Cisco Support Community
Community Member

ASA 5520 failover interfaces

I want to set up Active/Standby stateful failover. I only have 4 interfaces and 1 mgmt port. I have an outside, inside, and DMZ port configured. I want to use the last port for the stateful information and the MGMT port for the failover information. Is this the best (recommended) way to do this? Is there another way that would be better, possibly using the gig port for failover and stateful information?

Thanks!

Jake

1 ACCEPTED SOLUTION
Community Member

Re: ASA 5520 failover interfaces

Personally I would use your last gig port to do both failover and pass state information. The main thing is that the state link is at least the same speed as your fastest interface that you need to replicate. This is how I normally set up my customers' firewalls.

See reference.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759
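As an added worked example (not from the original post or from Cisco's documentation; port numbers, the FAILOVER name, the addresses and the shared secret are assumptions), this is what the accepted answer's layout looks like on an ASA 5520 pair: GigabitEthernet0/3 carries both the LAN failover link and the stateful link, Management0/0 stays a management interface, and every data interface gets a standby address so the standby unit can take the active addresses over. Lines starting with `!` are comments.

```text
! ---- Primary unit ----
! Data interfaces: active address plus a standby address for the peer.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
! Fourth gig port: no nameif and no ip address; failover owns it.
interface GigabitEthernet0/3
 no shutdown
!
! The 10/100 Management port is kept for management, not for failover.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
 management-only
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
! Same name and same port again: the stateful link shares the failover link.
failover link FAILOVER GigabitEthernet0/3
! Shared secret for the pair; without it failover and state traffic crosses the link in clear text.
failover key <shared-secret>
failover interface ip FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover
!
! ---- Secondary unit ----
! Only the unit role differs; the active unit replicates the rest of the config.
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover key <shared-secret>
failover interface ip FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover
!
! Verify on the primary after both units are up:
!   show failover
!   show failover state
```

Enable `failover` on the primary first, then on the secondary, and connect GigabitEthernet0/3 on both units either back to back or through a switch that carries no other traffic, since the link is not supposed to be shared with data interfaces.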

3 REPLIES

Community Member

Re: ASA 5520 failover interfaces

Wow, I didn't think anyone would get back to me on this!

I would like to use my MGMT port for my management network, but I have never used the same cable for both failover functions. I know the gig port will not even get close to getting saturated. Is that the main concern and why Cisco recommends not doing that? Have you seen it cause issues?

Community Member

Re: ASA 5520 failover interfaces

I would recommend that you use the MGMT (10/100) port for management.

It is recommended to have a dedicated interface for failover because the information is sent in clear text, and for performance reasons. It is OK, though, to share the 2 failover roles on one interface. The reason they recommend that the state link be the same speed as the fastest interface that you are replicating is so you won't miss anything in the event of a failover. If it is a very high use firewall, the connections need to be replicated as fast as they are happening on the other interfaces, so if something did cause a failover the connections will be there and ready to go on the standby device.

Long winded I know (I am tired), but does that make sense?
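The two caveats in this reply (failover traffic crosses the link in clear text, and the state link must be at least as fast as the fastest replicated interface) are easy to check mechanically against a saved running-config. The script below is an added example, not part of the thread or of any Cisco tool; the port-speed table is an assumption based on the 5520 ports described above (gig data ports, 10/100 Management port), and both sample configs are constructed for the example.

```python
import re

# Assumed link speeds (Mbit/s) per ASA 5520 port type, as the thread describes them:
# GigabitEthernet data ports and a 10/100 Management port. This is an assumption of
# the example; a real audit would take speeds from 'show interface' output instead.
PORT_SPEED_MBPS = {"GigabitEthernet": 1000, "Management": 100, "Ethernet": 100}


def interface_speed(phy_if):
    """Best-effort link speed from the interface type prefix, e.g. 'GigabitEthernet0/3'."""
    m = re.match(r"[A-Za-z]+", phy_if)
    return PORT_SPEED_MBPS.get(m.group(0), 0) if m else 0


def parse_config(text):
    """Extract the failover commands and the named (data) interfaces from a running-config."""
    fo = {"lan_if": None, "state_if": None, "key": False}
    named = {}                      # physical interface -> nameif
    current = lan_name = state_name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if line.startswith(" "):    # sub-command of the current interface stanza
            if current and line.split()[:1] == ["nameif"]:
                named[current] = line.split()[1]
            continue
        current = None
        m = re.match(r"failover lan interface (\S+) (\S+)$", line)
        if m:
            lan_name, fo["lan_if"] = m.groups()
        m = re.match(r"failover link (\S+)(?: (\S+))?$", line)
        if m:
            state_name, fo["state_if"] = m.groups()
        if line.startswith("failover key "):
            fo["key"] = True
    # 'failover link <name>' with no physical port reuses the LAN failover interface.
    if state_name and fo["state_if"] is None and state_name == lan_name:
        fo["state_if"] = fo["lan_if"]
    return fo, named


def audit_failover(text):
    """Return a list of findings; an empty list means the config follows the advice above."""
    fo, named = parse_config(text)
    if fo["lan_if"] is None:
        return ["no 'failover lan interface' configured"]
    findings = []
    for role in ("lan_if", "state_if"):
        phy = fo[role]
        if phy and phy in named:
            findings.append(f"{phy} carries failover traffic but is also data interface '{named[phy]}'")
    if not fo["key"]:
        findings.append("no 'failover key': failover and state traffic crosses the link in clear text")
    if fo["state_if"]:
        fastest = max((interface_speed(i) for i in named), default=0)
        have = interface_speed(fo["state_if"])
        if have < fastest:
            findings.append(f"state link {fo['state_if']} ({have} Mbit/s) is slower than "
                            f"the fastest data interface ({fastest} Mbit/s)")
    return findings


# Constructed data-interface block shared by both samples.
DATA_INTERFACES = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
"""

# Constructed sample: state link on the 10/100 Management port, no failover key.
WEAK_CONFIG = DATA_INTERFACES + """\
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link STATE Management0/0
failover interface ip FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover interface ip STATE 10.1.2.1 255.255.255.252 standby 10.1.2.2
failover
"""

# Constructed sample: both roles on GigabitEthernet0/3, key set, Management0/0 kept for management.
GOOD_CONFIG = DATA_INTERFACES + """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
 management-only
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover key SharedSecretForThisPair
failover interface ip FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit_failover(cfg) or ["no findings"])
```

Run it as-is, or feed it `show running-config` output saved from a unit; the speed check is only as good as the port-type table, so adjust that table for anything other than a 5520.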
