08-17-2010 12:07 PM - edited 03-11-2019 11:27 AM
I want to use and dedicate the Management interfaces on 2 ASAs to enable failover. I'm wondering if I can make the interfaces both the failover interface and stateful interface. Looking at some examples, the 2 tend to be different interfaces, some logical and some physical. If I have a failover interface named failover,
ASA(config)#failover lan interface failover Management0/0
ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Can I also use the same interface for the stateful?
ASA(config)#failover link failover Management0/0
ASA(config)#failover int ip state 10.1.0.1 255.255.255.0 standby 10.1.0.2
or would the previous failover interface be overwritten?
thank you,
Bill
08-17-2010 12:40 PM
Hi Bill,
You can share the interface if you'd like. This is mentioned in the ASA Configuration Guide under the "Stateful Failover Link" section:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551
If you are using LAN-based failover, you can share the failover link.
You didn't mention what model ASA you have, but keep in mind that if you have a 5580, the management interface's speed isn't sufficient enough for stateful failover, per the same link above:
Use the following failover interface speed guidelines for the adaptive security appliances:
•Cisco ASA 5510
–Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
•Cisco ASA 5520/5540/5550
–Stateful link speed should match the fastest data link.
•Cisco ASA 5580
–Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.
Hope that helps.
-Mike
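A shared failover and stateful link on the primary unit, following the configuration guide section cited above. This is an added example, not part of the original posts. It assumes Management0/0 has no nameif or IP address configured, and the key is a placeholder.

```cisco
! Added example, not from the thread. Primary unit, ASA 8.2 Active/Standby.
! Assumption: Management0/0 carries no nameif or ip address of its own.
failover lan unit primary
failover lan interface failover Management0/0
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
!
! Stateful link shares the failover link: give only the existing interface
! name. Do not define a second name (such as "state") or a second
! "failover interface ip" line for it.
failover link failover
!
! Failover and state traffic is sent in clear text unless a key is set.
! Placeholder value; use the same key on both units.
failover key <shared-secret>
!
interface Management0/0
 no shutdown
!
failover
```

The secondary unit uses the same lines with `failover lan unit secondary`. `show failover` on either unit reports the link in use for both LAN and stateful failover.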
08-17-2010 01:45 PM
It's a 5510, so it looks good. Thank you Mike.