ASA Redundancy

Unanswered Question
Jul 26th, 2010

I'd like to hear some comments from people that have used the redundant interface feature on the ASA. Has there been any noticeable benefit in failover times?

Or can the failover polltimes be tuned so that this feature is unnecessary and is not worth the cost of burning so many ports on the firewall?

Thanks.

rmfalconer Mon, 08/09/2010 - 10:22

Nitin,

I am talking about using the redundant interface feature on the ASA and unit redundancy vs. using only unit redundancy.

The redundant interface feature fails over a bit quicker but at the cost of burning ports and additional complexity.

In my testing, with adjusted polling timers, I didn't find that the difference in failover times between the 2 methods seemed to justify using the redundant interface feature.

I was hoping that there are some people out there that have done it both ways and have some thoughts on it.

Thanks.

Nitin Agarwal Tue, 08/10/2010 - 07:24

Hi,

Well, these are two different scenarios. Interface redundancy is at a single ASA level. If the unit fails then there is no point in keeping a redundant link.

On the other hand, if you consider failover between two ASAs, then yes, you make sure that if one unit fails the other takes over.

I agree that the failover between two units is slower than that of the interface, as all the connection states need to be replicated on the second unit.

Are you using stateful failover?

What is the poll time you tested with?

Regards,

Nitin Agarwal
