Cisco ASA 5505 Configuration Manual page 1195


Chapter 57
Information About High Availability
Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating
status of each unit. The following information is communicated over the failover link:
• The unit state (active or standby)
• Hello messages (keep-alives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization
Caution
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the adaptive security appliance is used to terminate VPN
tunnels, this information includes any usernames, passwords and preshared keys used for establishing
the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We
recommend securing the failover communication with a failover key if you are using the adaptive
security appliance to terminate VPN tunnels.
You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify
an interface that is currently configured with a name. The LAN failover link interface is not configured
as a normal networking interface; it exists for failover communication only. This interface should only
be used for the LAN failover link (and optionally for the Stateful Failover link).
Connect the LAN failover link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as
the LAN failover interfaces of the adaptive security appliance.
• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external
switch.
Note
When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought
down on both peers. This condition may hamper troubleshooting efforts because you cannot easily
determine which interface failed and caused the link to come down.
Note
The adaptive security appliance supports Auto-MDI/MDIX on its copper Ethernet ports, so you can
either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface
automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.
Stateful Failover Link
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not
recommended.
OL-20339-01
Failover and Stateful Failover Links
Cisco ASA 5500 Series Configuration Guide using ASDM
57-3
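The following audit script is an added example, not part of the Cisco guide. It checks a saved running configuration for the two risks described above: failover enabled without a failover key, and a Stateful Failover link that shares a named data interface. The sample configurations and interface names (folink, statelink, inside) are constructed, and the CLI line forms are assumed to match the ASA `show running-config` output.

```python
import re

# Constructed sample configs in ASA "show running-config" style (not from the manual).
SAMPLE_WEAK = """\
interface Ethernet0/1
 nameif inside
 security-level 100
!
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link inside
"""

SAMPLE_HARDENED = """\
interface Ethernet0/1
 nameif inside
 security-level 100
!
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover key *****
failover link statelink Ethernet0/2
"""

def audit_failover(config: str) -> list[str]:
    """Return findings for the failover-link risks described in this section."""
    lines = [ln.strip() for ln in config.splitlines()]
    if "failover" not in lines:  # a bare "failover" line means failover is enabled
        return []
    findings = []
    # "failover ipsec pre-shared-key" is a later-release alternative to "failover key".
    if not any(re.match(r"failover (key|ipsec pre-shared-key)\s+\S", ln) for ln in lines):
        findings.append("NO_FAILOVER_KEY")
    # Interfaces that carry a name are normal data interfaces.
    data_ifs = {m.group(1) for ln in lines if (m := re.match(r"nameif (\S+)$", ln))}
    state = next((m.group(1) for ln in lines
                  if (m := re.match(r"failover link (\S+)", ln))), None)
    if state in data_ifs:
        findings.append("STATE_LINK_ON_DATA_INTERFACE:" + state)
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_failover(cfg))
```
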


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
