Failover replication of interface

jvardhan29 · ‎11-13-2010

i would like to know if the firewall is configured in failover and if i am changing the speed or duplex of any data interface (eg:gig0/1) of the unit acting as Active , will it get replicated to standby unit ? Also , if it doesnot gets replicated , will any of the units will give a warning stating that "interface is not in sync with each other ".

Also if i am changing the speed / duplex of a particular interface in the active unit , will the connections continue to traverse across or is it like that they would come to halt or teardown due to interface parameters being changed . what i mean over here is will changing the parameters will do a kind of shut and unshut the interface for that moment ?

Allen P Chen · ‎11-13-2010

Hello,

As commands are entered in the active ASA, the commands should be replicated on the standby unit. The following is mentioned in the configuration guide:

Command replication always flows from the active unit to the standby unit. As commands are entered on the active unit, they are sent across the failover link to the standby unit. You do not have to save the active configuration to Flash memory to replicate the commands.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079487

So changing the interface parameters on the active ASA should be replicated to the standby unit.

Changing the duplex or speed of the interface will not perform a shut/no shut on the interface, but it will interrupt traffic since the interface will try to detect the settings of the switchport it's connected to and renegotiate. For example, if the switchport is configured for auto duplex, and on the ASA you switch the duplex setting from full duplex to half duplex, a little time is needed for the switchport interface to negotiate to half duplex in order to match the ASA.

Therefore, it's probably best to make these changes after hours or during a maintenance window.

Hope this helps.