Re: ASA Failover Design Issue

From: Joe Sanchez <marco207p_at_gmail.com>
Date: Fri, 13 Jan 2012 20:39:36 -0600

Sorry, I must have misunderstood the original post. My apologies ...

On Fri, Jan 13, 2012 at 7:52 AM, Ryan West <rwest_at_zyedge.com> wrote:

> It's not recommended for troubleshooting reasons. The thought is, if your
> failover link goes down, there is no way to tell which side has a bad port.
> Recommended solution would be to connect to two switches. That being said,
> the number of times I've seen an ASA fail due to a bad port is zero over
> the last 5 years. VPN and other software failures are much more common.
> The direct cable method is supported by TAC, as is the combination of
> failover and state interfaces.
>
> Sent from handheld
>
> On Jan 13, 2012, at 8:38 AM, "George J. Sanchez" <marco207p_at_gmail.com>
> wrote:
>
> > Joe, I've also read this whitepaper and the ASA Cisco Press books that
> say the same thing; however, this is not true. I've tested this many times and
> had other engineers test the same setup with positive results. With that
> being said, TAC may not support the setup, but to this day I've never had a
> customer come back and indicate any problems with this design.
> >
> > Regards,
> > Joe Sanchez
> >
> > On Jan 12, 2012, at 6:26 PM, "Joseph L. Brunner" <
> joe_at_affirmedsystems.com> wrote:
> >
> >>> I need help with this one. I have a customer asking me to connect two
> pairs of ASAs directly, without any switch in the middle. I never saw
> something like this and after a few hours playing with this setup, I'm
> almost giving up.
> >>
> >> This is why the CCDE exists... to vet bullsh*t designs from people that
> really should not be designing... If you read the Cisco white paper on
> failover it clearly says the design of failover is to use a switch to avoid
> "both interfaces down the firewalls fo interface".
> >>
> >> I have done "all routed asa's" but used load balancers in between also
> running ospf...
> >>
> >> Good luck.. bad design... probably not the results you want if you do
> figure it out anyway...
> >>
> >> -Joe
> >>
> >>
> >> -----Original Message-----
> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> Of Antonio Soares
> >> Sent: Thursday, January 12, 2012 6:53 PM
> >> To: 'Cisco certification'
> >> Subject: ASA Failover Design Issue
> >>
> >> Hello group,
> >>
> >> I need help with this one. I have a customer asking me to connect two
> pairs of ASAs directly, without any switch in the middle. I never saw
> something like this and after a few hours playing with this setup, I'm
> almost giving up.
> >>
> >> Please check here the diagram:
> >>
> >> http://www.ccie18473.net/failover.jpg
> >>
> >> I'm running OSPF between the two pairs of ASAs in order to get maximum
> redundancy. Suppose that initially FW-1 and FW-3 are active. The first
> problem I see is that only one OSPF adjacency is up, between the active
> ASAs. I understand that this happens because OSPF is inactive on the
> standby ASAs. Ok, the setup is broken because if FW-1 goes down, I would
> need to wait for the new OSPF adjacency between FW-2 and FW-3. Another
> issue I see is that if I play a little with "failover active" and "no
> failover active", this becomes completely broken: the ASAs start moving
> from active to standby without any pattern. I think this is because the
> ASAs in each pair don't see each other. Ok, this seems to be completely
> against the basic ASA Failover design. Each firewall must see its peer on
> the data interfaces.
> >>
> >> Can somebody tell me if this is possible to achieve? The customer
> keeps telling me that there are other vendors that do this without any
> issues...
> >>
> >> Thanks.
> >>
> >> Regards,
> >>
> >> Antonio Soares, CCIE #18473 (R&S/SP)
> >> amsoares_at_netcabo.pt
> >> http://www.ccie18473.net
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >

Received on Fri Jan 13 2012 - 20:39:36 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART