Cisco Failover Interface in Waiting State

Tags: cisco, cisco-asa, failover, firewall, switch

I have the following scenario: I am getting a 1G copper Cat6 cable from the ISP, directly terminated on my Cisco ASA firewall on the Gi0/8 interface, and I have configured failover. Now in the failover output the monitoring status is (Waiting), because the cables come from distinct routers of the ISP. How do I solve this issue without introducing an L2 switch between the ISP and my ASA?

I can't ping the public IP of the outside interface of ASA-2 from ASA-1; I am sure that is why I am seeing the Waiting status, but is there any other workaround? I do have many free 1G interfaces on the ASA; can I create a special VLAN and route traffic between them or something?


asa-1/sec/act# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FailoverLink Redundant1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(3)1, Mate 9.6(3)1
Serial Number: Ours AAAAAA, Mate BBBBBB
Last Failover at: 00:41:50 UTC Mar 9 2018
    This host: Secondary - Active
        Active time: 504599 (sec)
        slot 0: ASA5585-SSP-20 hw/sw rev (2.0/9.6(3)1) status (Up Sys)
          Interface management (10.x.x.118): Normal (Monitored)
          Interface outside (74.xx.xx.110): Normal (Waiting)
          Interface inside (74.xx.xx.10): Normal (Monitored)
        slot 1: empty
    Other host: Primary - Failed
        Active time: 12 (sec)
        slot 0: ASA5585-SSP-20 hw/sw rev (1.3/9.6(3)1) status (Up Sys)
          Interface management (10.x.x.119): Normal (Monitored)
          Interface outside (74.xx.xx.109): Failed (Waiting)
          Interface inside (74.xx.xx.11): Normal (Monitored)
        slot 1: empty

ASA-2

asa-2/pri/stby# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FailoverLink Redundant1 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 1049 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.6(3)1, Mate 9.6(3)1
Serial Number: Ours BBBBBB, Mate AAAAA
Last Failover at: 00:42:40 UTC Mar 9 2018
    This host: Primary - Standby Ready
        Active time: 12 (sec)
        slot 0: ASA5585-SSP-20 hw/sw rev (1.3/9.6(3)1) status (Up Sys)
          Interface management (10.x.x.119): Normal (Monitored)
          Interface outside (74.xx.xx.109): Normal (Waiting)
          Interface inside (74.xx.xx.11): Normal (Monitored)
        slot 1: empty
    Other host: Secondary - Active
        Active time: 506081 (sec)
        slot 0: ASA5585-SSP-20 hw/sw rev (2.0/9.6(3)1) status (Up Sys)
          Interface management (10.x.x.118): Normal (Monitored)
          Interface outside (74.xx.xx.110): Normal (Waiting)
          Interface inside (74.xx.xx.10): Normal (Monitored)
        slot 1: empty

Interface configuration:

First I configured failover and then I ran this command. In this case it will set the .109 IP on the standby ASA-2, right?

!
interface GigabitEthernet0/0
 description 1G_HANDOFF
 nameif outside
 security-level 0
 ip address 74.xx.xx.110 255.255.255.248 standby 74.xx.xx.109
!

Failover config:

asa-1/sec/act# sh run failover
failover
failover lan unit primary
failover lan interface FailoverLink Redundant1
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover link FailoverLink Redundant1
failover interface ip FailoverLink 192.168.100.1 255.255.255.0 standby 192.168.100.2

Best Answer

To solve this issue, you need at least an L2 switch in between.

If you would like to run dual ISPs, you can use another main/physical interface and terminate it on that L2 switch too, then separate the L2 traffic between the ISPs with different VLANs on the L2 switch (the ports on the L2 switch connecting to the firewalls are access ports).

Another way to run dual ISPs is to create two sub-interfaces under the main interface G0/0. The ports on the L2 switch connecting to the firewalls are then trunk ports (with VLANs separating the L2 traffic between the two ISPs).
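The reason the switch is needed: ASA failover monitors a data interface by exchanging hello packets between the active and standby units on that interface, so the standby IP (.109) must be reachable from the active IP (.110) over the same L2 segment. With each ASA cabled to a different ISP router port, those hellos never arrive and the interface stays in Waiting. The configuration below is an added example illustrating the sub-interface variant of the answer; it is not from the original post. Switch port numbers, the VLAN IDs 10 and 20, the ISP-B addresses (203.0.113.0/29, a documentation range) and the two ISP gateway addresses are assumptions; the outside addresses and standby IP are the ones from the question.

```text
! ===== L2 switch between the ISP handoffs and both ASAs (IOS-style syntax; port numbers assumed) =====
! VLAN 10 carries ISP-A, VLAN 20 carries ISP-B. The ISP ports are access ports, the ASA ports are trunks.
vlan 10
 name ISP-A
vlan 20
 name ISP-B
!
interface GigabitEthernet1/0/1
 description ISP-A handoff (router A)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description ISP-B handoff (router B)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description ASA-1 Gi0/0 (trunk carrying both ISP VLANs)
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description ASA-2 Gi0/0 (same trunk, so both units share each ISP's L2 segment)
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! ===== ASA (entered on the active unit; failover replicates it to the standby) =====
! The physical interface carries no IP of its own; each ISP gets a tagged sub-interface.
interface GigabitEthernet0/0
 description 1G_HANDOFF (trunk to L2 switch)
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 description ISP-A
 nameif outside
 security-level 0
 ip address 74.xx.xx.110 255.255.255.248 standby 74.xx.xx.109
!
interface GigabitEthernet0/0.20
 vlan 20
 description ISP-B (constructed example addresses)
 nameif outside2
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
!
! Enable failover interface monitoring on both ISP sub-interfaces explicitly,
! rather than relying on the default monitoring behaviour for sub-interfaces.
monitor-interface outside
monitor-interface outside2
!
! Primary default route via ISP-A, floating backup via ISP-B (gateway addresses assumed).
route outside 0.0.0.0 0.0.0.0 74.xx.xx.105 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.9 254
```

After the cabling and VLANs are in place, `show failover` on either unit should list both `outside` and `outside2` as `Normal (Monitored)` instead of `Normal (Waiting)`, and the active unit should be able to ping the standby address on each sub-interface. If you want automatic failover between the two ISPs as well as between the two units, add `sla monitor` / `track` to the primary default route; that is separate from the unit-failover problem the question is about.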