Management interface for failover link

ankurs2008
Level 1

Hi pkampana / halijenn / all

I want to know, if I configure the management interface of the ASA 5510 as the failover link, whether the CPU utilization will go up or not. As per the thread below, the more connection replication, the more traffic for the failover link, the more load for the failover link. However, the connection replication happens via the stateful failover link, not via the failover link; please correct me if I am wrong. Hence please let me know if CPU utilization is of much concern here or not.

https://supportforums.cisco.com/message/3077391#3077391

Also I want to know, if the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?


8 Replies

Jennifer Halim
Cisco Employee

Yes, you can use the management interface as the failover link. For the stateful failover link, it is recommended to use the fastest speed interface.

It is recommended not to use the failover interface to manage the ASA as well. This is to ensure that the failover keepalive is not lost while you use the same link to manage the ASA firewall. I would recommend that you use other ASA interfaces for management purposes.

Hi

My questions are not yet answered.

Will CPU utilization be of much concern here or not when the management interface is used as the failover link (consider heavy traffic traversing the ASA and a lot of connection entries being made)?

When the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?

The CPU utilization will not be of concern. However, from your statement "(consider heavy traffic is traversing across ASA and lot of connection entries are being made)", I assume that you were talking about the stateful failover link. To answer that particular question, yes, you would need to use the fastest-speed interface for the stateful failover link.

There are 2 interfaces that are required for failover:

1) Failover link - this is to check the failover status on each device - keepalive

2) Stateful failover link - this is to replicate all the connection and xlate table

Sometimes people use one interface for both the failover and the stateful failover link. If you only use one interface, then you would need to use the fastest interface (because of the state replication).

If you are using two interfaces, one for each function, i.e. one for the failover link and the other for the stateful failover link, then only the stateful failover link needs to be the fastest interface. For the failover link, you can use the management interface, which is a 10/100 interface.

If you use the management interface for the failover link, I would recommend that you do not use it for management as well, as there is a possibility that a failover keepalive might be lost while you are managing the firewall, especially if you back up a config, for example, or transfer an image for an upgrade, etc.

Hope that answers your question.

hi halijenn

Thanks a lot! I know that it is not recommended to configure the management interface as the failover link and use it for managing the box as well, due to the reasons stated above; however, at least this is possible, right?

Sure it is possible.

Only not recommended.

Federico.

hi Ankur,

I just quickly labbed it for you, and no, it is not possible to use the failover link for management.

The reason is that as soon as you configure the failover link, it will clear out all the interface configuration.

Here is the example that I have just tested out:

failover lan interface fail GigabitEthernet0/3
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2

So basically Gig0/3 has been configured as the failover link.

Then I just tried to configure "ssh" for that interface, and as advised, there is no option to manage that failover interface, as its configuration was cleared when the above two lines were configured:

ASA(config)# ssh 0 0 ?
configure mode commands/options:
Current available interface(s):
  dmz      Name of interface GigabitEthernet0/2
  inside   Name of interface GigabitEthernet0/1
  outside  Name of interface GigabitEthernet0/0

There is no option for Gig0/3, the failover link, and Gig0/3 is pretty much empty:

sh run int g0/3

interface GigabitEthernet0/3
description LAN Failover Interface

Hope that confirms your question.
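
To make the advice in the accepted answer (separate keepalive and stateful links, fastest port for state replication, no management on the failover link) and the lab result in this post (the failover interface loses its interface configuration, so nothing can bind ssh to it) concrete, here is an added example that is not from the thread and not Cisco code. It is a small Python script that audits an ASA configuration text, for instance one drafted offline before being pushed to a pair, for exactly those points: the two failover functions must sit on different interfaces, state replication must not be placed on the Management port (10/100 on the ASA 5510 discussed here), and no ssh/http/telnet binding may refer to a nameif on a failover link. Both configuration samples inside the script are constructed for the example; the interface names, addresses, and the function names are assumptions, not anything from the original posts.

```python
"""Audit an ASA config text for the failover-link layout discussed in the thread.

Added example, not Cisco code: the two sample configs below are constructed,
and the interface names/addresses are assumptions for illustration only.
"""
import re

# Constructed "good" layout: keepalives on Management0/0, state replication on a
# gigabit port, ssh/http bound only to the inside interface.
GOOD_CONFIG = """\
interface Management0/0
 description LAN Failover Interface
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface fail Management0/0
failover link state GigabitEthernet0/3
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2
failover interface ip state 192.168.1.1 255.255.255.0 standby 192.168.1.2
ssh 10.0.0.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
"""

# Constructed "bad" layout, e.g. a config drafted offline: one 10/100 port
# carries keepalives and state, and management is still bound to its nameif.
BAD_CONFIG = """\
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
failover
failover lan interface fail Management0/0
failover link fail Management0/0
ssh 192.168.0.0 255.255.255.0 mgmt
http 10.0.0.0 255.255.255.0 inside
"""

# "ssh|http|telnet <ip> <mask> <nameif>" bindings; other ssh/http lines are ignored.
MGMT_BIND = re.compile(r"^(?:ssh|http|telnet) (?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3} (\S+)\s*$")


def parse_interfaces(config):
    """Map each physical interface to its nameif (None when it has none)."""
    names, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            names[current] = None
        elif current:
            m = re.match(r"^\s+nameif (\S+)", line)
            if m:
                names[current] = m.group(1)
    return names


def failover_links(config):
    """Return (failover_link_interface, stateful_link_interface); None if absent."""
    lan = re.search(r"^failover lan interface \S+ (\S+)", config, re.M)
    state = re.search(r"^failover link \S+ (\S+)", config, re.M)
    return (lan.group(1) if lan else None, state.group(1) if state else None)


def management_nameifs(config):
    """Collect the nameifs that ssh/http/telnet access is bound to."""
    return {m.group(1) for line in config.splitlines() if (m := MGMT_BIND.match(line))}


def audit_failover(config):
    """Return a list of findings; an empty list means the layout follows the advice."""
    findings = []
    names = parse_interfaces(config)
    lan, state = failover_links(config)
    if lan is None:
        return ["no 'failover lan interface' configured"]
    if state is None:
        findings.append("no stateful failover link: connection/xlate tables will not replicate")
    elif state == lan:
        findings.append(f"{lan} carries both keepalives and state replication; "
                        "use the fastest interface or split the two functions")
    if state and state.startswith("Management"):
        findings.append(f"stateful link {state} is the 10/100 Management port; use a gigabit port")
    mgmt = management_nameifs(config)
    for intf in {lan, state} - {None}:
        nameif = names.get(intf)
        if nameif is None:
            continue  # failover interfaces normally carry no nameif (the ASA clears it)
        findings.append(f"{intf} is a failover link but still has nameif {nameif}")
        if nameif in mgmt:
            findings.append(f"management access is bound to {nameif} on failover link {intf}; "
                            "keepalives can be lost during backups or image transfers")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_failover(cfg) or "OK")
```

Run against the good sample the audit returns no findings; against the bad sample it reports the shared 10/100 link, the state replication on the Management port, the leftover nameif on the failover interface, and the ssh binding to that nameif. The nameif check is there because a config drafted by hand can still carry it even though, as the lab above shows, the running ASA strips it the moment the failover link is configured.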

Thanks halijenn!! That's an excellent explanation!!

I thought you were asking if you can use the management interface
for failover.
That's why I said it's possible but not recommended.
However halijenn has already answered the question.
Sorry for the misinterpretation.

Federico.
