Cisco ASA Series CLI Configuration Manual, page 104

Software version 9.0 for the services module

Configuring the Switch for ASA Failover
Assigning VLANs to the Secondary ASA Services Module
Because both units require the same access to the inside and outside networks, you must assign the same
VLANs to both ASASMs on the switch(es). See the "Assigning VLANs to the Secondary ASA Services Module"
section on page 1-10.
Adding a Trunk Between a Primary Switch and Secondary Switch
If you are using inter-switch failover, then you should configure an 802.1Q VLAN trunk between the
two switches to carry the failover and state links. The trunk should have QoS enabled so that failover
VLAN packets, which have a CoS value of 5 (higher priority), are treated with higher priority in these
ports.
To configure the EtherChannel and trunk, see the documentation for your switch.
Ensuring Compatibility with Transparent Firewall Mode
To avoid loops when you use failover in transparent mode, use switch software that supports BPDU
forwarding. Do not enable LoopGuard globally on the switch if the ASASM is in transparent mode.
LoopGuard is automatically applied to the internal EtherChannel between the switch and the ASASM,
so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the
EtherChannel goes into the err-disable state.
Enabling Autostate Messaging for Rapid Link Failure Detection
The supervisor engine can send autostate messages to the ASASM about the status of physical interfaces
associated with ASASM VLANs. For example, when all physical interfaces associated with a VLAN go
down, the autostate message tells the ASASM that the VLAN is down. This information lets the ASASM
declare the VLAN as down, bypassing the interface monitoring tests normally required for determining
which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the
ASASM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without
autostate support).
The switch supervisor sends an autostate message to the ASASM when:
- The last interface belonging to a VLAN goes down.
- The first interface belonging to a VLAN comes up.
Detailed Steps
Command: firewall autostate
Example: Router(config)# firewall autostate
Purpose: Enables autostate messaging in Cisco IOS software. Autostate messaging is disabled by default.
Chapter 1: Configuring the Switch for Use with the ASA Services Module
Cisco ASA Series ASDM Configuration Guide, page 1-10
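The switch-side requirements on this page (the same VLANs assigned to both ASASMs, autostate messaging enabled, no global LoopGuard in transparent mode) can be checked against a saved switch configuration. The following Python is an added example, not part of the Cisco manual; the sample configuration, slot numbers 3 and 4, and the function names are constructed, and it assumes both modules sit in the same chassis.

```python
import re

# Constructed sample of a switch running-config (not taken from the manual).
SAMPLE_CONFIG = """\
firewall autostate
firewall vlan-group 50 100-102
firewall vlan-group 51 200
firewall module 3 vlan-group 50,51
firewall module 4 vlan-group 50
spanning-tree loopguard default
"""

def expand(spec):
    """Expand an IOS number list such as '100-102,200' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, primary, secondary, transparent=False):
    """Return findings for the failover requirements described on this page.

    primary/secondary are the (assumed) chassis slots of the two ASASMs.
    """
    lines = [l.strip() for l in config.splitlines()]
    groups, modules = {}, {}
    for line in lines:
        if m := re.fullmatch(r"firewall vlan-group (\d+)\s+(\S+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"firewall module (\d+) vlan-group\s+(\S+)", line):
            modules.setdefault(int(m[1]), set()).update(expand(m[2]))
    # Resolve each module's VLAN groups to the VLANs it can actually reach.
    def vlans(slot):
        return set().union(*(groups.get(g, set()) for g in modules.get(slot, ())))
    findings = []
    diff = vlans(primary) ^ vlans(secondary)
    if diff:
        findings.append(f"modules {primary} and {secondary} differ on VLANs {sorted(diff)}")
    if "firewall autostate" not in lines:
        findings.append("autostate messaging is off (the default); add 'firewall autostate'")
    if transparent and "spanning-tree loopguard default" in lines:
        findings.append("LoopGuard is enabled globally while the ASASM is in transparent mode")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, primary=3, secondary=4, transparent=True):
        print("FINDING:", finding)
```

For inter-switch failover, run the VLAN comparison on the VLAN sets resolved from each switch's configuration rather than on two slots of one configuration.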
