Pros and Cons about using two interfaces on Stateful Failover
I am looking for some documentation about the pros and cons of using a single interface vs. two interfaces when configuring stateful failover. I know it is always best to keep the LAN-based failover and stateful failover data streams on separate interfaces. The stateful failover data stream is usually much larger than the LAN-based failover stream because of the usually large number of connections that come and go. In addition, LAN-based failover messages must be able to travel between the two units without being lost or delayed. Otherwise, the loss of LAN-based failover messages indicates that one or both units have failed. Are there any more details on this?
Re: Pros and Cons about using two interfaces on Stateful Failover
This issue is talked about in the Config Guide.
"Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment."
The short of it is that you don't want the ASA to start missing failover hellos because the interface is too busy processing stateful failover traffic. The potential result is false-positive failover events. I hope this helps answer your question.
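To make the distinction in the reply concrete, here is an added example (not from the original thread or from Cisco) that reads an ASA running-config and reports whether the Stateful Failover link is a dedicated interface, shares the LAN failover link, or shares a data interface (the case the Config Guide warns about). It recognizes the standard `failover lan interface <name> <phys>` and `failover link <name> [<phys>]` commands; the three sample configs embedded below are constructed for illustration, and the advice strings are the example's own wording.

```python
"""Classify how an ASA pair provisions its failover and Stateful Failover links.
Added example, not from the original thread; sample configs are constructed."""
import re

# Advice text is this example's own summary of the recommendation in the thread.
ADVICE = {
    "dedicated": "OK: Stateful Failover uses its own interface; failover hellos "
                 "are isolated from connection-state replication traffic.",
    "shared-with-failover-link": "Warning: stateful traffic shares the LAN failover "
                                 "link; a burst of state updates can delay hellos "
                                 "and trigger a false failover.",
    "shared-with-data-interface": "Warning: stateful traffic shares a data interface; "
                                  "state updates are exposed on the data segment and "
                                  "compete with user traffic.",
    "stateless": "Info: no 'failover link' configured; failover is stateless.",
    "unknown": "Info: Stateful Failover link could not be resolved to an interface.",
}


def data_interfaces(config: str) -> dict:
    """Map nameif -> physical interface for every data interface.
    A data interface is an 'interface <phys>' block that carries 'nameif'."""
    names = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^interface (\S+)", line)
        if head:
            current = head.group(1)
            continue
        if line.strip() == "!":
            current = None
            continue
        named = re.match(r"^\s+nameif\s+(\S+)", line)
        if current and named:
            names[named.group(1)] = current
    return names


def classify_failover_links(config: str) -> dict:
    """Return {'kind': ..., 'physical': ..., 'advice': ...} for the stateful link."""
    lan = re.search(r"^failover lan interface (\S+) (\S+)", config, re.M)
    state = re.search(r"^failover link (\S+)(?: (\S+))?", config, re.M)
    data = data_interfaces(config)
    data_phys = set(data.values())

    if state is None:
        return {"kind": "stateless", "physical": None, "advice": ADVICE["stateless"]}

    lan_name, lan_phys = (lan.group(1), lan.group(2)) if lan else (None, None)
    state_name, state_phys = state.group(1), state.group(2)

    # 'failover link <name>' with no physical interface reuses an existing one:
    # either the LAN failover link or a data interface identified by its nameif.
    if state_phys is None:
        if state_name == lan_name:
            kind, phys = "shared-with-failover-link", lan_phys
        elif state_name in data:
            kind, phys = "shared-with-data-interface", data[state_name]
        else:
            kind, phys = "unknown", None
    elif state_phys == lan_phys:
        kind, phys = "shared-with-failover-link", state_phys
    elif state_phys in data_phys:
        kind, phys = "shared-with-data-interface", state_phys
    else:
        kind, phys = "dedicated", state_phys
    return {"kind": kind, "physical": phys, "advice": ADVICE[kind]}


# Constructed sample configs (not from any real device).
BASE = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.1.1 255.255.255.0 standby 10.0.1.2
"""
DEDICATED = BASE + "failover link statelink GigabitEthernet0/3\n"
SHARED_FOLINK = BASE + "failover link folink\n"
SHARED_DATA = BASE + "failover link inside\n"

if __name__ == "__main__":
    for label, cfg in [("dedicated", DEDICATED), ("shared folink", SHARED_FOLINK),
                       ("shared data", SHARED_DATA)]:
        result = classify_failover_links(cfg)
        print(f"{label:14} {result['kind']:28} {result['physical']}  {result['advice']}")
```

Run it against `show running-config` output saved to a file to get the same three-way classification for a real pair; the dedicated case is the one the reply recommends.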