Re: ASA Failover Design Issue

From: George J. Sanchez <marco207p_at_gmail.com>
Date: Fri, 13 Jan 2012 07:29:46 -0600

I've been doing this setup for years and have tested the active/passive failover with no problems. If you want a sample config, let me know.

Regards,
 Joe Sanchez

On Jan 12, 2012, at 5:52 PM, "Antonio Soares" <amsoares_at_netcabo.pt> wrote:

> Hello group,
>
> I need help with this one. I have a customer asking me to connect two pairs
> of ASAs directly, without any switch in the middle. I never saw something
> like this and after a few hours playing with this setup, I'm almost giving
> up.
>
> Please check here the diagram:
>
> http://www.ccie18473.net/failover.jpg
>
> I'm running OSPF between the two pairs of ASAs in order to get maximum
> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
> problem I see is that only one OSPF adjacency is up, between the active
> ASAs. I understand that this happens because OSPF is inactive on the standby
> ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
> is that if I play a little with "failover active" and "no failover active",
> this becomes completely broken: the ASAs start moving from active to standby
> without any pattern. I think this is because the ASAs in each pair don't see
> each other. Ok, this seems to be completely against the basic ASA Failover
> design. Each firewall must see its peer on the data interfaces.
>
> Can somebody tell me if this is possible to achieve? The customer keeps
> telling me that there are other vendors that do this without any issues...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares_at_netcabo.pt
> http://www.ccie18473.net
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Fri Jan 13 2012 - 07:29:46 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART