Cisco ASA Failover Tips and misc.


When setting up a Cisco ASA failover pair, follow these rules and tips:

  1. Do not use a crossover Ethernet cable or a fiber-optic patch cable to directly connect the two failover LAN interfaces, even if the firewalls are located close to each other:

    Instead, each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.

  2. You should also prepare the switch ports where the LAN-based failover interfaces connect so that failover communication can begin almost immediately. Enable Spanning Tree Protocol PortFast and disable trunking and EtherChannel negotiation. You can use the following IOS Software commands to configure the switch ports:

    Switch# configure terminal
    Switch(config)# interface type mod/num
    ! Enable PortFast for immediate traffic forwarding
    Switch(config-if)# spanning-tree portfast
    ! Disable trunking by making it an access switch port
    Switch(config-if)# switchport mode access
    ! Disable EtherChannel negotiation
    Switch(config-if)# no channel-group

  3. You can use one dedicated LAN interface (10/100 or Gigabit Ethernet) to carry both LAN-based failover and stateful failover information. The interface bandwidth must be large enough to carry the aggregate failover load.

    However, it is always best to keep the LAN-based failover and stateful failover data streams on separate interfaces. The stateful failover data stream is usually much larger than the LAN-based failover because of the usually large number of connections that come and go. Therefore, you should set aside the fastest firewall interface that is available for stateful failover.

  4. In addition, LAN-based failover messages must be able to travel between the two units without being lost or delayed. Otherwise, lost or late LAN-based failover messages are interpreted as a failure of one or both units.

    You can link the two stateful failover interfaces directly with a fiber-optic or crossover patch cord without connecting them to intermediate switches. However, neither firewall unit can determine which unit has had an interface failure, because the link status is lost on both units simultaneously.

    The best-practice recommendations stress the need for an active device such as a switch to connect the stateful failover interfaces. If one unit loses an interface, a switch keeps the link status up for the other firewall unit. This prevents the split-brain or no-brain problem, in which both units or neither unit becomes active.

  5. In the case of FWSMs, they each have a 6-Gbps internal trunk link to the switch backplane. With their high performance, stateful failover information can easily burst up to the link bandwidth. Therefore, if two FWSMs are located in separate chassis, you should provide a stateful failover VLAN link of at least 6 Gbps. You can do this by aggregating Gigabit Ethernet links into a Gigabit EtherChannel.

  6. All stateful failover updates are sent and received over the interface named if_name (stateful, for example). Stateful failover can share the same interface as LAN-based failover if needed. However, you should always try to keep stateful and LAN-based failover isolated on two separate interfaces set aside for these purposes.
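Putting tips 3, 4 and 6 together, here is an added configuration example (not from the original post) for an active/standby pair that keeps LAN-based failover and stateful failover on two separate dedicated interfaces and sets a failover key, so the configuration and connection state replicated between the units are not sent in the clear. Hostnames, interface names and addresses are assumptions; the shared secret is a placeholder.

```cisco
! ---- Primary unit (constructed sample; names and addresses are assumed) ----
hostname asa-primary
!
! Dedicated LAN-based failover interface (tip 4): no data traffic on it.
! The switch port it connects to should have portfast and mode access (tip 2).
interface GigabitEthernet0/2
 description LAN-based failover link
 no shutdown
!
! Separate, fastest available interface for stateful failover (tips 3 and 6)
interface GigabitEthernet0/3
 description Stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link stateful GigabitEthernet0/3
failover interface ip stateful 10.255.0.5 255.255.255.252 standby 10.255.0.6
!
! Shared secret used to encrypt failover messages; without it the replicated
! configuration (credentials included) and state cross the failover VLAN unencrypted.
failover key <placeholder-shared-secret>
!
! Unit poll/hold timers (seconds): holdtime must be at least 3x polltime.
! Short timers only make sense if the switch ports forward immediately (tip 2).
failover polltime unit 1 holdtime 3
failover
!
! ---- Secondary unit: same failover block, only the unit role differs ----
hostname asa-secondary
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link stateful GigabitEthernet0/3
failover interface ip stateful 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover key <placeholder-shared-secret>
failover
!
! Verify on either unit: "show failover" should list the peer as Standby Ready
! and show both the folink and stateful links as Up.
```

If "show failover" reports the stateful link as down while the LAN failover link is up, check that the stateful interface is not directly cabled between the units, since a direct cable cannot tell the units which side actually failed (tip 4).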

About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast and full-time networking and systems engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA-FWV
  • Jag

    I'm looking at installing an HA Cisco network, using 2 ASAs, 2 core switches and 4 edge switches. Each LAN cable from the firewall(s) will go to each core switch. However, will this not create a loop? Does STP not need to be turned off on these 2 ports?

    • It's difficult to explain this without a diagram, but essentially no L2 loop is formed.

      Cisco ASA ports are routed ports. The Primary unit and the Secondary unit ports each have different IPs. The failover ports connecting the two ASAs are also routed ports, on a different subnet from the interfaces. Therefore, no L2 loop exists and spanning tree is not necessary. You can use spanning tree portfast on the switch port connecting to the ASA.

      I hope this helps answer your question.

      Alfred Tong
