topic Failover link in Network Security

Failover link

Vishal6 — Mon, 01 Dec 2025 07:02:08 GMT

Hi team,

Is it failover and stateful link in Cisco Fw high availability configuration sufficient for configuration and connection synchronization between active and passive devices ?

Re: Failover link

ahollifield — Mon, 01 Dec 2025 21:25:33 GMT

What exactly is your question? What platform?

Re: Failover link

Vishal6 — Thu, 04 Dec 2025 10:06:02 GMT

Does stateful link performs connection synchronizaton between devices ?

We have failover and stateful link, does flapping or down link status of failover link impact our High availability between devices or it breaks ?

Re: Failover link

Cristian Matei — Thu, 04 Dec 2025 10:17:29 GMT

Hi,

Session synchronisation happens over "State link" while everything else happens over "High Availability link". Ideally use a port-channel and assign both roles (State Link and High Availability Link) to it, this way you have physical redundancy built-in for both roles.

If "State Link" fails you'll loose session synchronisation. If "High Availability Link" fails and you don't have standby addresses configured on at last one data interface that is UP and monitored you'll end up in split-brain scenario, while if you do have standby addresses configured there'll be no split-brain. FTD's need to reach each other at layer 2 over monitored links where you have standby addresses configured.

Thanks,

Cristian.

Re: Failover link

Aref Alsouqi — Thu, 04 Dec 2025 11:41:29 GMT

Yes, the stateful failover (state link) is responsible to synchronize all the sessions information of the supported features shown in the link below. On the other side, the failover link (control link) is responsible to share the failover information between the two peers. If you loose the state link nothing will be impacted as long as the active role doesn't move to the secondary device.

CLI Book 1: Cisco Secure Firewall ASA Series General Operations CLI Configuration Guide, 9.19 - Failover for High Availability [Cisco Secure Firewall ASA] - Cisco

However, if you happen to have the state link down and at the same time a failover happens between the devices and the secondary device becomes the active, then all the sessions that were already established through the previous active firewall now need to be reinitiated.

With regard to the control link, if that breaks between the two peers then both of them will be acting as the active device which will most likely cause an outage or at least an intermittent outage on your network.

Re: Failover link

Vishal6 — Thu, 04 Dec 2025 13:15:44 GMT

Do you mean to this way.

interface GigabitEthernet0/4
description FO-ST
speed 1000
duplex full
channel-group 15 mode active

interface GigabitEthernet0/5
description FO-ST
speed 1000
duplex full
channel-group 15 mode active

interface Port-channel15
nameif HA
security-level 0
ip address 203.0.113.10 255.255.255.252 standby 203.0.113.11

failover link fa interface ip address 2.2.2.1 255.255.255.252 2.2.2.2
stateful link St interface ip address 1.1.1.1 255.255.255.252 1.1.1.2

Re: Failover link

Vishal6 — Thu, 04 Dec 2025 13:16:22 GMT

if stateful link fails? does Failover link performs job of stateful link ?

Re: Failover link

Aref Alsouqi — Thu, 04 Dec 2025 14:00:07 GMT

No, each link is responsible for a different set of tasks. The state link is for sessions synchronization, and the control link is for the failover control traffic such as unite state, hello messages, etc.

Re: Failover link

Aref Alsouqi — Thu, 04 Dec 2025 14:15:38 GMT

You would need to specify the port channel in the commands "failover lan interface fa" and "failover link st" to be port channel 15. Also, please keep in mind that you can't have any configs that aren't related to the HA on that port channel.

Re: Failover link

Vishal6 — Fri, 05 Dec 2025 12:48:20 GMT

Would be port channel configuration without any ip?

Re: Failover link

Aref Alsouqi — Fri, 05 Dec 2025 13:17:52 GMT

You don't need any IP configuration for the HA interface(s).