ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

Unanswered Question
May 25th, 2007
User Badges:

Hi, I would like to know what kind of performance problems could I have if I configure two ASAs 5520 doing Active/Standby Failover using the same LAN interface for the failover link/stateful llink.

That?s because I need to use two outside interfaces.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
guibarati Fri, 05/25/2007 - 11:45
User Badges:
  • Bronze, 100 points or more

The problem is that the firewall uses this interface to send state of connections to the standby, so every traffic in the firewall is replicated to the standby and in case it's going through your lan there must be some delay in this transmition. you can use management interface for this link!

osierra Fri, 05/25/2007 - 12:27
User Badges:

thankyou, What I want to do is connecto two ASA 5520 doing stateful failover Active/Stanby but I want to use only one Ethernet Interface.

Is there a problem of doing that??

guibarati Fri, 05/25/2007 - 12:35
User Badges:
  • Bronze, 100 points or more

The problem I see if the two units are connected through the inside lan is that:

If the active unit fails and the secondary unit did not received all the states because of the delay of the connection some connections can be dropped because the packedt that left the "primary unit" now comes back to the secondary (who is active) if the secondary did not received the satate of this connection it will drop this packets.


Plus the data exchanged between the units will be concurrent with the traffic that your firewall has to send to hosts who are communicating through the firewall what can make the connections slower dependinf of your traffic

osierra Fri, 05/25/2007 - 13:43
User Badges:

Thankyou, I?m not thinking using the LAN inside connection also for failover, what do you think if I use a single "dedicated" link to do failover - stateful. My question is because in the documentation they use two links: one for failover and another for stateful. That means that if I?m using ASAs 5520 I will loose 2 of the five interfaces just for the failover.


Actions

This Discussion