https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/3362314#M310364 <P><SPAN>failover lan interface FAILOVER Ethernet0/3</SPAN></P> <P><SPAN>This means ASA use this Ethernet 0/3 interface to monitor failover through&nbsp;hello messages. This determines which unit is going to be&nbsp;Active or Standby. Also used for configuration replication.</SPAN></P> <P><SPAN>You should monitor the stateful traffic in your environment. If its heavy, its better to use a dedicated link for failover.&nbsp;</SPAN></P> <P>You can use any available and unused interface other than Ethernet 0/3 for stateful traffic exchange&nbsp;&nbsp;</P> <P><SPAN>Example: </SPAN></P> <P><SPAN>failover link FAILOVER Ethernet0/1</SPAN></P> <P>&nbsp;</P> <P><SPAN>We can configure IPSEC tunnel or failover key command to&nbsp;encrypt&nbsp;message exchange.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Thank you.</SPAN></P> Sun, 08 Apr 2018 07:23:38 GMT DeepanBarathi 2018-04-08T07:23:38Z https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334812#M310348 <P>I've typically configured both LAN and State failover for the ASAs via the same physical interface.&nbsp; For example on an ASA5510:</P><P></P><P><SPAN style="font-family: courier new,courier;">failover</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover lan unit primary</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover lan interface FAILOVER Ethernet0/3</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover link FAILOVER Ethernet0/3</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover interface ip FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2</SPAN></P><P></P><P>I'm now upgrading to the -X series, and since they have more physical interfaces, I'm wondering if there's any advantage to configuring stateful failover information on a separate interface?&nbsp; Like this:</P><P></P><P><SPAN style="font-family: courier new,courier;">failover lan unit primary</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover lan interface LAN_FAILOVER GigabitEthernet0/4</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover link STATE_FAILOVER GigabitEthernet0/5</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover interface ip LAN_FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2</SPAN></P><P><SPAN style="font-family: courier new,courier;">failover interface ip STATE_FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2</SPAN></P> Tue, 12 Mar 2019 02:55:38 GMT https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334812#M310348 johnnylingo 2019-03-12T02:55:38Z https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334813#M310357 <HTML><HEAD></HEAD><BODY><P>Think I found the answer </P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759</A></P></BODY></HTML> Wed, 23 Oct 2013 23:18:13 GMT https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334813#M310357 johnnylingo 2013-10-23T23:18:13Z https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334814#M310361 <HTML><HEAD></HEAD><BODY><P>Hello Johnyy,</P><P></P><P>Can you please share what you understood from this? and which one should be used? </P><P></P><P>Or if I say I want to enable statefull failover so that when my Primary firewall goes down, all the connection information should be passed to secondary set and secondary to act as active one. For this do I need to enable both Lan failover as well as link faiolver? </P><P></P><P>I doubt if failover link only helps in sharing connection information to secondary firewall. and lan failover is allways needed to check state of primary firewall.</P></BODY></HTML> Tue, 07 Jan 2014 12:04:31 GMT https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/2334814#M310361 Gagandeep Kumar 2014-01-07T12:04:31Z https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/3362314#M310364 <P><SPAN>failover lan interface FAILOVER Ethernet0/3</SPAN></P> <P><SPAN>This means ASA use this Ethernet 0/3 interface to monitor failover through&nbsp;hello messages. This determines which unit is going to be&nbsp;Active or Standby. Also used for configuration replication.</SPAN></P> <P><SPAN>You should monitor the stateful traffic in your environment. If its heavy, its better to use a dedicated link for failover.&nbsp;</SPAN></P> <P>You can use any available and unused interface other than Ethernet 0/3 for stateful traffic exchange&nbsp;&nbsp;</P> <P><SPAN>Example: </SPAN></P> <P><SPAN>failover link FAILOVER Ethernet0/1</SPAN></P> <P>&nbsp;</P> <P><SPAN>We can configure IPSEC tunnel or failover key command to&nbsp;encrypt&nbsp;message exchange.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Thank you.</SPAN></P> Sun, 08 Apr 2018 07:23:38 GMT https://community.cisco.com/t5/network-security/lan-and-state-failover-benefits-of-separate-interfaces/m-p/3362314#M310364 DeepanBarathi 2018-04-08T07:23:38Z