Cisco ASA Failover – How to Achieve Switch Redundancy Between ASA Cluster Control Link

Tags: cisco, cisco-asa, etherchannel, failover, firewall

I have two ASA 5525-X in a cluster. Between them, for the Cluster Control Link, I have a switch. When this switch fails, both CCLs fail and both ASAs shut down cluster mode (data interfaces are shut down). An ASA in a cluster doesn't support connecting to a switch stack. What are my options to achieve switch redundancy?

Best Answer

The section in the documentation to which you refer says:

The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the master switch is powered down, then the EtherChannel connected to the remaining switch will not come up.

There are a couple of diagrams which follow. The next diagram shows an EtherChannel spanned among the ASAs, and I think this text may apply to it:

[Diagram: one EtherChannel spanned across both ASAs to the switch]

The next diagram shows each ASA having a separate channel on the switch. This should work on a switch stack. With a stack of two switches, and one switch failing, the EtherChannel of each ASA will fail, but the connections to the switch which stays up should maintain connections between the ASAs:

[Diagram: each ASA with its own separate EtherChannel to the switch]

I think you are really just looking to maintain the connections between the ASAs in the event of a switch failure, and I'm pretty sure that the second diagram will work with a stack, but you should test it to be sure. I just don't see how an ASA could tell it is connected to a stack of switches as opposed to a switch chassis with separate boards.
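As an added, constructed example of the second diagram's layout (not taken from the answer or from Cisco's documentation): each ASA builds its own CCL EtherChannel with one member on each stack switch, and the stack forms a separate port-channel per ASA, so a single switch failure removes one member from each channel rather than the whole CCL path. Interface names, VLAN 999, the cluster name and the CCL addresses are assumptions.

```text
! --- ASA unit 1: its own CCL EtherChannel, one member to each stack switch (assumed ports) ---
cluster interface-mode spanned force
interface GigabitEthernet0/6
 description CCL member -> stack switch 1 (Gi1/0/1)
 channel-group 1 mode on
 no shutdown
interface GigabitEthernet0/7
 description CCL member -> stack switch 2 (Gi2/0/1)
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description Cluster Control Link (dedicated, no data traffic)
!
cluster group asa-cluster
 local-unit unit1
 cluster-interface Port-channel1 ip 10.255.255.1 255.255.255.0
 priority 1
 enable
!
! --- ASA unit 2: same physical layout, its own CCL address ---
cluster group asa-cluster
 local-unit unit2
 cluster-interface Port-channel1 ip 10.255.255.2 255.255.255.0
 priority 2
 enable
!
! --- Stack side: one port-channel per ASA, members on different stack members ---
vlan 999
 name ASA-CCL
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description CCL to ASA unit 1
 channel-group 11 mode on
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description CCL to ASA unit 2
 channel-group 12 mode on
interface Port-channel11
 switchport mode access
 switchport access vlan 999
interface Port-channel12
 switchport mode access
 switchport access vlan 999
```

The stack-side channels are still cross-stack, so the documentation's master-switch caveat quoted above applies to them; the layout only guarantees that each ASA keeps a physical member on the surviving switch, which is the behaviour the answer suggests testing.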