Cisco ASA 5505 Configuration Manual page 1196

Failover and Stateful Failover Links
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch
or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be
on this link.
Note
Enable the PortFast option on Cisco switch ports that connect directly to the adaptive security appliance.
If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
Using a data interface as the Stateful Failover interface is supported in single context, routed mode only.
Note
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.
Note
The IP address and MAC address for the Stateful Failover link do not change at failover unless the
Stateful Failover link is configured on a regular data interface.
Caution
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the adaptive security appliance is used to terminate VPN
tunnels, this information includes any usernames, passwords, and preshared keys used for establishing
the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We
recommend securing the failover communication with a failover key if you are using the adaptive
security appliance to terminate VPN tunnels.
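One way to check a saved configuration for the two risks described above (a Stateful Failover link that shares a data interface, and failover traffic sent without a failover key), as an added example that is not part of the Cisco guide. It assumes the CLI forms `failover key`, `failover lan interface` and `failover link` as they appear in `show running-config` output; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of "show running-config" output (not taken from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link inside
"""

def audit_failover(config):
    """Return findings for the failover section of an ASA configuration."""
    data_ifaces = {}         # nameif -> physical interface (data interfaces)
    current = None           # physical interface whose stanza is being read
    key_set = False
    lan_if = link_if = None  # (logical name, physical interface or None)
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split()[1]
        elif raw.startswith(" ") and line.startswith("nameif ") and current:
            data_ifaces[line.split()[1]] = current
        elif line.startswith("failover key "):
            key_set = True
        elif m := re.match(r"failover lan interface (\S+)(?: (\S+))?$", line):
            lan_if = m.groups()
        elif m := re.match(r"failover link (\S+)(?: (\S+))?$", line):
            link_if = m.groups()
    findings = []
    if (lan_if or link_if) and not key_set:
        findings.append("no failover key: failover traffic is sent in clear text")
    if link_if:
        name, phys = link_if
        if name in data_ifaces or phys in data_ifaces.values():
            findings.append(f"Stateful Failover link '{name}' shares a data interface")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A configuration with a `failover key` line and a Stateful Failover link on its own interface returns an empty list.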
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface
available. If you experience performance problems on that interface, consider dedicating a separate
interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for the adaptive security appliances:
Cisco ASA 5510: Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
to the CPU speed limitation.
Cisco ASA 5520/5540/5550: Stateful link speed should match the fastest data link.
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 57: Information About High Availability (OL-20339-01), page 57-4
