
Cisco ASA High Availability Concepts and Configurations

Article Description

In any business network, one of the most important things that must be addressed is uptime. Depending on the size of the business and its network, every minute of downtime can significantly affect the productivity of the business, its employees, and the business systems that depend on the network.

To address this within the Adaptive Security Appliance (ASA) product line, Cisco offers high availability through a series of failover capabilities. Sean Wilkins takes a look at a few of these failover capabilities and shows you how they can be configured to provide high availability.

ASA Failover Addresses

Physical Failover Connectivity

When connecting two ASA failover partners, there are up to two failover-specific links that need to be connected. How exactly they are connected depends on the specific configuration.

The first of these is called the failover link; it is used to determine the operating status of the paired device. There are two ways to connect the failover link: through a switch or with a direct cable between the paired devices. When a switch is used for this connectivity, ensure that the link is placed on a separate VLAN from all other traffic. This link can use any unused ASA interface, including physical, redundant, and EtherChannel interfaces.

The second of these is called the stateful failover link. As the name implies, this link is used only when stateful failover is configured. It is used to pass per-connection state information between failover partners (or failover groups) and can carry a large amount of data.

The stateful failover link can be configured in one of three ways: using a dedicated interface (either a direct cable between the ASAs or an isolated VLAN through a switch), sharing the failover link, or sharing a regular data interface.

For any ASA implementation in which the number of connections will be high, a dedicated interface is recommended. If the number of connections will be moderate, sharing the failover link is possible, but performance should be monitored to ensure that the state replication traffic is not saturating the link. The third option is to share a regular data interface; this is generally not recommended unless there is no other option.

One very important thing to note is that, by default, all information that goes over the failover link and the stateful failover link is sent in clear text. This can be changed either by configuring an IPsec tunnel for the failover traffic or by configuring a failover key.
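The following configuration fragment is an added example, not taken from the article, showing the primary unit of an active/standby pair with a dedicated failover link, a dedicated stateful failover link, and a failover key so that the hello and state traffic is no longer sent in clear text. The interface names (GigabitEthernet0/3 and 0/4), the logical link names FOLINK and STATELINK, the 192.0.2.x addresses and the key value are all assumptions chosen for illustration.

```cisco
! Added example (not from the article). Interfaces, names, addresses and
! the key are assumed values; replace them with your own.
!
! Bring up the physical interfaces reserved for failover. They carry no
! nameif/security-level of their own; the failover commands claim them.
interface GigabitEthernet0/3
 description Failover link (isolated VLAN or direct cable)
 no shutdown
!
interface GigabitEthernet0/4
 description Stateful failover link (dedicated interface)
 no shutdown
!
! This unit is the primary; the partner is configured with
! "failover lan unit secondary" and otherwise the same link and key lines.
failover lan unit primary
!
! Failover link: carries hellos and configuration replication.
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Dedicated stateful failover link for per-connection state replication.
! (To share the failover link instead, use "failover link FOLINK" and
! omit the second interface ip line.)
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 192.0.2.5 255.255.255.252 standby 192.0.2.6
!
! Without a key, everything on both links crosses in clear text.
! The key must match on both units.
failover key ChangeMe-FailoverKey-01
!
! Enable failover last, after both links and the key are in place.
failover
```

Verify the result with `show failover`: the output should show the unit as Primary/Active, the partner as Secondary/Standby Ready, and both FOLINK and STATELINK in an up state. If the page's alternative of an IPsec tunnel is preferred over a plain key, newer ASA releases provide `failover ipsec pre-shared-key` for that purpose; either way, the goal is that neither the hellos nor the replicated connection state is readable to anyone with access to the VLAN or switch carrying the links.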
