Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

Hi, I would like to know what kind of performance problems could I have if I configure two ASAs 5520 doing Active/Standby Failover using the same LAN interface for the failover link/stateful llink.

That?s because I need to use two outside interfaces.

4 REPLIES
Bronze

Re: ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

The problem is that the firewall uses this interface to send state of connections to the standby, so every traffic in the firewall is replicated to the standby and in case it's going through your lan there must be some delay in this transmition. you can use management interface for this link!

New Member

Re: ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

thankyou, What I want to do is connecto two ASA 5520 doing stateful failover Active/Stanby but I want to use only one Ethernet Interface.

Is there a problem of doing that??

Bronze

Re: ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

The problem I see if the two units are connected through the inside lan is that:

If the active unit fails and the secondary unit did not received all the states because of the delay of the connection some connections can be dropped because the packedt that left the "primary unit" now comes back to the secondary (who is active) if the secondary did not received the satate of this connection it will drop this packets.

Plus the data exchanged between the units will be concurrent with the traffic that your firewall has to send to hosts who are communicating through the firewall what can make the connections slower dependinf of your traffic

New Member

Re: ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER

Thankyou, I?m not thinking using the LAN inside connection also for failover, what do you think if I use a single "dedicated" link to do failover - stateful. My question is because in the documentation they use two links: one for failover and another for stateful. That means that if I?m using ASAs 5520 I will loose 2 of the five interfaces just for the failover.

144
Views
0
Helpful
4
Replies