ASA HTTP connection replication question

d-fillmore
Level 2

I'm assessing the potential service impact of failing over from one ASA to another with HTTP replication disabled.

There is some concern that HTTP flows may be broken or disrupted when we failover

Surely HTTP is just an application running over TCP and the connection table is replicated by default in a stateful failover pair so I'm struggling to see how HTTP would be affected.

 

Is HTTP replication only relevant if you have HTTP inspection enabled and all that inspection info can be replicated?

Cheers, Dom


10 Replies

Vibhor Amrodia
Cisco Employee

Hi,

From the command reference:-

"By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance."

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014541

Also, HTTP inspection would not have any effect on the stateful connection replication on the failover.

I hope this answers your query. If you have any other query, please let me know.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor, Thanks for taking the time to respond, but this doesn't answer my question.

I always read as much of the documentation available as possible before posting.

Cheers, Dom

Hi,

Okay. Let me answer this as per the query.

HTTP connections are not replicated to the Standby unit on Stateful Failover without the "failover http replication" command enabled.

HTTP inspection is irrelevant to the connection being replicated or not on the HA pair.

Let me know if any other queries.

Thanks and Regards,

Vibhor Amrodia

 

Hi Vibhor,

Are the HTTP connections we're talking about connections to the ASA, or through the ASA?

HTTP is a layer 7 protocol. If the TCP connection table is replicated between ASAs then I would expect HTTP to function uninterrupted through a pair of ASAs if you failed them over from one to the other, much like an SSH session, which would stay up.

 

Do you see what I'm getting at? If you replicate TCP connections between both devices, anything that runs on top of TCP should subsequently be replicated.

 

Cheers, Dom

 

Hi,

I am referring to the Connections through the ASA device.

You need to understand that when we are talking about HTTP connection it talks about the HTTP service which works on port 80.

So, all the port 80 connections will not be replicated to the Standby Unit until and unless this command is enabled on the ASA device.

Check this Statement from the same link:-

"To enable HTTP (port 80) connection replication"

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f1.html#pgfId-2014541

Thanks and Regards,

Vibhor Amrodia

Ah OK. So by default, all TCP connections except on port 80 are replicated and you need to explicitly enable replication of port 80 by using HTTP replication?

Hi,

Yes, you are correct.

Thanks and Regards,

Vibhor Amrodia

Thanks :) 

Hi Vibhor, do you know what the performance impact is of enabling HTTP replication?

E.g. is it an increase in the load on the processor to synchronise lots of small flows?

I'm trying to get a feel for what is an acceptable number of HTTP flows for a given ASA (e.g. 5580-20) to consider turning HTTP replication on.

 

Cheers, Dom

Hi,

I don't think the HTTP replication would have any problems with the load on the ASA device.

It can certainly increase the load on the Stateful link for the failover.

In a normal scenario, we don't see many issues with this being enabled.

Thanks and Regards,

Vibhor Amrodia
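An added example (not from this thread or from Cisco) that applies the rule agreed above, namely that TCP port 80 connections are not replicated to the standby unit unless `failover replication http` is configured, to a `show conn` listing and a running config, so an operator can see which current flows would be lost on failover and how many extra flows replication would push over the stateful link. The `show conn` line layout, the sample flows and the config fragments are constructed for the example.

```python
import re

# Assumed `show conn` line layout (constructed, modelled on ASA output):
# TCP outside 198.51.100.10:80 inside 192.168.1.20:49152, idle 0:00:03, bytes 5120, flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)

HTTP_PORT = 80  # per the thread, "HTTP" here means the port 80 service only

# Constructed sample data for the example.
SAMPLE_CONN = """\
TCP outside 198.51.100.10:80 inside 192.168.1.20:49152, idle 0:00:03, bytes 5120, flags UIO
TCP outside 198.51.100.10:443 inside 192.168.1.21:49153, idle 0:00:10, bytes 20480, flags UIO
TCP outside 198.51.100.30:22 inside 192.168.1.5:50000, idle 0:00:01, bytes 9000, flags UIO
TCP outside 198.51.100.10:80 inside 192.168.1.22:49154, idle 0:00:02, bytes 700, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.20:40000, idle 0:00:01, bytes 120, flags -
"""
SAMPLE_CONFIG_DEFAULT = "failover\nfailover lan unit primary\n"
SAMPLE_CONFIG_HTTP = SAMPLE_CONFIG_DEFAULT + "failover replication http\n"


def http_replication_enabled(running_config: str) -> bool:
    """True when the config carries an exact 'failover replication http' line."""
    return any(l.strip() == "failover replication http" for l in running_config.splitlines())


def parse_conn(show_conn: str) -> list:
    """Parse matching `show conn` lines into dicts; unrecognised lines are skipped."""
    flows = []
    for line in show_conn.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port_a"], d["port_b"], d["bytes"] = int(d["port_a"]), int(d["port_b"]), int(d["bytes"])
            flows.append(d)
    return flows


def is_http(flow: dict) -> bool:
    """TCP flow with port 80 on either end (client or server side, as the listing may show)."""
    return flow["proto"] == "TCP" and HTTP_PORT in (flow["port_a"], flow["port_b"])


def failover_impact(show_conn: str, running_config: str) -> dict:
    """Classify flows; only TCP/80 is at risk, everything else is assumed replicated (thread's rule)."""
    flows = parse_conn(show_conn)
    at_risk = [f for f in flows if is_http(f) and not http_replication_enabled(running_config)]
    return {"total": len(flows), "http": sum(1 for f in flows if is_http(f)),
            "replicated": len(flows) - len(at_risk), "dropped_on_failover": len(at_risk),
            "dropped": [f"{f['ip_a']}:{f['port_a']} <-> {f['ip_b']}:{f['port_b']}" for f in at_risk]}
```

The `http` count is also the number of additional flows the stateful link would have to carry once replication is switched on, which is the load question raised above.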

 
