It's not recommended for troubleshooting reasons. The thought is, if your failover link goes down, there is no way to tell which side has a bad port. Recommended solution would be to connect to two switches. That being said, the number of times I've seen an ASA fail due to a bad port is zero over the last 5 years. VPN and other software failures are much more common. The direct cable method is supported by TAC, as is the combination of failover and state interfaces.
Sent from handheld
On Jan 13, 2012, at 8:38 AM, "George J. Sanchez" <marco207p_at_gmail.com> wrote:
> Joe, I've also read this whitepaper and the ASA Cisco Press books that say the same thing, however this is not true. I've tested this many times and had other engineers test the same setup with positive results. With that being said, TAC may not support the setup, but to this day I've never had a customer come back and indicate any problems with this design.
>
> Regards,
> Joe Sanchez
>
> On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:
>
>>> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>>
>> This is why the CCDE exists... to vet bullsh*t designs from people that really should not be designing... If you read the Cisco white paper on failover it clearly says the design of failover is to use a switch to avoid "both interfaces down the firewalls fo interface".
>>
>> I have done "all routed asa's" but used load balancers in between also running ospf...
>>
>> Good luck.. bad design... probably not the results you want if you do figure it out anyway...
>>
>> -Joe
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Antonio Soares
>> Sent: Thursday, January 12, 2012 6:53 PM
>> To: 'Cisco certification'
>> Subject: ASA Failover Design Issue
>>
>> Hello group,
>>
>> I need help with this one. I have a customer asking me to connect two pairs of ASAs directly, without any switch in the middle. I never saw something like this and after a few hours playing with this setup, I'm almost giving up.
>>
>> Please check here the diagram:
>>
>> http://www.ccie18473.net/failover.jpg
>>
>> I'm running OSPF between the two pairs of ASAs in order to get maximum redundancy. Suppose that initially FW-1 and FW-3 are active. The first problem I see is that only one OSPF adjacency is up, between the active ASAs. I understand that this happens because OSPF is inactive on the standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see is that if I play a little with "failover active" and "no failover active", this becomes completely broken: the ASAs start moving from active to standby without any pattern. I think this is because the ASAs in each pair don't see each other. Ok, this seems to be completely against the basic ASA Failover design. Each firewall must see its peer on the data interfaces.
>>
>> Can somebody tell me if this is possible to achieve? The customer keeps telling me that there are other vendors that do this without any issues...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares_at_netcabo.pt
>> http://www.ccie18473.net
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
Received on Fri Jan 13 2012 - 13:52:03 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART
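For reference, an added example (not any poster's actual configuration) of the Active/Standby failover stanza the thread argues about: a dedicated failover link, a separate state link, an authentication key on the failover traffic, and standby addresses plus interface monitoring on the data interfaces so each unit also hello-checks its peer through the switch-side interfaces, which is what lets the pair attribute a failure to one port rather than flapping. Interface names, addresses and timers are assumed values, not taken from the original thread.

```text
! --- Assumed topology: Gi0/3 = failover link, Gi0/4 = state link, both on the PRIMARY unit
! --- Addresses and timers are placeholders chosen for this example
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link STATE GigabitEthernet0/4
failover interface ip FAILOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.0.5 255.255.255.252 standby 10.255.0.6
! --- Authenticate/encrypt hello and config-sync traffic between the peers (replace the placeholder)
failover key REPLACE-WITH-STRONG-SHARED-KEY
! --- Unit hellos over the failover link: 1 s poll, 3 s hold before declaring the peer failed
failover polltime unit 1 holdtime 3
! --- Data-interface hellos: 5 s poll, 25 s hold; these run on every monitored interface
failover polltime interface 5 holdtime 25
!
! --- Failover/state interfaces must be up; no nameif, no IP here (set by the failover commands above)
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
!
! --- Data interfaces need a standby address so the standby unit can answer peer hellos on them
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! --- Monitor the data interfaces: a unit that loses hellos on an interface its peer still sees is the one marked failed
monitor-interface outside
monitor-interface inside
!
! --- Enable failover last, after the peer (secondary) has "failover lan unit secondary" plus the same link/ip lines
failover
!
! --- Verification after both units come up
! show failover            ! expect "This host: Primary - Active" / "Other host: Secondary - Standby Ready" with Monitored interfaces Normal
! show failover history    ! confirms which unit's interface check drove a switchover, rather than an unexplained flap
```

With only a back-to-back failover cable and no monitored data interfaces, a link loss leaves both units unable to tell whose port died, which is the troubleshooting gap the first reply describes; the monitored data interfaces give each unit a second path to judge its peer.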