Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
0
Helpful
1
Replies

Pros and Cons about using two interfaces on Stateful Failover

mrahman0302
Level 1
Level 1

‎04-14-2011 09:07 AM - edited ‎03-11-2019 01:20 PM

Hi,

I am looking for some documentation about the pros and cons about using single interface vs. two interfaces when configuring stateful failover. I know

it is always best to keep the LAN-based failover and stateful failover data streams on separate interfaces. The stateful failover data stream is usually much larger than the LAN-based failover because of the usually large number of connections that come and go. In addition, LAN-based failover messages must be able to travel between the two units without being lost or delayed. Otherwise, the loss of LAN-based failover messages indicates that one or both units have failed. Is there any more deatails on this?

Thanks.

Labels:
0 Helpful
1 Reply 1

brquinn
Level 1
Level 1

‎04-14-2011 09:27 AM

This issue is talked about in the Config Guide.

"Sharing a data interface with the Stateful Failover interface can leave  you vulnerable to replay attacks. Additionally, large amounts of  Stateful Failover traffic may be sent on the interface, causing  performance problems on that network segment."

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077551

The short of it is that you don't want the ASA to start missing failover hellos because the interface too busy processing stateful failover traffic. The potential being false-positive failover events. I hope this helps answer your question.

Thanks,

Brendan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card