I'd like to hear some comments from people that have used the redundant interface feature on the ASA. Has there been any noticeable benefit in failover times?
Or can the failover polltimes be tuned so that this feature is unnecessary and is not worth the cost of burning so many ports on the firewall?
Please let me know if you are talking about ISP failover in a single ASA or failover feature between two ASAs.
Let me know for further queries.
I am talking about using the redundant interface feature on the ASA and unit redundancy VS. using only unit redundancy.
The redundant interface feature fails over a bit quicker but at the cost of burning ports and additional complexity.
In my testing, with adjusted polling timers, I didn't find that the difference in failover times between the 2 methods seemed to justify using the redundant interface feature.
I was hoping that there are some people out there that have done it both ways and have some thoughts on it.
Well these are two different scenerios. Interface redundancy is at a single ASA level. If the unit fails then there is no point in keeping a redundant link.
On the other hand if you consider failover between two ASAs then yes you make sure that if one unit fails the other takes over.
I agree that the failover between two units is slower than that of the interface as all the connection states need to be replicated on thge second unit.
Are you using statefull failover?
what is teh poll time you tested with.