I have a customer that has a pair of firewalls connected using a separate Stateful and Failover interface. I would like to amalgamate the two together. Would there be any impact with moving the Stateful interface onto the failover interface? I need to free up an interface. This would be with Cisco ASA 5510s running v8.2.
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for the ASAs:
• Cisco ASA 5510
  – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
Thank you for the reply. My question is more around that moment when you move the stateful interface onto the failover and click apply on ASDM. Would there be any impact to the firewall state or user traffic?
I would do it in a maintenance window to be safe. Never tried it in production.
If you remove the failover link command (stop replicating state connection table...) then it becomes a stateless failover (ASAs replicate config but not conn/xlate/... tables). If no failover occurs at this moment, then you should not experience downtime.
Then when you add it again (just on a different interface), the active ASA should start replicating state information to the standby... also no downtime that I can see here.
I would still do it in a maintenance window to be safe.
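The sequence described in the reply above, written out as ASA CLI for the active unit. This is an added example, not taken from any poster's configuration; the interface names `folink` and `statelink`, the physical ports and the addresses are assumed placeholders.

```cisco
! Assumed starting configuration (names, ports and addresses are placeholders):
!   failover lan interface folink Ethernet0/3
!   failover link statelink Ethernet0/2
!   failover interface ip statelink 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Before the change: confirm which unit is active and that the standby is ready
show failover
!
configure terminal
! Stop state replication on the dedicated link.
! From here until the link is re-added the pair is stateless:
! configuration still replicates, conn/xlate tables do not.
no failover link
no failover interface ip statelink 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Re-add the stateful link on the existing failover interface.
! When the failover link is shared, only the interface name is supplied.
failover link folink
end
!
! After the change: confirm the stateful link now shows the failover interface
! and that the stateful update counters are incrementing
show failover
write memory
```

A failover event between the `no failover link` and `failover link folink` steps would drop established connections, which is the window the replies above recommend covering with a maintenance window.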