Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
566
Views
0
Helpful
4
Replies

Migrating stateful interface

Brian O'Flynn
Level 1
Level 1

‎10-15-2013 05:52 AM - edited ‎03-11-2019 07:52 PM

Hi,

I have a customer that has a pair of firewalls connected using a separate Stateful and Failover interface.  I would like to amalgamate the two together.  Would there by any impact with moving the Stateful interface onto the failover interface?  I need to free up an interface.  This would be with Cisco ASA 5510's running v8.2.

Cheers

Brian

Labels:
0 Helpful
4 Replies 4

Patrick Moubarak
Level 4
Level 4

‎10-15-2013 08:58 AM

Hi Brian,

You can use the same interface (with the same logical network) or split it in 2 subinterfaces:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077627

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the ASAs:

Cisco ASA 5510

Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Patrick


0 Helpful

Brian O'Flynn
Level 1
Level 1
In response to Patrick Moubarak

‎10-16-2013 12:48 AM

Hi Patrick,

Thank you for the reply, my question is more around that moment when you move the stateful interface onto the failover and click apply on ASDM.  Would there be any impact to the firewall state or user traffic?

Cheers

Brian

0 Helpful

Patrick Moubarak
Level 4
Level 4
In response to Brian O'Flynn

‎10-16-2013 11:48 AM

I would do it in a maintenance window to be safe. Never tried it in production.

If you remove the failover link command (stop replicating state connection table...) then it becomes a stateless failover (ASAs replicate config but not conn/xlate/... tables). If no failover occurs at this moment, then you should not experience downtime.

Then when you add it again (just on a different interface), the active ASA should start replicating state information to the standby... also no downtime that I can see here.

I would still do it in a maintenance window to be safe.

Good luck,

Patrick

0 Helpful

Brian O'Flynn
Level 1
Level 1
In response to Patrick Moubarak

‎10-18-2013 08:58 AM

Done this last night, just changed the firewall so that the stateful interface used the failover link, no outage to do this.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card