Joe,
are you saying that your ASA pairs are not connected to a common
broadcast domain on their interfaces ??? I'm not talking about the FT
link, but the real traffic interfaces...
-Carlos
George J. Sanchez @ 13/01/2012 10:29 -0300 dixit:
> I've been doing this setup for years and have tested the active passive failover with no problems. If you want a sample config let me know.
>
> Regards,
> Joe Sanchez
>
> On Jan 12, 2012, at 5:52 PM, "Antonio Soares" <amsoares_at_netcabo.pt> wrote:
>
>> Hello group,
>>
>> I need help with this one. I have a customer asking me to connect two pairs
>> of ASAs directly, without any switch in the middle. I never saw something
>> like this and after a few hours playing with this setup, I'm almost giving
>> up.
>>
>> Please check here the diagram:
>>
>> http://www.ccie18473.net/failover.jpg
>>
>> I'm running OSPF between the two pairs of ASAs in order to get maximum
>> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
>> problem I see is that only one OSPF adjacency is up, between the active
>> ASAs. I understand that this happens because OSPF is inactive on the standby
>> ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
>> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
>> is that if I play a little with "failover active" and "no failover active",
>> this becomes completely broken: the ASAs start moving from active to standby
>> without any pattern. I think this is because the ASAs in each pair don't see
>> each other. Ok, this seems to be completely against the basic ASA Failover
>> design. Each firewall must see its peer on the data interfaces.
>>
>> Can somebody tell me if this is possible to achieve ? The customer keeps
>> telling me that there are other vendors that do this without any issues...
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares_at_netcabo.pt
>> http://www.ccie18473.net
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Fri Jan 13 2012 - 12:01:24 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART