Home > Articles > Certification > Cisco Certification

  • Print
  • + Share This
From the author of ASA Failover Addresses

Physical Failover Connectivity

When connecting the two different ASA failover partners, there are possibly two different failover specific links that need to be connected. How exactly they are connected depends on the specific configuration.

The first of these failover links is called the failover link; this link is used to determine the operating status of the paired device. There are two different ways to connect the failover link: using a switch or using a direct cable between the paired devices. When using a switch for this connectivity, ensure that it is configured to be on a separate VLAN from any other traffic. This link can use any unused ASA interface including physical, redundant, and EtherChannel.

The second of these failover links is called the stateful failover link. As is obvious from the name, this link is used only if the stateful failover mode is used. This link is used to pass per-connection state information between failover partners (or failover groups) and can include a large amount of data.

For the stateful failover link, there are three different ways that it can be configured: using a dedicated interface (either a direct cable between ASA 's or using an isolated VLAN through a switch), sharing the failover link, or sharing with a regular data interface.

For any ASA implementation in which the number of connections will be high, it is recommended that a dedicated interface be used. If the number of connections will be moderate, sharing the failover link is possible, but performance should be monitored to ensure that the stateful traffic is not taking over the link. The third option is to share a regular data interface. Generally, this is never recommended unless there is no other option.

One very important thing to note is that, by default, all information that goes over the failover link and stateful failover link is sent in clear text. This can be changed by either configuring the use of an IPSec tunnel or by configuring a failover key.

  • + Share This
  • 🔖 Save To Your Account