Cisco Community
English
Register
ANNOUNCEMENT - Security Restructure has finished!. Email and Web Notifications are ON now - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
304
Views
0
Helpful
1
Replies
Highlighted
mrahman0302
mrahman0302 Beginner
Beginner
‎04-14-2011 09:07 AM
‎04-14-2011 09:07 AM

Pros and Cons about using two interfaces on Stateful Failover

Hi,

I am looking for some documentation about the pros and cons about using single interface vs. two interfaces when configuring stateful failover. I know

it is always best to keep the LAN-based failover and stateful failover data streams on separate interfaces. The stateful failover data stream is usually much larger than the LAN-based failover because of the usually large number of connections that come and go. In addition, LAN-based failover messages must be able to travel between the two units without being lost or delayed. Otherwise, the loss of LAN-based failover messages indicates that one or both units have failed. Is there any more deatails on this?

Thanks.

Labels:
0 Helpful
Reply
1 REPLY 1
Highlighted
brquinn
brquinn Beginner
Beginner
‎04-14-2011 09:27 AM
‎04-14-2011 09:27 AM

Re: Pros and Cons about using two interfaces on Stateful Failove

This issue is talked about in the Config Guide.

"Sharing a data interface with the Stateful Failover interface can leave  you vulnerable to replay attacks. Additionally, large amounts of  Stateful Failover traffic may be sent on the interface, causing  performance problems on that network segment."

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1077551

The short of it is that you don't want the ASA to start missing failover hellos because the interface too busy processing stateful failover traffic. The potential being false-positive failover events. I hope this helps answer your question.

Thanks,

Brendan

0 Helpful
Reply
Latest Contents
Multiple Vulnerabilities in Cisco FXOS and NX-OS Software
Created by Omar Santos on 02-26-2020 02:18 PM
0
0
0
0
On February 24, 2020, the Cisco PSIRT published eleven (11) vulnerabilities in Cisco FXOS and NX-OS Software. Eight (8) out of the eleven (11) vulnerabilities were found by our internal security and engineering teams, two were found by TAC during the trou... view more
NGFW
Created by starsulaiman21266 on 02-25-2020 01:58 AM
1
0
1
0
Hello All, i have two vm firepower as HA and they are working fine as HA the traffics going through fin but there is a red mark shows on the HA, can someone tell me what does that mean please? This only appears on the HA not in individual device... view more
Meet the Authors FAQ´s - A Cybersecurity Deep Dive with Omar...
Created by ciscomoderator on 02-24-2020 05:28 PM
0
0
0
0
Software Checker and Automation   This event had place on Thursday 23rd, January at 10hrs PDT  Introduction   Featured Author Omar Santos is an active member of the cyber security community, where he leads several industry-wide init... view more
Get the Cisco 2020 CISO Benchmark Report
Created by Kelli Glass on 02-24-2020 08:16 AM
0
0
0
0
Securing What's Now and What's Next. With our annual global survey of 2,800 security leaders, we dove deep to compile key benchmark statistics. The 2020 CISO Benchmark Report provides valuable takeaways and data on the most pressing cybersecurity to... view more
Malware Policy
Created by Manu Shankar on 02-24-2020 02:40 AM
1
0
1
0
I have 2 Firepower module (ASA 5525) with Malware and IPS licence. Recently i changed the Malware policy action set to "Block Malware" and "Reset Connection". How to log the event if my policy blocked any files? Please find the attached screen shot f... view more
CreatePlease to create content
Discussion
Blog
Document
Video