ASA 5520 and Failover Link using the MGMT Int. Why not?

Hi, I have been reading several discussions on here about why the use of the MGMT interface isn't recommended for Failover, but I haven't seen a good enough reason why that is the case. Please give me some details and facts why this is a bad idea.

I see this reason posted a lot: "The failover link should be as fast as the fastest interface in the box."

But please, someone explain this to me. I must be missing something, because this seems like a silly recommendation to me.

1. In STEADY STATE - What kind of traffic is passing between the ASAs over the failover link, and what is the bandwidth required?

2. If Failover were to occur from the Active to the Standby (say the PS in the Active ASA sizzled out), how could having a faster interface between the two devices help me at this point? The (former) Active is toast - it can't pass any state traffic if it's dead! Even having a 10GB link between the two ASAs at this point would be futile.

My setup is two 5520s in Routed A/S mode. Currently running 7.1(2), but we plan to upgrade to 8.2(4) once we figure this problem out and do the memory upgrades. (These ASAs have been up for almost 3 years!!) Gig0-Gig2 are being used for the Outside, Inside, and DMZ networks. Gig3 is the current failover link, but we plan to use it for a new subnet coming soon, with sub-interfaces for future growth. There's nothing on the MGMT ports of either ASA.

Would it help to answer the above questions with some statistics about load and states on the router?  What do you need me to provide?

Thanks!

Cisco Employee

Re: ASA 5520 and Failover Link using the MGMT Int. Why not?

Hi,

please read below,

excerpts from the config guide:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#tri

Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other. The interface for failover must be at least of the same capacity as the interfaces that pass regular traffic, and while the interfaces on the ASA 5540 are gigabit, the management interface is FastEthernet only. The management interface is designed for management traffic only and is specified as management0/0.

So what happens in stateful failover is that updates are constantly exchanged; these updates include, for example, connection entries, xlate tables, and crypto sessions, to name a few.

And these updates are real time. Now the logic here is that since stateful updates include almost everything, it makes sense to use at least as much capacity as any other interface in production.

The best stats would be if you are able to apply some captures and see for yourself how much data is transferred over the failover link.

Now we only recommend you to use the link with the highest capacity for the stateful failover link, but having said that, I have seen many customers use the management interface and it has worked for them.

Now coming to your network, I see all the other ports you are using are gig ports, so it is not really a good idea to go for the management interface as the failover link.
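As an added illustration, not part of the reply above or of the config guide it quotes: an ASA 8.2-era active/standby configuration that keeps the failover LAN link and the stateful link on a dedicated gigabit port (GigabitEthernet0/3, the port the asker currently uses for failover) rather than on Management0/0, plus the show commands that answer the asker's first question about steady-state load. The link name `folink`, the addressing and the key are placeholders, not values from the thread.

```cisco
! Added example, not from the thread: primary unit, ASA 8.2 active/standby.
! The failover LAN link and the stateful link share one dedicated gigabit
! port instead of Management0/0, which is FastEthernet on the 5520.
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
! Placeholder point-to-point addressing for the failover link
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared key so the state updates (connections, xlates, crypto sessions)
! are not exchanged in clear text across the link; placeholder value
failover key EXAMPLE-KEY-CHANGE-ME
failover
!
! Secondary unit: identical failover lines, except
!   failover lan unit secondary
!
! Verification (run on either unit):
!   show failover
!     role of each unit, failover link state, and the
!     "Stateful Failover Logical Update Statistics" counters, i.e. how many
!     TCP conn / UDP conn / xlate / ARP updates were sent and received
!   show interface GigabitEthernet0/3
!     input and output rate on the failover port, the simplest measure of
!     how much bandwidth the state replication actually consumes
```

The `show interface` rate on the failover port, sampled during a busy period, is the number to compare against Management0/0's 100 Mbit/s before deciding to move the link there; if the stateful updates are already using a noticeable share of the gigabit port, the management interface would drop or delay them and the standby would come up with stale state. The `failover key` line is worth keeping in any case, since the replicated tables describe every active session on the box.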