Solved: ASA Failover

WILLIAM STEGMAN · ‎08-17-2010

I want to use and dedicate the Management interfaces on 2 ASAs to enable failover. I'm wondering if I can make the interfaces both the failover interface and stateful interface. Looking at some examples, the 2 tend to be different interfaces, some logical and some physical. If I have a failover interface named failover,

ASA(config)#failover lan interface failover Management0/0

ASA(config)#failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2

Can I also use the same interface for the stateful?

ASA(config)#failover link failover Management0/0

ASA(config)#failover int ip state 10.1.0.1 255.255.255.0 standby 10.1.0.2

or would the previous failover interface be overwritten?

thank you,

Bill

mirober2 · ‎08-17-2010

Hi Bill,

You can share the interface if you'd like. This is mentioned in the ASA Configuration Guide under the "Stateful Failover Link" section:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077551

If you are using LAN-based failover, you can share the failover link.

You didn't mention what model ASA you have, but keep in mind that if you have a 5580, the management interface's speed isn't sufficient enough for stateful failover, per the same link above:

Use the following failover interface speed guidelines for the adaptive security appliances:

•Cisco ASA 5510

–Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

•Cisco ASA 5520/5540/5550

–Stateful link speed should match the fastest data link.

•Cisco ASA 5580

–Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.

Hope that helps.

-Mike

View solution in original post

mirober2 · ‎08-17-2010