Stateful Failover Link - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 14
Configuring Failover
Stateful Failover Link
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
•
•
•
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch
or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be
on this link.
Note
Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet
interface available. If you experience performance problems on that interface, consider dedicating a
separate interface for the Stateful Failover interface.
If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
Note
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.
The IP address and MAC address for the Stateful Failover link does not change at failover unless the
Note
Stateful Failover link is configured on a regular data interface.
Caution
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
OL-10088-01
You can use a dedicated Ethernet interface for the Stateful Failover link.
If you are using LAN-based failover, you can share the failover link.
You can share a regular data interface, such as the inside interface. However, this option is not
recommended.
Cisco Security Appliance Command Line Configuration Guide
Understanding Failover
*********
*********
14-5
Advertisement
Table of Contents
Troubleshooting
