Management interface for failover link

Answered Question
May 24th, 2010

Hi pkampana / halijenn / all


I want to know, if I configure the management interface of an ASA 5510 as the failover link, whether the CPU utilization will go up or not. As per the thread below, the more connection replication, the more traffic for the failover link, and the more load for the failover link. However, the connection replication happens via the stateful failover link, not via the failover link; please correct me if I am wrong. Hence please let me know if CPU utilization is of much concern here or not.


https://supportforums.cisco.com/message/3077391#3077391


Also I want to know, if the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?


Jennifer Halim Mon, 05/24/2010 - 04:48

Yes, you can use the management interface as the failover link. For the stateful failover link, it is recommended to use the fastest speed interface.

It is recommended not to use the failover interface to manage the ASA as well. This is to ensure that the failover keepalive is not lost while you use the same link to manage the ASA firewall. I would recommend that you use other ASA interfaces for management purposes.

ankurs2008 Mon, 05/24/2010 - 06:01

Hi


My questions are not yet answered.


Will the CPU utilization be of much concern here or not when the management interface is used as the failover link (consider heavy traffic is traversing the ASA and a lot of connection entries are being made)?


When the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?

Correct Answer
Jennifer Halim Tue, 05/25/2010 - 06:21

The CPU utilization will not be of concern. However, from your statement "(consider heavy traffic is traversing across ASA and lot of connection entries are being made)", I assume that you were talking about the stateful failover link. To answer that particular question, yes, you would need to use the fastest-speed interface for the stateful failover link.


There are 2 interfaces that are required for failover:

1) Failover link - this is to check the failover status on each device - keepalive

2) Stateful failover link - this is to replicate all the connection and xlate table


Sometimes people use 1 interface for both failover and stateful failover link. If you only use 1 interface, then you would need to use the fastest interface (because of the state replications).


If you are using 2 interfaces, one for each function, i.e. 1 for the failover link and the other for the stateful failover link, then only the stateful failover link needs to be the fastest interface. For the failover link, you can use the management interface, which is a 10/100 interface.


If you use the management interface for the failover link, I would recommend that you do not use it for management as well, as there is a possibility that a failover keepalive might be lost while you are managing the firewall, especially if you back up a config, for example, or transfer an image for an upgrade, etc.


Hope that answers your question.

ankurs2008 Tue, 05/25/2010 - 15:53

hi halijenn


Thanks a lot! I know that it is not recommended to configure the management interface as the failover link and use it for managing the box as well, due to the reasons said above; however, at least this is possible, right?

Jennifer Halim Tue, 05/25/2010 - 19:03

Hi Ankur,


I just quickly labbed it for you, and no, it is not possible to use the failover link for management.

The reason is that as soon as you configure the failover link, it will clear out all the interface configuration.


Here is the example that I have just tested out:

failover lan interface fail GigabitEthernet0/3
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2


So basically gig0/3 has been configured as the failover link.


Then I just tried to configure "ssh" for that interface, and as advised, there is no option to manage that failover interface as it has been cleared when you configure the above 2 lines:


ASA(config)# ssh 0 0 ?
configure mode commands/options:
Current available interface(s):
  dmz      Name of interface GigabitEthernet0/2
  inside   Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0


No option for gig0/3, the failover link, and gig0/3 is pretty much empty:

sh run int g0/3

interface GigabitEthernet0/3
description LAN Failover Interface


Hope that confirms your question.
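
As an added illustration (my own code, not anything posted in the thread or shipped by Cisco), a small Python audit over a constructed ASA config text that flags the three things the answers above warn about: one link carrying both keepalives and state replication, state replication on the 10/100 management port, and ssh/http/telnet bound to the failover link's nameif. The command forms (`failover lan interface`, `failover link`, `ssh`/`http <ip> <mask> <nameif>`) are the ones shown in the thread; the 10/100 figure is the 5510 one given above.

```python
"""Added example: audit an ASA config for the failover-link pitfalls in the thread."""
import re

# Constructed sample doing what the poster asked about: Management0/0 as
# failover AND stateful link, with ssh/http management bound to the same port.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
failover lan interface fail Management0/0
failover link fail Management0/0
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2
ssh 10.0.0.0 255.255.255.0 management
http server enable
http 10.0.0.0 255.255.255.0 management
"""
# ssh/http/telnet <ip> <mask> <nameif>; "http server enable" has too few tokens
MGMT_CMD = re.compile(r"^(ssh|http|telnet) \S+ \S+ (\S+)$", re.M)

def interface_names(config):
    """Map each physical interface to its nameif (None if it has none)."""
    names, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            names[current] = None
        elif current and line.startswith(" nameif "):
            names[current] = line.split()[1]
    return names

def audit_failover(config):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    lan = re.search(r"^failover lan interface \S+ (\S+)", config, re.M)
    state = re.search(r"^failover link \S+ (\S+)", config, re.M)
    if not lan:
        return ["no 'failover lan interface' configured"]
    lan_if = lan.group(1)
    state_if = state.group(1) if state else None
    if state_if == lan_if:
        findings.append(f"{lan_if} carries keepalives and state replication; "
                        "a shared link must be the fastest interface")
    if state_if and state_if.lower().startswith("management"):
        findings.append(f"{state_if}: state replication on a 10/100 management port")
    # The ASA wipes the failover interface's config (see thread), so this is misuse.
    nameif = interface_names(config).get(lan_if)
    for m in MGMT_CMD.finditer(config):
        if nameif and m.group(2) == nameif:
            findings.append(f"{m.group(1)} access bound to failover link {lan_if} ({nameif})")
    return findings
```

Run `audit_failover(SAMPLE_CONFIG)` to see all four findings; a config with separate failover and stateful links and no management access on the failover nameif returns an empty list.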

Federico Coto F... Wed, 05/26/2010 - 06:48

I thought you were asking if you can use the management interface for failover. That's why I said it's possible but not recommended. However, halijenn has already answered the question. Sorry for the misinterpretation.

Federico.
