ASA Failover Questions...

Jul 29th, 2008

Hi All,

I am trying to find practical answers for the questions below.

1. What is the advantage of configuring both Stateful and Regular (LAN-based) failover between 2 ASAs (Stateful is not enough?).

2. With Stateful configuration, will the Remote Access VPN & Easy VPN clients experience any disconnects, or is it seamless (in case the primary one fails)?

3. What is the default failover time when the primary unit fails, and is there anywhere we can set the timing?

4. Also, with Regular failover, I observed MS Exchange issues for Easy VPN users (Outlook losing connectivity to the Exchange server when the primary fails, even after the secondary took over and the RA VPN was established). Any suggestions?

Thank you

MS

JORGE RODRIGUEZ Tue, 07/29/2008 - 20:25

1. See the link for the advantages and disadvantages when stateful is not enabled. In regular failover, active connections are dropped and they need to re-connect when the standby becomes active.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#statef

2. No, because when stateful is enabled the active unit passes connection state to the standby unit; if the primary fails, IPsec connections continue without interruption when the standby becomes active.

3. Issue "show failover" on the firewall and note its output; it will show the default poll times and holdtime default values for failover sync. To change them you would probably very carefully play with the failover polltime values, but under normal circumstances we use the default values, which are preferable.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1760473

4. See answer 1 above; in regular failover, connections will drop, including Easy VPN users.

Go over this doc; it has detailed information on most of your questions and other informative hyperlinks.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#act1

HTH

Jorge

mvsheik123 Wed, 07/30/2008 - 03:32

Hi Jorge,

Thank you... but for Q1: do we need both to be enabled on the ASA (Stateful & Regular)? I believe stateful is enough. If both are enabled, are there any disadvantages when considering a failover situation? Any suggestions?

Thank you

MS

JORGE RODRIGUEZ Wed, 07/30/2008 - 08:36

Good question!! I must admit I had to read on this several times to understand the logic... and if someone could perhaps comment, that would be great.

My understanding is that both are different. LAN-based failover, or regular failover, monitors the ASA physical links including the LAN-based failover link; it does not monitor or pass stateful information to the standby. So if one configures stateful without regular, failover cannot be triggered because no physical interfaces are monitored (no LAN-based failover configured). You can either use the same LAN-based failover link to enable stateful failover, or have a dedicated physical link for the stateful configuration, separated from the LAN-based failover.

I think stateful failover alone will not be enough, you need both.

Rgds

Jorge
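As an added illustration of the two-link design discussed above (not configuration from the thread or from Cisco's linked documents), this is one way the primary unit could be configured; the interface names, addresses, nameifs and key are assumed placeholders:

```cisco
! Added illustration; not the posters' configuration or Cisco's document.
! Interface names, addresses, nameifs and the key are placeholders.
!
! ---- Primary unit ----
! Link 1: regular (LAN-based) failover. Carries hello messages and config
! sync; this is what lets a unit detect that its peer has failed.
interface GigabitEthernet0/2
 description LAN failover link
 no shutdown
!
! Link 2: stateful failover. Only replicates connection and IPsec SA state;
! on its own it never triggers a failover, which is why both are needed.
! (The same physical link could carry both roles on smaller deployments.)
interface GigabitEthernet0/3
 description Stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip STATE 10.0.1.1 255.255.255.252 standby 10.0.1.2
! Authenticate and encrypt failover traffic between the peers.
failover key PLACEHOLDER-SHARED-KEY
! Timing knobs behind question 3: unit hello interval and the holdtime
! before the peer is declared dead; interface tests run on their own timer.
! The values below are only examples; "show failover" reports the defaults.
failover polltime unit 1 holdtime 5
failover polltime interface 5 holdtime 25
! Only monitored interfaces can trigger a failover (nameifs assumed).
monitor-interface outside
monitor-interface inside
! Turn failover on last, once the links and addresses are in place.
failover
!
! ---- Secondary unit ----
! Identical, except for the unit role; the rest of the configuration is
! replicated from the primary once the units pair:
! failover lan unit secondary
```

With both links present, a failure on a monitored data interface or the loss of unit hellos triggers the switchover, and the state link is what lets existing connections survive it.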
