RE: ASA Failover Design Issue

From: Antonio Soares <amsoares_at_netcabo.pt>
Date: Fri, 13 Jan 2012 15:18:26 -0000

George,

The problem is not with the FO interfaces, it's with the data interfaces.
Connecting the FO interfaces directly is supported and it works; we know
that it is better to also have a switch here. But do you really have a working
design with the data interfaces directly connected?

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares_at_netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: George J. Sanchez [mailto:marco207p_at_gmail.com]
Sent: Friday, 13 January 2012 13:30
To: Antonio Soares
Cc: Cisco certification
Subject: Re: ASA Failover Design Issue

I've been doing this setup for years and have tested the active/passive
failover with no problems. If you want a sample config let me know.

Regards,
 Joe Sanchez

On Jan 12, 2012, at 5:52 PM, "Antonio Soares" <amsoares_at_netcabo.pt> wrote:

> Hello group,
>
> I need help with this one. I have a customer asking me to connect two pairs
> of ASAs directly, without any switch in the middle. I never saw something
> like this and after a few hours playing with this setup, I'm almost giving
> up.
>
> Please check here the diagram:
>
> http://www.ccie18473.net/failover.jpg
>
> I'm running OSPF between the two pairs of ASAs in order to get maximum
> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
> problem I see is that only one OSPF adjacency is up, between the active
> ASAs. I understand that this happens because OSPF is inactive on the standby
> ASAs. Ok, the setup is broken because if FW-1 goes down, I would need to
> wait for the new OSPF adjacency between FW-2 and FW-3. Another issue I see
> is that if I play a little with "failover active" and "no failover active",
> this becomes completely broken: the ASAs start moving from active to standby
> without any pattern. I think this is because the ASAs in each pair don't see
> each other. Ok, this seems to be completely against the basic ASA Failover
> design. Each firewall must see its peer on the data interfaces.
>
> Can somebody tell me if this is possible to achieve? The customer keeps
> telling me that there are other vendors that do this without any issues...
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares_at_netcabo.pt
> http://www.ccie18473.net
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
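Added example, not part of the thread: a small Python model of the design rule Antonio states (each unit must see its failover peer on every monitored data interface, and OSPF speaks only from the active unit). The cabling, the segment membership and the single monitored interface name are assumptions made here for illustration; the original diagram is not available.

```python
"""Model of the ASA failover rule discussed in the thread: both units of an
active/standby pair must share an L2 segment on every monitored data
interface, otherwise the peers never see each other's interface hellos.
The cabling below is constructed for illustration, not taken from the diagram."""
from itertools import combinations

# An L2 segment is a frozenset of (unit, interface) attachments.
# Assumed monitored data interface name: "link".
SWITCHED = [  # one switch between the two pairs: all four units share a segment
    frozenset({("FW-1", "link"), ("FW-2", "link"),
               ("FW-3", "link"), ("FW-4", "link")}),
]
DIRECT = [    # crossover cables, no switch: each unit sees only one foreign unit
    frozenset({("FW-1", "link"), ("FW-3", "link")}),
    frozenset({("FW-2", "link"), ("FW-4", "link")}),
]
PAIRS = {"pair-A": ("FW-1", "FW-2"), "pair-B": ("FW-3", "FW-4")}
MONITORED = ["link"]


def peers_share_segment(segments, unit_a, unit_b, iface):
    """True if both units attach to the same L2 segment with `iface`."""
    return any((unit_a, iface) in seg and (unit_b, iface) in seg
               for seg in segments)


def failover_health(segments, pairs=PAIRS, monitored=MONITORED):
    """Per pair, the monitored interfaces on which the peers cannot see each other.

    A non-empty list means interface monitoring cannot work for that pair,
    which is the condition behind the erratic active/standby moves in the post."""
    return {name: [i for i in monitored
                   if not peers_share_segment(segments, a, b, i)]
            for name, (a, b) in pairs.items()}


def ospf_neighbors(segments, active):
    """Adjacencies that can form: only between active units on a common segment."""
    found = set()
    for seg in segments:
        units = sorted({u for u, _ in seg if u in active})
        found.update(combinations(units, 2))
    return sorted(found)
```

With a switch both pairs report no unmonitorable interfaces; with direct cabling every pair fails the check, which is the topology the thread concludes is unsupported.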

Received on Fri Jan 13 2012 - 15:18:26 ART
