Solved: Re: Failover link

Vishal6 · ‎11-30-2025

Hi team,

Is it failover and stateful link in Cisco Fw high availability configuration sufficient for configuration and connection synchronization between active and passive devices ?

Aref Alsouqi · ‎12-04-2025

You would need to specify the port channel in the commands "failover lan interface fa" and "failover link st" to be port channel 15. Also, please keep in mind that you can't have any configs that aren't related to the HA on that port channel.

View solution in original post

ahollifield · ‎12-01-2025

What exactly is your question? What platform?

Vishal6 · ‎12-04-2025

Does stateful link performs connection synchronizaton between devices ?

We have failover and stateful link, does flapping or down link status of failover link impact our High availability between devices or it breaks ?

Cristian Matei · ‎12-04-2025

Hi,

Session synchronisation happens over "State link" while everything else happens over "High Availability link". Ideally use a port-channel and assign both roles (State Link and High Availability Link) to it, this way you have physical redundancy built-in for both roles.

If "State Link" fails you'll loose session synchronisation. If "High Availability Link" fails and you don't have standby addresses configured on at last one data interface that is UP and monitored you'll end up in split-brain scenario, while if you do have standby addresses configured there'll be no split-brain. FTD's need to reach each other at layer 2 over monitored links where you have standby addresses configured.

Thanks,

Cristian.

Vishal6 · ‎12-04-2025

Do you mean to this way.

interface GigabitEthernet0/4
description FO-ST
speed 1000
duplex full
channel-group 15 mode active

interface GigabitEthernet0/5
description FO-ST
speed 1000
duplex full
channel-group 15 mode active

interface Port-channel15
nameif HA
security-level 0
ip address 203.0.113.10 255.255.255.252 standby 203.0.113.11

failover link fa interface ip address 2.2.2.1 255.255.255.252 2.2.2.2
stateful link St interface ip address 1.1.1.1 255.255.255.252 1.1.1.2

Aref Alsouqi · ‎12-04-2025

You would need to specify the port channel in the commands "failover lan interface fa" and "failover link st" to be port channel 15. Also, please keep in mind that you can't have any configs that aren't related to the HA on that port channel.

Vishal6 · ‎12-05-2025

Would be port channel configuration without any ip?

Aref Alsouqi · ‎12-05-2025

You don't need any IP configuration for the HA interface(s).

Aref Alsouqi · ‎12-04-2025

Yes, the stateful failover (state link) is responsible to synchronize all the sessions information of the supported features shown in the link below. On the other side, the failover link (control link) is responsible to share the failover information between the two peers. If you loose the state link nothing will be impacted as long as the active role doesn't move to the secondary device.

CLI Book 1: Cisco Secure Firewall ASA Series General Operations CLI Configuration Guide, 9.19 - Failover for High Availability [Cisco Secure Firewall ASA] - Cisco

However, if you happen to have the state link down and at the same time a failover happens between the devices and the secondary device becomes the active, then all the sessions that were already established through the previous active firewall now need to be reinitiated.

With regard to the control link, if that breaks between the two peers then both of them will be acting as the active device which will most likely cause an outage or at least an intermittent outage on your network.

Vishal6 · ‎12-04-2025

if stateful link fails? does Failover link performs job of stateful link ?

Aref Alsouqi · ‎12-04-2025

No, each link is responsible for a different set of tasks. The state link is for sessions synchronization, and the control link is for the failover control traffic such as unite state, hello messages, etc.