08-24-2020 01:39 PM
I have an HA pair of ASAs and will be implementing an HA pair of PANs between the Core and the ASAs. I can send a topology if necessary. Currently I have a Cisco 3750 layer 3 connected to two separate Cisco 2960s via a trunk link. The 2960s are also inter-connected via a trunk link. The ASAs are connected to each 2960 via an access port. The original idea was to implement the Palo Altos in A/P, but it seems easier to implement A/A. Are there any gotchas for this scenario? I know it is best practice and recommended for Vwire A/A in a layer 3 topology only, and to make sure spanning-tree is configured properly for layer 2. From what I have read you should not carry the Vwire VLAN across the inter-switch trunk, but would this just be for the trunk between the 2960s or for all of the trunk links? I would think the traffic would not pass if the VLAN is not allowed on the trunks between the 3750 and the 2960s.
08-25-2020 04:27 AM - edited 08-25-2020 04:28 AM
I'm imagining a triangle with 2 ASAs dangling from the bottom.
You'll want to set the PAs between the ASAs and the switches.
If you like, you could also add vwires on all the trunks, but this might be overkill; it sorta depends where those switches connect to and where you need to have security in between.
08-25-2020 05:59 AM
Here is the physical topology of the scenario. All switch connections south of the Palo are trunk ports with all of the VLANs trunked. The link between the 2960s has all VLANs trunked except for the primary VLAN 2, which is the main VLAN for the network and to the ASA. I have also attached an A/P scenario adding additional switches north of the Palo, also connected to the ASA. Trying to decide which scenario will work best.
08-25-2020 06:26 AM
The A/P scenario will be easier to troubleshoot in case there is ever a defect in the network connection. The primary member will also remain active if the ASA dies, being one less failover the sessions need to endure (if the ASA fails over in the A/A scenario, the sessions are handed over to the second ASA, but also to the second PA; this increases the chances of having a hiccup and will have an impact on the time it takes for sessions to transition).