05-24-2010 02:55 AM - edited 03-11-2019 10:49 AM
Hi pkampana / halijenn / all
I want to know if I configure the management interface of the ASA 5510 as the failover link, whether the CPU utilization will go up or not. As per the thread below, the more connection replication, the more traffic for the failover link, and the more load for the failover link. However, the connection replication happens via the stateful failover link, not via the failover link; please correct me if I am wrong. Hence, please let me know if CPU utilization is of much concern over here or not.
https://supportforums.cisco.com/message/3077391#3077391
Also I want to know, if the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?
05-25-2010 06:21 AM
The CPU utilization will not be of concern. However, from your statement "(consider heavy traffic is traversing across ASA and lot of connection entries are being made)", I assume that you were talking about the failover stateful link. To answer that particular question, yes, you would need to use the fastest speed interface for failover stateful link.
There are 2 interfaces that are required for failover:
1) Failover link - this is to check the failover status on each device - keepalive
2) Stateful failover link - this is to replicate all the connection and xlate table
Sometimes people use 1 interface for both failover and stateful failover link. If you only use 1 interface, then you would need to use the fastest interface (because of the state replications).
If you are using 2 interfaces, one for each function, i.e. 1 for the failover link and the other for the stateful failover link, then only the stateful failover link needs to be the fastest interface. For the failover link, you can use the management interface, which is a 10/100 interface.
If you use the management interface for the failover link, I would recommend that you do not use it for management as well, as there is a possibility that a failover keepalive might be lost when you are managing the firewall, especially if you back up a config, for example, or are transferring an image for an upgrade, etc.
Hope that answers your question.
05-24-2010 04:48 AM
Yes, you can use the management interface as the failover link. For the stateful failover link, it is recommended to use the fastest speed interface.
It is recommended not to use the failover interface to manage the ASA as well. This is to ensure that the failover keepalive is not lost while you use the same link to manage the ASA firewall. I would recommend that you use other ASA interfaces for management purposes.
05-24-2010 06:01 AM
Hi
My questions are not yet answered:
Will the CPU utilization be of much concern over here or not when the management interface is used as the failover link (consider heavy traffic traversing the ASA and a lot of connection entries being made)?
When the management interface is used as the failover link, will I be able to manage the firewall with those IPs configured for failover?
05-25-2010 03:53 PM
Hi halijenn,
Thanks a lot! I know that it is not recommended to configure the management interface as the failover link and use it for managing the box as well, due to the reasons said above; however, at least this is possible, right?
05-25-2010 03:55 PM
Sure it is possible.
Only not recommended.
Federico.
05-25-2010 07:03 PM
Hi Ankur,
I just quickly labbed it for you, and no, it is not possible to use the failover link for management.
The reason is that as soon as you configure the failover link, it will clear out all the interface configuration.
Here is the example that I have just tested out:
failover lan interface fail GigabitEthernet0/3
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2
So basically gig0/3 has been configured for failover link.
Then I just tried to configure "ssh" for that interface, and as advised, there is no option to manage that failover interface as it has been cleared when you configure the above 2 lines:
ASA(config)# ssh 0 0 ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface GigabitEthernet0/2
inside Name of interface GigabitEthernet0/1
outside Name of interface GigabitEthernet0/0
No option for gig0/3, the failover link, and gig0/3 is pretty much empty:
sh run int g0/3
interface GigabitEthernet0/3
description LAN Failover Interface
Hope that confirms your question.
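Pulling the two answers above together (separate failover and stateful links, plus management kept on a normal data interface), here is an added ASA configuration example that is not from the original thread or from Cisco. The 192.168.0.x failover-link addresses are the ones shown in the lab above; the state-link and inside addresses, the unit role and the key value are constructed assumptions for illustration.

```cisco
! Failover (keepalive) link on the 10/100 management port.
! Once assigned as the LAN failover interface, this port loses its
! nameif/ip address/management-only settings, so it cannot be used for ssh.
failover lan unit primary
failover lan interface fail Management0/0
failover interface ip fail 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
! Stateful (connection/xlate replication) link on the fastest interface.
! Addresses below are constructed for this example.
failover link state GigabitEthernet0/3
failover interface ip state 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Authenticate and encrypt failover hello and state traffic between the peers
! (placeholder key; replace with a locally generated value).
failover key REPLACE-WITH-STRONG-KEY
failover
!
! The failover interfaces keep only a description, as seen in the lab output.
interface Management0/0
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
! Management stays on a regular data interface with a standby address,
! so the same IP remains reachable on whichever unit is active.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! ssh is allowed only from the inside subnet, on the inside interface;
! the failover link does not appear as an option here.
ssh 10.0.0.0 255.255.255.0 inside
```

After pushing this to the primary, `show failover` on each unit should report the LAN failover interface on Management0/0 and the state link on GigabitEthernet0/3, while `ssh 0 0 ?` lists only the named data interfaces.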
05-26-2010 04:07 AM
Thanks halijenn!! That's an excellent explanation!!
05-26-2010 06:48 AM
I thought you were asking if you can use the management interface for failover.
That's why I said it's possible but not recommended.
However, halijenn has already answered the question.
Sorry for the misinterpretation.
Federico.