09-13-2018 08:59 AM - edited 03-12-2019 04:10 AM
If 2 ASAs are set up in HA with stateful failover enabled and a failover occurs, do all HTTPS connections need to be re-established? The bulk of the connections would be via the outside interface facing servers, while a smaller set would be via OSPF-learned networks. Here's the failover configuration from the ASA:
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/8
failover key mykey
failover polltime unit 5 holdtime 30
failover replication http
failover link failover GigabitEthernet1/8
failover interface ip failover 172.16.252.254 255.255.255.0 standby 172.16.252.250
09-13-2018 10:11 AM
Hello,
You have stateful failover configured and hence all TCP connections will survive the failover if it happens.
The endpoint applications would not know the difference. There might be a dup ACK or retransmitted packets, which is a normal TCP scenario, and the user running the application would not notice any difference.
Regarding the dynamic routing protocols, the routes are updated to the standby unit and hence the disruption is minimal. All this is clearly documented in the below document; please refer to the 'Supported Features' section:
HTH
AJ
09-14-2018 06:32 AM
Thanks. I thought that would be the case with HTTP connections, wasn't sure about HTTPS. I read the note about the OSPF learned routes as well.
09-24-2018 01:37 PM
Can anyone confirm the same holds true for HTTPS connections?
09-24-2018 01:55 PM
Ajay has replied that all TCP connections will survive the failover. HTTPS is part of TCP.
11-03-2018 05:33 PM
According to the Cisco ASA all-in-one firewall book, the stateful failover does not replicate HTTP-based connections by default, as they can add considerable load on the ASA if there is a lot of traffic.
Regards
azam
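The two settings this thread turns on, the stateful link and `failover replication http`, can be checked offline against a saved configuration. The following Python sketch is an added example, not code from any poster or from Cisco; the function name `audit_failover` and the report keys are hypothetical, and the sample input is the failover block quoted in the question.

```python
import re

# Failover lines as quoted in the question above (sample input for this example).
SAMPLE_CONFIG = """\
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet1/8
failover key mykey
failover polltime unit 5 holdtime 30
failover replication http
failover link failover GigabitEthernet1/8
failover interface ip failover 172.16.252.254 255.255.255.0 standby 172.16.252.250
"""

PATTERNS = {
    "unit": r"failover lan unit (primary|secondary)",
    "lan_link": r"failover lan interface (\S+) (\S+)",
    "state_link": r"failover link (\S+)(?: (\S+))?",
    "timers": r"failover polltime unit (\d+) holdtime (\d+)",  # seconds form only
}

def audit_failover(config):
    """Report the failover settings that decide what state reaches the standby."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    found = {}
    for ln in lines:
        for name, pattern in PATTERNS.items():
            m = re.fullmatch(pattern, ln)
            if m:
                found[name] = m.groups()
    state = found.get("state_link")
    report = {
        "enabled": "failover" in lines,
        "unit": found.get("unit", (None,))[0],
        "stateful": state is not None,  # 'failover link' names the state link
        "http_replication": "failover replication http" in lines,
        # True when state updates share the failover LAN link (same nameif)
        "shared_link": bool(state) and found.get("lan_link", ("",))[0] == state[0],
        "timers": tuple(int(x) for x in found.get("timers", ())),
        "findings": [],
    }
    if not report["enabled"]:
        report["findings"].append("failover is not enabled")
    if not report["stateful"]:
        report["findings"].append("no 'failover link': connection state is not sent to the standby")
    elif not report["http_replication"]:
        report["findings"].append("'failover replication http' absent: HTTP connections are not replicated")
    return report
```

For the configuration in the question, the report shows a stateful pair with HTTP replication enabled and the state link sharing the failover LAN interface, with no findings.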