ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

osierra · ‎05-25-2007

Hi, I would like to know what kind of performance problems could I have if I configure two ASAs 5520 doing Active/Standby Failover using the same LAN interface for the failover link/stateful llink.

That?s because I need to use two outside interfaces.

guibarati · ‎05-25-2007

The problem is that the firewall uses this interface to send state of connections to the standby, so every traffic in the firewall is replicated to the standby and in case it's going through your lan there must be some delay in this transmition. you can use management interface for this link!

osierra · ‎05-25-2007

thankyou, What I want to do is connecto two ASA 5520 doing stateful failover Active/Stanby but I want to use only one Ethernet Interface.

Is there a problem of doing that??

guibarati · ‎05-25-2007

The problem I see if the two units are connected through the inside lan is that:

If the active unit fails and the secondary unit did not received all the states because of the delay of the connection some connections can be dropped because the packedt that left the "primary unit" now comes back to the secondary (who is active) if the secondary did not received the satate of this connection it will drop this packets.

Plus the data exchanged between the units will be concurrent with the traffic that your firewall has to send to hosts who are communicating through the firewall what can make the connections slower dependinf of your traffic

osierra · ‎05-25-2007

Thankyou, I?m not thinking using the LAN inside connection also for failover, what do you think if I use a single "dedicated" link to do failover - stateful. My question is because in the documentation they use two links: one for failover and another for stateful. That means that if I?m using ASAs 5520 I will loose 2 of the five interfaces just for the failover.