HA mode with vwire

Showing results for 
Show  only  | Search instead for 
Did you mean: 

HA mode with vwire

L1 Bithead

Not sure it this is the right location for this question but here we go ...
I'm trying to replace 2 transparent ASA's in ACT/STDBY with 2 Palo's in the same setup vwire ACT/PAS. Current setup is the asa's are connected to 2 vpn servers in ACT/PAS config, the asa’s have a 3 interface BVI (2 inside interfaces one to each vpn server and 1 outside interface to upstream switch). The vpn servers built ipsec vpn tunnels THROUGH the asa’s to the other endpoint everything works fine. What I did but didn’t work fully was build 2 PAs in HA, for the 2 inside interfaces I put them into an AE grp and then put both the outside and AE interfaces into the same vwire instance this setup did not work as expected. Any assistance would be great .. tks


Cyber Elite
Cyber Elite

Hi @Wayne_Fealy ,


From reading your post, it sounds like you have 3 interfaces in transparent mode.  A VWire is for mapping interfaces1-to-1.


You want to create 3 x L2 interfaces, and put them into the same VLAN.  Put the interfaces in L2 zones, inside and outside (or you could do 3 zones to limit intrazone traffic between the 2 VPN servers).  Then your security policy rules will follow naturally.


Thank will work.





Help the community: Like helpful comments and mark solutions.
  • 1 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!