Re: HTTPS Connection during Stateful Failover

mumbles202 · ‎09-13-2018

If 2 ASAs are setup in HA w/ stateful failover enabled and a failover occurs, do all https connections need to be re-established? The bulk of the connections would be via the outside interface facing servers, while a smaller set would be via OSPF learned networks. Here's the failover configuration from the ASA:

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/8
failover key mykey
failover polltime unit 5 holdtime 30
failover replication http
failover link failover GigabitEthernet1/8
failover interface ip failover 172.16.252.254 255.255.255.0 standby 172.16.252.250

Ajay Saini · ‎09-13-2018

Hello,

You have stateful failover configured and hence all TCP connections will survive the failover if it happens.

The endpoint applications would not know a difference and there might be a dup ack or retransmission packets which will be a normal TCP scenario and the user running the application would not notice any difference.

Regarding the Dynamic routing protocols, the routes are updated to standby unit and hence the disruption is minimal, all this is clearly documented in the below document, please refer to the 'Supported Features' Section:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/ha-failover.html#ID-2107-000000f0

HTH

AJ

mumbles202 · ‎09-14-2018

Thanks. I thought that would be the case with HTTP connections, wasn't sure about HTTPS. I read the note about the OSPF learned routes as well.

mumbles202 · ‎09-24-2018

Can anyone confirm the same holds true for https connections?

slicerpro · ‎09-24-2018

Ajay has replied that all tcp connections will survive the failover. HTTPS is part tcp.

mkazam001 · ‎11-03-2018

according to the cisco asa, all in one firewall bk - the stateful failover does not replicate http-based connections by default as they can add considerable load on the asa if the traffic is a lot.

regards

azam