Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3435
Views
0
Helpful
3
Replies

Understanding Failover Link and State Link

amp512_nyph
Level 1
Level 1

‎08-17-2012 02:23 PM - edited ‎03-11-2019 04:43 PM

Whatt is the difference between failover link and state link in the context of Cisco FWSM? Why do I need both or what is the best practice? Thanks in advance. Just trying to understand.

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎08-17-2012 02:53 PM

Hello ,

The difference is that the stateful link is the one in charge of handling the replication of the connections across the FWSM ( Used for the stateful failover) so if by any chance the device goes down the connections already established do not go down.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

amp512_nyph
Level 1
Level 1
In response to Julio Carvajal

‎08-18-2012 08:42 PM

Well I should have asked question different way. I have config for two pairs (one pair in one segment and another pair in another segment) and failover configuration is different in terms of one pair has two unique vlans being trunks across crossover cable - unique LAN failover vlan and state vlan while other pair only has one vlan for both purposes...

PAIR-1

failover

failover lan unit primary

failover lan interface failover Vlan100

failover polltime unit 15 holdtime 45

failover link failover Vlan100

failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2

PAIR-2

failover

failover lan unit primary

failover lan interface failover Vlan300

failover polltime unit 1 holdtime 3

failover polltime interface 3

failover interface-policy 1

failover link stateful Vlan301

failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2

failover interface ip stateful 192.168.254.5 255.255.255.252 standby 192.168.254.6

According Cisco's failover configuration document you should have two vlans trunked across two chassis (ASA or FWSMs on 6500s). I am trying to understand what type of traffic "lan interface failover" vlan 300 in above config and "link stateful" vlan 301 in above config carry across? What is the best practice? should have uniqe vlans or just one vlan for both purposes? Sorry for not being clear on my initial question.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to amp512_nyph

‎08-18-2012 11:14 PM

Hello Atrey,

Well it is 100 % recommeded to use 2 different vlans ( FWSM) or 2 different interfaces (ASA) for the failover link and the state link between 2 units, this because of the amount of data being transfered on both of this links,

Not all the time you have the oportunity to use 2 of them so that is why you can use only one, I have seen a lot of scenarios using just one and that works perfect but again if possible then use 2

Is just a desing preference or optimization

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card