I am trying to find practical answers to the questions below.
1. What is the advantage of configuring both Stateful and Regular (LAN-based) failover between 2 ASAs (Stateful is not enough?).
2. With Stateful configuration, will the Remote Access VPN & Easy VPN clients experience any disconnects, or is it seamless (in case the primary one fails)?
3. What is the default failover time when the primary unit fails, and is there anywhere we can set the timing?
4. Also, with Regular failover, I observed MS Exchange issues for Easy VPN users (Outlook losing connectivity to the Exchange server when the primary fails, even after the secondary took over and the RA VPN was established). Any suggestions?
2. No, because when stateful is enabled the active unit passes connection state to the standby unit; if the primary fails, IPsec connections continue without interruption when the standby becomes active.
3. Issue "show failover" on the firewall and note its output; it will show the default poll times and default holdtime values in failover sync. To change them you would probably very carefully play with the failover polltime values, but under normal circumstances we use the default values, which are preferable.
Thank you... but for Q1: do we need both to be enabled on the ASA (Stateful & Regular)? I believe stateful is enough. If both are enabled, are there any disadvantages when considering a failover situation? Any suggestions?
Good question!! I must admit I had to read up on this several times to understand the logic, and if someone could perhaps comment, that would be great.
My understanding is that both are different. LAN-based failover, or regular failover, monitors the ASA physical links, including the LAN-based failover link; it does not monitor or pass stateful information to the standby. So if one configures stateful without regular, failover cannot be triggered because no physical interfaces are monitored (no LAN-based failover configured). You can either use the same LAN-based failover link to enable stateful failover, or have a dedicated physical link for stateful configuration, separated from LAN-based failover.
I think stateful failover alone will not be enough, you need both.
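
Added example, not written by any poster in this thread: a small Python check that reads `show failover` output and reports the unit and interface poll/hold timers (question 3) and whether a stateful link exists alongside the LAN failover link (question 1). The sample output is constructed and trimmed, its line formats are assumed to match the device's output, and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample of `show failover` output (not from the thread).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 160 maximum
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

_TO_MS = {"seconds": 1000, "milliseconds": 1}
_POLL = re.compile(r"^(Unit|Interface) Poll frequency (\d+) (seconds|milliseconds), "
                   r"holdtime (\d+) (seconds|milliseconds)", re.M)
_LAN = re.compile(r"^Failover LAN Interface:[ \t]+(\S+)[ \t]+(\S+)[ \t]+\((\w+)\)", re.M)
_STATE = re.compile(r"^[ \t]*Link[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)

def parse_show_failover(text):
    """Extract failover state, link roles and timers from `show failover` text."""
    info = {"enabled": bool(re.search(r"^Failover On\b", text, re.M)),
            "lan_link": None, "state_link": None, "timers": {}}
    m = _LAN.search(text)
    if m:
        info["lan_link"] = {"name": m.group(1), "port": m.group(2), "status": m.group(3)}
    m = _STATE.search(text)
    if m and not m.group(1).lower().startswith("unconfigured"):
        info["state_link"] = m.group(1)
    for kind, poll, poll_unit, hold, hold_unit in _POLL.findall(text):
        info["timers"][kind.lower()] = {"poll_ms": int(poll) * _TO_MS[poll_unit],
                                        "hold_ms": int(hold) * _TO_MS[hold_unit]}
    return info

def findings(info):
    """List gaps: failover off, LAN link missing/down, no stateful link."""
    notes = []
    if not info["enabled"]:
        notes.append("failover is off")
    if info["lan_link"] is None or info["lan_link"]["status"] != "up":
        notes.append("LAN failover link missing or down")
    if info["state_link"] is None:
        notes.append("no stateful link: connection state is not replicated")
    return notes

if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print(parsed["timers"])
    print(findings(parsed))
```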