
61-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 61 Information About High Availability

Failover and Stateful Failover Links

Although you can configure failover and failover state links on a port channel link, this port channel
cannot be shared with other firewall traffic.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:

• You can use a dedicated Ethernet interface for the Stateful Failover link.

• You can share the failover link.

• You can share a regular data interface, such as the inside interface. However, this option is not
recommended.

Connect a dedicated state link in one of the following two ways:

• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as
the failover interfaces of the ASA.

• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external
switch.

Note

When you use a crossover cable for the state link, if the interface fails, the link is brought down on both
peers. This condition may hamper troubleshooting efforts because you cannot easily determine which
interface failed and caused the link to come down.

The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable
or a straight-through cable. If you use a straight-through cable, the interface automatically detects the
cable and swaps one of the transmit/receive pairs to MDIX.

Enable the PortFast option on Cisco switch ports that connect directly to the ASA.

If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:

******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********

Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
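The three link options above and the warning about sharing a data interface can be checked mechanically from a running configuration. The following audit script is an added example, not part of this guide: it assumes the `failover lan interface`, `failover link` and `nameif` command syntax shown in the constructed sample configurations, and classifies the Stateful Failover link as dedicated, shared with the failover link, or shared with a named data interface (the case the guide recommends against).

```python
import re

# Constructed ASA running-config excerpts (not taken from the manual).
# Dedicated state link: GigabitEthernet0/3 carries only state traffic.
DEDICATED_CFG = """\
failover
failover lan interface folink GigabitEthernet0/2
failover link stateful GigabitEthernet0/3
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover interface ip stateful 10.1.2.1 255.255.255.0 standby 10.1.2.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""
# State link shared with the 'inside' data interface: the warning case.
SHARED_DATA_CFG = """\
failover
failover lan interface folink GigabitEthernet0/2
failover link inside
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""

def data_interfaces(cfg: str) -> dict:
    """Map nameif -> physical interface for every named (data) interface block."""
    names, phys = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            phys = line.split(None, 1)[1].strip()
        elif phys and line.startswith(" "):
            m = re.match(r"\s+nameif\s+(\S+)", line)
            if m:
                names[m.group(1)] = phys
        else:
            phys = None  # left the interface block
    return names

def classify_state_link(cfg: str) -> str:
    """Return 'none', 'dedicated', 'shared-failover-link' or 'shared-data-interface'."""
    lan = re.search(r"^failover lan interface (\S+) (\S+)", cfg, re.M)
    link = re.search(r"^failover link (\S+)(?: (\S+))?", cfg, re.M)
    if not link:
        return "none"  # Stateful Failover not configured
    name, phys = link.group(1), link.group(2)
    if lan and (name == lan.group(1) or phys == lan.group(2)):
        return "shared-failover-link"
    data = data_interfaces(cfg)
    if name in data or phys in data.values():
        return "shared-data-interface"  # replay exposure and extra load on that segment
    return "dedicated"
```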

Note

Using a data interface as the Stateful Failover interface is supported in single context, routed mode only.

In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.

Note

The IP address and MAC address for the Stateful Failover link do not change at failover unless the
Stateful Failover link is configured on a regular data interface.
