08-17-2012 02:23 PM - edited 03-11-2019 04:43 PM
What is the difference between the failover link and the state link in the context of Cisco FWSM? Why do I need both, or what is the best practice? Thanks in advance. Just trying to understand.
08-17-2012 02:53 PM
Hello,
The difference is that the stateful link is the one in charge of handling the replication of the connections across the FWSM (used for the stateful failover), so if by any chance the device goes down, the connections already established do not go down.
Regards
08-18-2012 08:42 PM
Well, I should have asked the question a different way. I have configs for two pairs (one pair in one segment and another pair in another segment), and the failover configuration is different in that one pair has two unique VLANs being trunked across a crossover cable - a unique LAN failover VLAN and a state VLAN - while the other pair only has one VLAN for both purposes...
PAIR-1
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime unit 15 holdtime 45
failover link failover Vlan100
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
PAIR-2
failover
failover lan unit primary
failover lan interface failover Vlan300
failover polltime unit 1 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover link stateful Vlan301
failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip stateful 192.168.254.5 255.255.255.252 standby 192.168.254.6
According to Cisco's failover configuration document, you should have two VLANs trunked across two chassis (ASA or FWSMs on 6500s). I am trying to understand what type of traffic the "lan interface failover" VLAN 300 in the above config and the "link stateful" VLAN 301 in the above config carry across. What is the best practice? Should I have unique VLANs or just one VLAN for both purposes? Sorry for not being clear in my initial question.
08-18-2012 11:14 PM
Hello Atrey,
Well, it is 100% recommended to use 2 different VLANs (FWSM) or 2 different interfaces (ASA) for the failover link and the state link between 2 units, because of the amount of data being transferred on both of these links.
You do not always have the opportunity to use 2 of them, so that is why you can use only one. I have seen a lot of scenarios using just one and that works perfectly, but again, if possible, then use 2.
It is just a design preference or optimization.
Regards,
Julio
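
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads the two configurations posted above (embedded as sample input) and reports whether the state link shares the failover LAN interface or has its own VLAN, and whether each named failover interface has a `failover interface ip` line. The function name `audit_failover` and the mode labels are assumptions made for illustration.

```python
# Sample input: the two configurations quoted in the thread.
PAIR_1 = """\
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime unit 15 holdtime 45
failover link failover Vlan100
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
"""
PAIR_2 = """\
failover
failover lan unit primary
failover lan interface failover Vlan300
failover polltime unit 1 holdtime 3
failover polltime interface 3
failover interface-policy 1
failover link stateful Vlan301
failover interface ip failover 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover interface ip stateful 192.168.254.5 255.255.255.252 standby 192.168.254.6
"""

def audit_failover(config):
    """Classify the failover link layout of one unit's configuration text."""
    lan = state = None   # (interface name, vlan) for each link
    addressed = set()    # names that have a 'failover interface ip' line
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["failover", "lan", "interface"] and len(w) >= 5:
            lan = (w[3], w[4].lower())
        elif w[:2] == ["failover", "link"] and len(w) >= 3:
            # A missing VLAN token is tolerated here (assumption: the state
            # link is then reusing an interface that is already defined).
            state = (w[2], w[3].lower() if len(w) > 3 else None)
        elif w[:3] == ["failover", "interface", "ip"] and len(w) >= 5:
            addressed.add(w[3])
    if lan is None:
        mode = "no-failover-link"
    elif state is None:
        mode = "stateless"   # failover without connection replication
    elif state[0] == lan[0] or state[1] == lan[1]:
        mode = "shared"      # one VLAN carries both kinds of traffic
    else:
        mode = "dedicated"   # separate VLAN for state replication
    used = {link[0] for link in (lan, state) if link}
    return {"mode": mode, "lan": lan, "state": state,
            "missing_ip": sorted(used - addressed)}

if __name__ == "__main__":
    for name, cfg in (("PAIR-1", PAIR_1), ("PAIR-2", PAIR_2)):
        print(name, audit_failover(cfg))
```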