ASA Failover Questions...

mvsheik123
Level 7

Hi All,

I am trying to find practical answers to the questions below.

1. What is the advantage of configuring both Stateful and Regular (LAN-based) failover between two ASAs? Is Stateful alone not enough?

2. With a Stateful configuration, will Remote Access VPN and Easy VPN clients experience any disconnects, or is it seamless (in case the primary one fails)?

3. What is the default failover time when the primary unit fails, and is there anywhere we can set the timing?

4. Also, with Regular failover, I observed MS Exchange issues for Easy VPN users (Outlook losing connectivity to the Exchange server when the primary fails, even after the secondary took over and the RA VPN was re-established). Any suggestions?

Thank you

MS

3 Replies

JORGE RODRIGUEZ
Level 10

1. See the link for the advantages and disadvantages when stateful is not enabled. In regular failover, active connections are dropped and they need to reconnect when the standby becomes active.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#statef

2. No, because when stateful is enabled the active unit passes connection state to the standby unit; if the primary fails, IPsec connections continue without interruption when the standby becomes active.

3. Issue "show failover" on the firewall and note its output; it will show the default poll times and holdtime values used in failover sync. To change them you would, very carefully, adjust the failover polltime values, but under normal circumstances we use the default values, which are preferable.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1760473

4. See answer 1 above: in regular failover, connections will drop, including those of Easy VPN users.

Go over this doc; it has detailed information on most of your questions and other informative hyperlinks.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#act1

HTH

Jorge

Jorge Rodriguez

Hi Jorge,

Thank you... but for Q1: do we need both to be enabled on the ASA (Stateful and Regular)? I believe stateful is enough. If both are enabled, are there any disadvantages when considering a failover situation? Any suggestions?

Thank you

MS

Good question! I must admit I had to read up on this several times to understand the logic, and if someone could comment it would be great.

My understanding is that the two are different. LAN-based failover, or regular failover, monitors the ASA's physical links, including the LAN-based failover link; it does not monitor or pass stateful information to the standby. So if one configures stateful without regular failover, failover cannot be triggered, because no physical interfaces are monitored (no LAN-based failover configured). You can either use the same LAN-based failover link to enable stateful failover, or have a dedicated physical link for the stateful configuration, separate from the LAN-based failover link.

I think stateful failover alone will not be enough; you need both.

Rgds

Jorge

Jorge Rodriguez
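The two-link arrangement Jorge describes (a LAN failover link that triggers failover plus a separate stateful link that replicates state) together with the poll/hold timers from question 3, written out as an added example ASA configuration that is not from this thread or from Cisco's documentation. Interface names, addresses, the key placeholder and the timer values are assumptions; the defaults quoted in the comments are the ones I know for ASA.

```cisco
! Primary unit, routed single-context mode (assumed layout, not from the thread)
! --- LAN-based (regular) failover: carries hello messages and triggers failover ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Authenticate the failover exchange so a host on the failover LAN cannot inject state
failover key <replace-with-shared-key>
! --- Stateful failover: replicates connection table and IPsec SAs to the standby ---
! With no spare port, "failover link STATELINK GigabitEthernet0/2" reuses the LAN link
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
! --- Timing (question 3) ---
! Defaults: unit poll 1 s / hold 15 s, interface poll 5 s / hold 25 s.
! Shorter values detect a dead peer sooner but are more sensitive to link jitter;
! holdtime must be at least 3x the unit polltime and 5x the interface polltime.
failover polltime unit msec 500 holdtime 3
failover polltime interface 3 holdtime 15
! Only monitored data interfaces can trigger a failover (physical ones are by default)
monitor-interface outside
monitor-interface inside
! Both failover ports must be up or the peer is never seen
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
! Enable failover last; the secondary gets "failover lan unit secondary" and the same link lines
failover
```

After both units are up, "show failover" reports the unit role, the poll/hold values in effect and whether the stateful link is replicating.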