Pros and Cons about using two interfaces on Stateful Failover
I am looking for some documentation about the pros and cons about using single interface vs. two interfaces when configuring stateful failover. I know
it is always best to keep the LAN-based failover and stateful failover data streams on separate interfaces. The stateful failover data stream is usually much larger than the LAN-based failover because of the usually large number of connections that come and go. In addition, LAN-based failover messages must be able to travel between the two units without being lost or delayed. Otherwise, the loss of LAN-based failover messages indicates that one or both units have failed. Is there any more deatails on this?
Re: Pros and Cons about using two interfaces on Stateful Failove
This issue is talked about in the Config Guide.
"Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment."
The short of it is that you don't want the ASA to start missing failover hellos because the interface too busy processing stateful failover traffic. The potential being false-positive failover events. I hope this helps answer your question.
Hi,I was trying to 2fa cisco duo , all the required settings done as per below . The problem is duo cloud does nti not getting any request from the asa . So I am not getting any code from the duo https://www.youtube.com/watch?v=6nEvmc8wji...
This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".
To participate in this event, please use the button to ask your questions
Here’s your ch...
User Experience Enhancements
As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.
Early Access introduces a...
This video features a step by step walk through of configuring Cisco AnyConnect on FTD managed by FMC. Timestamps included for certificate installation, Access Control, Licensing, NAT, and Deployment failures.
I am trying to solve a CSR signing issue in a home lab.Can someone clarify this theoretical point? According to Wikipedia: "Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The...