ASA 5580 Failover Using Sub-Interface

netsec
Level 1

Hi All,

I have an ASA5580-20 with 2 ports of 10Gig. I have configured the A/S failover using subinterfaces on the "interface TenGigabitEthernet7/1" interface. It works fine, but the problem I have is that I can't assign any subinterface to any context. Is that a bug?

interface TenGigabitEthernet7/1
!
interface TenGigabitEthernet7/1.94
description LAN Failover Interface
vlan 94
!
interface TenGigabitEthernet7/1.95
description STATE Failover Interface
vlan 95     
!            
interface TenGigabitEthernet7/1.100
vlan 100    
!            
interface TenGigabitEthernet7/1.200
vlan 200

fw(config)# context admin
fw(config-ctx)# allocate-interface TenGigabitEthernet7/1.100
ERROR: Interface TenGigabitEthernet7/1.100 cannot be allocated to context. Interface is being used by failover.

So according to this ERROR, I can use any subinterface for my traffic data. Am I wrong?

Best regards

Reda


netsec
Level 1

I found the answer: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/failover.html#wp1061397

============================================

Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.

a. Specify the interface to be used as Stateful Failover link.

hostname(config)# failover link if_name phy_if


Note If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument.


The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

============================================

Is it a Cisco bug?

So we're obliged to use the Management port if we plan to order the ASA5580 with only 1 TenGig module.

Thank you for your feedback Cisco guys.

I would not suggest using a management interface as the failover link. The reason is that it is not optimized for traffic, so if you have high connection rates it might not be able to pass the failover updates of state information.

The reason you see the problem there, as you probably figured, is that the failover is a dedicated link; it cannot be used to pass failover info and real traffic at the same time.

I would suggest at least 2 optimized interfaces, one for traffic and subinterfaces and one for failover.

I hope it helps.

PK

Thank you for your answer.

In the ASA5580-20 I have:

     - 2 * 10Gig LC

     - 2 * 1gig Mgmt port.

So how can I configure FO without using one of these interfaces? What are your recommendations?

Best Regards

Here is a good rule of thumb. The failover link should be as fast as the fastest interface in the box. You can use this same interface for state as well.

Think about this. You have 4 Gig interfaces and one management 100 mb interface.  It is not a good idea to use the mgmt interface for failover link and state to pump all the state updates for all Gig interfaces over this 100 MB link.
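One way to catch the conflict from this thread before pasting a configuration into the system context, as an added example (not part of the original posts and not Cisco code): the script flags every `allocate-interface` whose physical port also carries a failover or Stateful Failover subinterface. The failover names `folink` and `statelink`, the context `customerA`, the port `TenGigabitEthernet7/0`, and the per-port interpretation of the error message above are assumptions.

```python
import re

# Constructed sample of a system-context config, modelled on the interfaces
# quoted in the thread. folink, statelink, customerA and TenGigabitEthernet7/0
# are made-up names for this example.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet7/1.94
 vlan 94
interface TenGigabitEthernet7/1.95
 vlan 95
interface TenGigabitEthernet7/1.100
 vlan 100
failover lan interface folink TenGigabitEthernet7/1.94
failover link statelink TenGigabitEthernet7/1.95
context admin
 allocate-interface TenGigabitEthernet7/1.100
context customerA
 allocate-interface TenGigabitEthernet7/0.200
"""

FAILOVER_RE = re.compile(r"^failover (?:lan interface|link) (\S+) (\S+)\s*$")
CONTEXT_RE = re.compile(r"^context (\S+)\s*$")
ALLOCATE_RE = re.compile(r"^\s+allocate-interface (\S+)")


def parent_port(interface):
    """TenGigabitEthernet7/1.94 -> TenGigabitEthernet7/1 (physical port)."""
    return interface.split(".", 1)[0]


def failover_conflicts(config_text):
    """Return (context, interface, failover_name) for each allocation that
    shares a physical port with a failover or Stateful Failover link."""
    failover_ports = {}  # physical port -> logical failover name
    allocations = []     # (context, interface) in config order
    context = None
    for line in config_text.splitlines():
        if m := FAILOVER_RE.match(line):
            failover_ports.setdefault(parent_port(m.group(2)), m.group(1))
        elif m := CONTEXT_RE.match(line):
            context = m.group(1)
        elif (m := ALLOCATE_RE.match(line)) and context:
            allocations.append((context, m.group(1)))
        elif line and not line[0].isspace():
            context = None  # any other top-level command ends the context block
    return [(ctx, ifc, failover_ports[parent_port(ifc)])
            for ctx, ifc in allocations if parent_port(ifc) in failover_ports]


if __name__ == "__main__":
    print(failover_conflicts(SAMPLE_CONFIG))
```

On the sample it reports only the `admin` context allocation on TenGigabitEthernet7/1.100; the allocation on the other port passes.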
