
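The interface-monitoring sequence quoted in the reply above, as an added example that is not from the Cisco documentation or from either poster: a small Python model of how the network tests decide which unit's interface is "failed" versus "Unknown", and whether the failed-interface threshold triggers a failover. The packet counts are constructed sample data and the integer threshold is an assumption (on a real unit the limit is configured).

```python
# Added example, not from the Cisco documentation or the list post: a small model
# of the interface-monitoring sequence quoted above. Packet counts are constructed;
# the integer failed-interface threshold is an assumption (the real limit is configured).

# Network tests in the order the quoted procedure runs them. The Link Up/Down test
# is assumed to have passed on both units before this sequence starts.
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")


def interface_states(rx_a, rx_b):
    """Return (state_a, state_b) for one monitored interface on units A and B.

    rx_a / rx_b map a test name to the packets that unit counted during the
    test's 5-second window (counters are cleared at the start of every test).
    States are 'operational', 'failed' or 'unknown' as in the quoted text.
    """
    for test in NETWORK_TESTS:
        got_a = rx_a.get(test, 0) > 0
        got_b = rx_b.get(test, 0) > 0
        if got_a and got_b:          # both received traffic: interface is fine
            return ("operational", "operational")
        if got_a != got_b:           # only one unit heard traffic: the silent one failed
            return ("operational" if got_a else "failed",
                    "operational" if got_b else "failed")
        # neither unit received traffic: move on to the next test
    # every network test failed on both units: 'Unknown', not counted for failover
    return ("unknown", "unknown")


def failover_triggered(active_states, threshold):
    """True once the active unit's failed interfaces reach the configured limit."""
    return sum(s == "failed" for s in active_states) >= threshold


def demo():
    """Three monitored interfaces, as in the original question (constructed data)."""
    samples = {
        "to_router1": ({}, {"arp": 3}),          # active silent, standby hears an ARP reply
        "to_router2": ({"network_activity": 4}, {"network_activity": 2}),
        "to_router3": ({}, {}),                  # segment is quiet on both units
    }
    result = {name: interface_states(a, b) for name, (a, b) in samples.items()}
    active = [state[0] for state in result.values()]
    return result, failover_triggered(active, threshold=1)


if __name__ == "__main__":
    states, failover = demo()
    for name, (a, b) in states.items():
        print(f"{name}: active={a} standby={b}")
    print("failover:", failover)
```

With the constructed data only the first interface counts against the active unit; the quiet third segment ends in "Unknown" on both units and is ignored by the threshold, exactly as the quoted text describes.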



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3