Ahmad, it is recomended to have a stateful failover interface that is as fast as the fastest traffic passing interface. With your design that would have to be one if the Gig ports. This is to ensure that failover stateful info is not going to overload the failover link. I do not have the document infront of me, but im sure it is documented somewhere. - Magnus
Thanks for the link. Ahmad, the key lines in that document are as follows:
"Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other. The interface for failover must be at least of the same capacity as the interfaces that pass regular traffic, and while the interfaces on the ASA 5540 are gigabit, the management interface is FastEthernet only. The management interface is designed for management traffic only and is specified as management0/0."
I'm in the same situation with a pair of 5520s. For clarification I found the following excerpt from Cisco Docs stating different requirements for various ASA models. Link at the bottom.
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for the adaptive security appliances:
•Cisco ASA 5510
–Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
•Cisco ASA 5520/5540/5550
–Stateful link speed should match the fastest data link.
•Cisco ASA 5580/5585
–Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...