ASA LAN BASED ACTIVE/STANDBY STATEFUL FAILOVER
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2007 11:34 AM - edited 03-11-2019 03:20 AM
Hi, I would like to know what kind of performance problems could I have if I configure two ASAs 5520 doing Active/Standby Failover using the same LAN interface for the failover link/stateful llink.
That?s because I need to use two outside interfaces.
- Labels:
-
NGFW Firewalls
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2007 11:45 AM
The problem is that the firewall uses this interface to send state of connections to the standby, so every traffic in the firewall is replicated to the standby and in case it's going through your lan there must be some delay in this transmition. you can use management interface for this link!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2007 12:27 PM
thankyou, What I want to do is connecto two ASA 5520 doing stateful failover Active/Stanby but I want to use only one Ethernet Interface.
Is there a problem of doing that??
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2007 12:35 PM
The problem I see if the two units are connected through the inside lan is that:
If the active unit fails and the secondary unit did not received all the states because of the delay of the connection some connections can be dropped because the packedt that left the "primary unit" now comes back to the secondary (who is active) if the secondary did not received the satate of this connection it will drop this packets.
Plus the data exchanged between the units will be concurrent with the traffic that your firewall has to send to hosts who are communicating through the firewall what can make the connections slower dependinf of your traffic
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2007 01:43 PM
Thankyou, I?m not thinking using the LAN inside connection also for failover, what do you think if I use a single "dedicated" link to do failover - stateful. My question is because in the documentation they use two links: one for failover and another for stateful. That means that if I?m using ASAs 5520 I will loose 2 of the five interfaces just for the failover.
