Transparent firewall mode requirements – Cisco ASA 5505 User Manual


61-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 61 Information About High Availability

Transparent Firewall Mode Requirements

The following clientless SSL VPN features are not supported with Stateful Failover:

Smart Tunnels

Port Forwarding

Plugins

Java Applets

IPv6 clientless or AnyConnect sessions

Citrix authentication (Citrix users must reauthenticate after failover)

Note

If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call
session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone
client loses connection with the Cisco CallManager. This occurs because there is no session information
for the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a
response back from the CallManager within a certain time period, it considers the CallManager
unreachable and unregisters itself.

For VPN failover, VPN end-users should not have to reauthenticate or reconnect the VPN session in the
event of a failover. However, applications operating over the VPN connection could lose packets during
the failover process and not recover from the packet loss.

Transparent Firewall Mode Requirements

When the active unit fails over to the standby unit, the connected switch port running Spanning Tree
Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To
avoid traffic loss while the port is in a blocking state, you can configure one of the following
workarounds depending on the switch port mode:

Access mode—Enable the STP PortFast feature on the switch:

interface interface_id
spanning-tree portfast

The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The
port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions
into STP blocking mode.

Trunk mode—Block BPDUs on the ASA on both the inside and outside interfaces:

access-list id ethertype deny bpdu
access-group id in interface inside_name
access-group id in interface outside_name

Blocking BPDUs disables STP on the switch. Be sure not to have any loops involving the ASA in
your network layout.
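The trunk-mode workaround only helps if the deny-bpdu EtherType ACL is actually applied inbound on every named interface of the transparent ASA; a configuration that applies it on one side but not the other still lets BPDUs through. The following script is an added example, not part of the Cisco manual: it parses a constructed running-config excerpt (the interface names, the ACL name BLOCK_BPDU and the OUTSIDE_IN ACL are assumed placeholders) and reports which nameif interfaces lack an inbound EtherType ACL containing "deny bpdu".

```python
import re
from typing import Dict, List

# Constructed sample of an ASA running-config excerpt in transparent mode.
# Interface names, BLOCK_BPDU and OUTSIDE_IN are assumed placeholders, not
# values from the manual. Note that the BPDU ACL is applied on "inside" only.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
!
access-list BLOCK_BPDU ethertype deny bpdu
access-list BLOCK_BPDU ethertype permit any
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-group BLOCK_BPDU in interface inside
access-group OUTSIDE_IN in interface outside
"""

# Line patterns for the three config statements the audit depends on.
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.M)
ETHERTYPE_RE = re.compile(
    r"^\s*access-list\s+(\S+)\s+ethertype\s+(deny|permit)\s+(\S+)", re.M)
ACCESS_GROUP_RE = re.compile(
    r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.M)


def named_interfaces(config: str) -> List[str]:
    """Interfaces that carry a nameif; only these can receive an access-group."""
    return NAMEIF_RE.findall(config)


def bpdu_blocking_acls(config: str) -> List[str]:
    """Names of EtherType ACLs that contain at least one 'deny bpdu' rule."""
    return sorted({acl for acl, action, etype in ETHERTYPE_RE.findall(config)
                   if action == "deny" and etype == "bpdu"})


def inbound_acls_per_interface(config: str) -> Dict[str, List[str]]:
    """Map nameif -> ACL ids applied with 'access-group <id> in interface <nameif>'."""
    applied: Dict[str, List[str]] = {}
    for acl, direction, nameif in ACCESS_GROUP_RE.findall(config):
        if direction == "in":
            applied.setdefault(nameif, []).append(acl)
    return applied


def audit_bpdu_blocking(config: str) -> Dict[str, bool]:
    """nameif -> True when a deny-bpdu EtherType ACL is applied inbound on it."""
    blocking = set(bpdu_blocking_acls(config))
    applied = inbound_acls_per_interface(config)
    return {nameif: any(acl in blocking for acl in applied.get(nameif, []))
            for nameif in named_interfaces(config)}


def unprotected_interfaces(config: str) -> List[str]:
    """Named interfaces on which BPDUs are still allowed in."""
    return sorted(n for n, ok in audit_bpdu_blocking(config).items() if not ok)


if __name__ == "__main__":
    for nameif, ok in audit_bpdu_blocking(SAMPLE_CONFIG).items():
        print(f"{nameif}: {'deny bpdu applied' if ok else 'MISSING deny bpdu'}")
    print("unprotected:", unprotected_interfaces(SAMPLE_CONFIG))
```

Run it against the text of `show running-config` saved from the unit; on the constructed sample it flags "outside", which is exactly the half-applied state the manual's two access-group lines are meant to avoid. The "ethertype permit any" line in the sample is there because an EtherType ACL ends in an implicit deny for non-IP frames, so denying only BPDUs would otherwise also drop other non-IP protocols.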

If neither of the above options is possible, then you can use one of the following less desirable
workarounds, each of which impacts failover functionality or STP stability:

Disable failover interface monitoring.

Increase failover interface holdtime to a high value that will allow STP to converge before the ASAs
fail over.

Decrease STP timers to allow STP to converge faster than the failover interface holdtime.
