10-23-2013 03:45 PM - edited 03-11-2019 07:55 PM
I've typically configured both LAN and State failover for the ASAs via the same physical interface. For example on an ASA5510:
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
I'm now upgrading to the -X series, and since they have more physical interfaces, I'm wondering if there's any advantage to configuring stateful failover information on a separate interface? Like this:
failover lan unit primary
failover lan interface LAN_FAILOVER GigabitEthernet0/4
failover link STATE_FAILOVER GigabitEthernet0/5
failover interface ip LAN_FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover interface ip STATE_FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
10-23-2013 04:18 PM
Think I found the answer
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759
01-07-2014 04:04 AM
Hello Johnyy,
Can you please share what you understood from this, and which one should be used?
Or if I say I want to enable stateful failover so that when my primary firewall goes down, all the connection information should be passed to the secondary unit and the secondary should act as the active one. For this, do I need to enable both LAN failover as well as link failover?
I doubt if the failover link only helps in sharing connection information with the secondary firewall, and LAN failover is always needed to check the state of the primary firewall.
04-08-2018 12:16 AM - edited 04-08-2018 12:23 AM
failover lan interface FAILOVER Ethernet0/3
This means the ASA uses this Ethernet 0/3 interface to monitor failover through hello messages. This determines which unit is going to be Active or Standby. It is also used for configuration replication.
You should monitor the stateful traffic in your environment. If it's heavy, it's better to use a dedicated link for failover.
You can use any available and unused interface other than Ethernet 0/3 for stateful traffic exchange.
Example:
failover link FAILOVER Ethernet0/1
We can configure an IPsec tunnel or the failover key command to encrypt the message exchange.
Thank you.
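An added example, not from the thread or from Cisco: a Python check over saved running-config text that reports whether the state link has its own interface and whether `failover key` or `failover ipsec pre-shared-key` is set. The two sample configs are constructed from the lines quoted above, and the function name `audit_failover` and the masked key value are assumptions.

```python
import re

# Constructed sample: the two-interface layout from the question, no key set.
SPLIT_NO_KEY = """\
failover
failover lan unit primary
failover lan interface LAN_FAILOVER GigabitEthernet0/4
failover link STATE_FAILOVER GigabitEthernet0/5
failover interface ip LAN_FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover interface ip STATE_FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
"""

# Constructed sample: shared interface with a key (masked, as the running-config shows it).
SHARED_WITH_KEY = """\
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover key *****
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
"""


def audit_failover(config):
    """Return a summary of the failover lines in an ASA running-config."""
    lines = [ln.strip() for ln in config.splitlines()]
    lan = state = None
    for ln in lines:
        if m := re.fullmatch(r"failover lan interface (\S+) (\S+)", ln):
            lan = m.groups()                      # (nameif, physical interface)
        elif m := re.fullmatch(r"failover link (\S+)(?: (\S+))?", ln):
            state = m.groups()                    # physical part may be omitted
    # A state link that reuses the LAN failover name rides the same interface.
    if state and lan and state[1] is None and state[0] == lan[0]:
        state = (state[0], lan[1])
    encrypted = any(re.match(r"failover (key|ipsec pre-shared-key) \S", ln)
                    for ln in lines)
    dedicated = bool(state and lan and state[1] != lan[1])
    findings = []
    if (lan or state) and not encrypted:
        findings.append("failover traffic unencrypted: no failover key or IPsec pre-shared key")
    if state and not dedicated:
        findings.append("state link shares the LAN failover interface")
    return {"enabled": "failover" in lines, "stateful": state is not None,
            "dedicated_state_link": dedicated, "encrypted": encrypted,
            "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_NO_KEY), ("shared", SHARED_WITH_KEY)):
        print(name, audit_failover(cfg))
```

The shared-interface finding is informational: it matters when stateful traffic is heavy, as the reply above notes.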