Transparent firewall mode requirements – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 61 Information About High Availability
The following clientless SSL VPN features are not supported with Stateful Failover:
• Smart Tunnels
• Port Forwarding
• Plugins
• Java Applets
• IPv6 clientless or AnyConnect sessions
• Citrix authentication (Citrix users must reauthenticate after failover)
Note
If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses its connection with the Cisco CallManager, because the standby unit has no session information for the CTIQBE hangup message. When the IP SoftPhone client does not receive a response from the CallManager within a certain time period, it considers the CallManager unreachable and unregisters itself.
For VPN failover, VPN end-users should not have to reauthenticate or reconnect the VPN session in the 
event of a failover. However, applications operating over the VPN connection could lose packets during 
the failover process and not recover from the packet loss.
Transparent Firewall Mode Requirements
When the active unit fails over to the standby unit, the connected switch port running Spanning Tree 
Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To 
avoid traffic loss while the port is in a blocking state, you can configure one of the following 
workarounds depending on the switch port mode:
• Access mode—Enable the STP PortFast feature on the switch:
interface interface_id
spanning-tree portfast
The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP, so if the port turns out to be part of a loop, it eventually transitions into STP blocking mode.
• Trunk mode—Block BPDUs on the ASA on both the inside and outside interfaces:
access-list id ethertype deny bpdu
access-group id in interface inside_name
access-group id in interface outside_name
Blocking BPDUs stops the switches on either side of the ASA from exchanging STP information through it, so STP can no longer detect a loop that passes through the ASA. Be sure not to have any loops involving the ASA in your network layout.
If neither of the above options is possible, you can use one of the following less desirable workarounds, which impact failover functionality or STP stability:
• Disable failover interface monitoring.
• Increase the failover interface holdtime to a value high enough for STP to converge before the ASAs fail over.
• Decrease the STP timers so that STP converges faster than the failover interface holdtime.
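The following is an added worked configuration, not taken from this guide, that puts the workarounds above side by side: the switch-side PortFast setting for an access port, the ASA-side EtherType ACL for a trunk, and the failover-timer and STP-timer fallbacks. Interface names (inside, outside, GigabitEthernet1/0/10), the ACL name NO-BPDU, VLAN 10 and the timer values are placeholders chosen for illustration. Two caveats that the guide's fragments do not spell out are included as comments: an EtherType ACL ends with an implicit deny, so a `permit any` entry is needed or other non-IP EtherTypes are dropped as well; and because a transparent-mode ASA forwards BPDUs by default, BPDU Guard on the ASA-facing switch port would err-disable that port unless BPDUs are blocked on the ASA.

```cisco
! ---------------------------------------------------------------
! Switch side, ASA-facing ACCESS port: PortFast (workaround 1)
! Constructed example; port and VLAN numbers are placeholders.
! ---------------------------------------------------------------
interface GigabitEthernet1/0/10
 description ASA inside (transparent mode)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Do NOT add "spanning-tree bpduguard enable" here unless the ASA
 ! blocks BPDUs: a transparent-mode ASA passes BPDUs by default and
 ! the first BPDU seen would err-disable this port.

! ---------------------------------------------------------------
! ASA side, TRUNK-facing interfaces: block BPDUs (workaround 2)
! ACL name NO-BPDU and interface names are placeholders.
! ---------------------------------------------------------------
access-list NO-BPDU ethertype deny bpdu
! EtherType ACLs end with an implicit deny; without this line every
! other non-IP EtherType (for example MPLS) is dropped as well.
access-list NO-BPDU ethertype permit any
access-group NO-BPDU in interface inside
access-group NO-BPDU in interface outside
! With BPDUs blocked, STP cannot see a loop through the ASA. Verify
! with "show access-list NO-BPDU" that the bpdu entry hit count rises
! and confirm the physical topology has no second path around the ASA.

! ---------------------------------------------------------------
! Fallback A (less desirable): failover interface monitoring (workarounds 3, 4)
! ---------------------------------------------------------------
! Raise the interface holdtime above classic STP convergence
! (30 to 50 s). Holdtime must be at least 5x the poll interval.
failover polltime interface 5 holdtime 60
! Or stop monitoring the data interface altogether; the unit then
! no longer fails over when this interface goes down.
no monitor-interface inside

! ---------------------------------------------------------------
! Fallback B (less desirable): faster STP convergence on the switch (workaround 5)
! ---------------------------------------------------------------
! Either move to Rapid PVST+ so convergence is sub-second on
! point-to-point links ...
spanning-tree mode rapid-pvst
! ... or, staying on classic PVST+, shrink the per-VLAN timers so
! 2 x forward-delay (8 s) stays well below the default 25 s holdtime.
! Values must satisfy 2*(forward-1) >= max-age >= 2*(hello+1).
spanning-tree vlan 10 hello-time 1
spanning-tree vlan 10 forward-time 4
spanning-tree vlan 10 max-age 6
```

Apply only one of the two main workarounds per switch port mode; the fallbacks trade either failover responsiveness (a longer holdtime or no monitoring at all) or STP stability (aggressive timers) for the absence of traffic loss, which is why the guide lists them last.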