ASA5250 - Failover Interface

Unanswered Question
Jan 28th, 2009

Hey all, we have a dual ASA5520 setup for failover on a dedicated interface (directly connected with a straight cable).

They will need to be located on two separate parts of the network temporarily. Any way we can use a dedicated VLAN to allow the failover interfaces to communicate?

I know it is not recommended, but it will only be temporary.



Robert Ho Wed, 01/28/2009 - 19:03

It looks like the switch connected to the failover interfaces is used only for that purpose. In our setup, the failover will be interconnected through several switches in our core but only on one VLAN.

eddie.mitchell@... Wed, 01/28/2009 - 19:29

As long as the VLAN is dedicated for failover traffic only, I think you should be fine.

The only other issue in your case that I can possibly think of would be the potential for increased latency by having the failover communication traversing several physical switches to reach the other unit.

According to the PIX/ASA v7.0 command reference, "For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages."

I don't think it should be an issue, but you never know. ;)
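
The setup discussed in this thread, sketched as an added configuration example that is not from any of the posters: the ASA failover link carried over a VLAN used for nothing else. The VLAN ID, interface names, the link name `folink` and the addresses are all constructed placeholders.

```cisco
! ---- Each access switch that an ASA failover port plugs into ----
! VLAN 900 is a constructed ID; it carries failover traffic only.
vlan 900
 name ASA-FAILOVER
!
interface GigabitEthernet1/0/10
 description ASA failover link (assumed port)
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
! Inter-switch trunks along the path must carry the VLAN end to end.
interface TenGigabitEthernet1/1/1
 description Trunk towards core (assumed port)
 switchport trunk allowed vlan add 900
!
! ---- Primary ASA ----
! The failover interface gets no nameif and no data traffic.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover
!
! ---- Secondary ASA ----
! Same lines, except the unit role.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover
!
! Verify on either unit that the peer is seen and the link is up:
!   show failover
```

Keeping the VLAN off every port and trunk that does not need it keeps failover and state traffic isolated from user and server segments.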

