ASA Failover

Answered Question
Aug 17th, 2010

I want to use and dedicate the Management interfaces on 2 ASAs to enable failover.  I'm wondering if I can make the interfaces both the failover interface and stateful interface.  Looking at some examples, the 2 tend to be different interfaces, some logical and some physical.  If I have a failover interface named failover,



ASA(config)#failover lan interface failover Management0/0

ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2


Can I also use the same interface for the stateful?



ASA(config)#failover link failover Management0/0

ASA(config)#failover int ip state 10.1.0.1 255.255.255.0 standby 10.1.0.2


or would the previous failover interface be overwritten?


thank you,


Bill

Correct Answer by mirober2 about 6 years 9 months ago

Hi Bill,


You can share the interface if you'd like. This is mentioned in the ASA Configuration Guide under the "Stateful Failover Link" section:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551



If you are using LAN-based failover, you can share the failover link.


You didn't mention what model ASA you have, but keep in mind that if you have a 5580, the management interface's speed isn't sufficient enough for stateful failover, per the same link above:


Use the following failover interface speed guidelines for the adaptive security appliances:

Cisco ASA 5510: Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Cisco ASA 5520/5540/5550: Stateful link speed should match the fastest data link.

Cisco ASA 5580: Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.


Hope that helps.


-Mike

Overall Rating: 5 (1 ratings)
mirober2 Tue, 08/17/2010 - 12:40
User Badges: Cisco Employee

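A way to check a failover configuration against the points in this thread, as an added example that is not part of the original posts or Cisco's documentation. The function name `audit_failover` and the sample text are constructed for illustration; the script assumes the `failover link if_name [phy_if]` form, where a stateful link that reuses the LAN failover interface's name shares that link, and takes the 5580 rule from the guideline quoted in the answer.

```python
import re

# Constructed sample: the four commands proposed in the question above.
SAMPLE = """\
ASA(config)#failover lan interface failover Management0/0
ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
ASA(config)#failover link failover Management0/0
ASA(config)#failover int ip state 10.1.0.1 255.255.255.0 standby 10.1.0.2
"""

def audit_failover(config, model=None):
    """Return (shared, findings) for the failover lines of an ASA config."""
    lan = link = None   # (if_name, physical interface or None)
    addressed = []      # if_names used in 'failover interface ip'
    for raw in config.splitlines():
        # Drop a leading CLI prompt such as 'ASA(config)#' if present.
        words = re.sub(r"^\S*\(config\)#\s*", "", raw.strip()).split()
        if len(words) < 3 or words[0] != "failover":
            continue
        if words[1] == "lan" and words[2] == "interface" and len(words) >= 5:
            lan = (words[3], words[4])
        elif words[1] == "link":
            link = (words[2], words[3] if len(words) > 3 else None)
        elif "interface".startswith(words[1]) and words[2] == "ip" and len(words) >= 4:
            addressed.append(words[3])
    findings = []
    if lan is None:
        findings.append("no 'failover lan interface' line")
    if link is None:
        findings.append("no 'failover link' line, so failover is not stateful")
    # Same if_name on both commands means the stateful link shares the LAN link.
    shared = bool(lan and link and lan[0] == link[0])
    defined = {entry[0] for entry in (lan, link) if entry}
    for name in addressed:
        if name not in defined:
            findings.append(f"'failover interface ip {name}' names no failover interface")
    if link:
        phys = link[1] or (lan[1] if shared else None)
        # Guideline quoted in the answer: no management ports for state on a 5580.
        if model == "5580" and phys and phys.lower().startswith("management"):
            findings.append(f"stateful link on {phys}: 5580 needs a non-management 1 Gigabit port")
    return shared, findings

if __name__ == "__main__":
    shared, findings = audit_failover(SAMPLE, model="5580")
    print("stateful link shares the LAN failover link:", shared)
    for finding in findings:
        print("-", finding)
```

Run against the question's commands, it reports the link as shared and flags the second `failover interface ip` line, because no failover interface is named `state`.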