topic Hi,From the command reference in Network Security

ASA HTTP connection replication question

d-fillmore — Tue, 12 Mar 2019 05:52:24 GMT

I'm assessing the potential service impact of failing over from one ASA to another with HTTP replication disabled.

There is some concern that HTTP flows may be broken or disrupted when we failover

Surely HTTP is just an application running over TCP and the connection table is replicated by default in a stateful failover pair so I'm struggling to see how HTTP would be affected.

Is HTTP replication only relevant if you have HTTP inspection enabled and all that inspection info can be replicated?

Cheers, Dom

Hi,From the command reference

Vibhor Amrodia — Sat, 02 May 2015 03:43:06 GMT

Hi,

From the command reference:-

"By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative affect on system performance."

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014541

Also . HTTP inspection would not have any effect on the stateful connection replication on the failover.

I hope this answers your query. If you have any other query , please let me know.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, Thanks for taking

d-fillmore — Sat, 02 May 2015 07:36:37 GMT

Hi Vibhor, Thanks for taking the time to respond, but this doesn't answer my question.

I always read as much of the documentation available as possible before posting.

Cheers, Dom

Hi,Okay. Let me answer this

Vibhor Amrodia — Sun, 03 May 2015 03:36:43 GMT

Hi,

Okay. Let me answer this as per the query.

HTTP connections are not replicated to the Standby unit on Stateful Failover without the "failover http replication" command enabled.

HTTP inspection is irrelevant to the connection being replicated or not on the HA pair.

Let me know if any other queries.

Thanks ad Regards,

Vibhor Amrodia

Hi Vibhor,Are the HTTP

d-fillmore — Sun, 03 May 2015 09:03:33 GMT

Hi Vibhor,

Are the HTTP connections we're talking about connections to the ASA, or through the ASA?

HTTP is a layer 7 Protocol. If the TCP connection table is replicated between ASAs then I would expect HTTP to function uninterrupted though a pair of ASAs if you failed them over from one to the other, much like an SSH session, which would stay up.

Do you see what I'm getting at? If you replicate TCP connections between both devices, anything that runs on top of TCP should subsequently be replicated

Cheers, Dom

Hi,I am referring to the

Vibhor Amrodia — Sun, 03 May 2015 10:55:49 GMT

Hi,

I am referring to the Connections through the ASA device.

You need to understand that when we are talking about about HTTP connection it talks about the HTTP service which works on port 80.

So , all the port 80 connections will not be replicated to the Standby Unit until and unless this command is enabled on the ASA device.

Check this Statement from the same link:-

"To enable HTTP (port 80) connection replication"

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014541

Thanks and Regards,

Vibhor Amrodia

Ah OK. So by default, all TCP

d-fillmore — Mon, 04 May 2015 07:02:39 GMT

Ah OK. So by default, all TCP connections except on port 80 are replicated and you need to explicitly enable replication of port 80 by using HTTP replication?

Hi,Yes , you are correct

Vibhor Amrodia — Mon, 04 May 2015 07:07:43 GMT

Hi,

Yes , you are correct.

Thanks and Regards,

Vibhor Amrodia

Thanks :)

d-fillmore — Mon, 04 May 2015 07:15:48 GMT

Thanks 🙂

Hi Vibhor, Do you know what

d-fillmore — Tue, 05 May 2015 08:48:43 GMT

Hi Vibhor, Do you know what the performance impact is of enabling HTTP replication?

eg Is it an increase in the load on the processor to synchronise lots of small flows?

I'm trying to get a feel for what is an acceptable number of HTTP flows for a given ASA (eg 5580-20) to consider turning HTTP replication on

Cheers, Dom

Hi,I don't think the HTTP

Vibhor Amrodia — Tue, 05 May 2015 09:37:12 GMT

Hi,

I don't think the HTTP replication would have any problems with the load on the ASA device.

It can certainly increase the load on the Stateful link for the failover.

In normal scenario , we don't see many issues with this being enabled.

Thanks and Regards,

Vibhor Amrodia