How Fast do ASA Failover Links Need to Be?

ben.weber (Level 1)

I'm curious if there are any recommendations about this.  I'm setting up an active/standby pair of 5585s that have two 10g interfaces.  The ports I'm planning on using for my failover (and stateful failover) are both 1g.  Is this kosher or would the failover interfaces need to be closer to the performance of the production interfaces?

 

It seems like the failover interfaces are only sharing information about config changes, and then the state table and that sort of thing.  So maybe don't need to be as fast?

 

Are there any recommendations on what the ratios between production interfaces and failover interfaces should be?

 

Thanks,

 

Ben

5 Replies

oppnetwork (Level 1)


AlexPi (Level 1)

Hello Ben,

 

On an active/standby failover, as far as I know, if firewall A dies, then firewall B takes over, and the link between them does not play a big role other than synchronizing the configuration from active to standby and checking what the status is between the two devices.

 

I am running two 5525-x in active/standby and every time the failover had to kick in there was 1-3 pings lost and then you could not tell the difference in performance, since the link between them is not used for anything else. Note that I have the failover over a 1G port.

 

Note, that I have never seen in Cisco literature any recommendation on failover link speeds for active/passive. I guess the story would be different though for active/active.

 

Hope that makes sense.

 

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Right, but you're talking about basic failover.  I'm talking about stateful failover where the firewalls pass real-time state table information back and forth so sessions don't have to re-establish in the event of a failover.  (So there's no ping loss, for example.)

 

In that case it's not that all traffic is shared, so it wouldn't have to be as fast as the production interfaces necessarily.  But it's way more traffic than just a basic failover link.

Hello Ben,

 

I am talking about Stateful Failover in my case as well.

I did a little bit of searching and under the Cisco ASA Series CLI Configuration Guide, 9.0 - Chapter: Information About Failover - Failover Interface Speed for Stateful Links it reads:

 

"Use the following failover interface speed guidelines for the ASAs:

Cisco ASA 5580/5585-X

– Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover."

 

So I guess 1 Gigabit should be fine, or you can use more than one 1 Gigabit port if you feel that it would make a difference. As I personally at least could not find any more details on that, and from my setup the 1 Gigabit port is fine, I would also try Cisco TAC for further advice.


I hope that helps.

 

 


Florin Barhala (Level 6)

I subscribe to AlexPi's reply.

To make sure we are right about this: just add the failover interfaces to any SNMP monitoring interface and check the traffic overview. If you want to go deeper you can perform a manual failover and check the traffic pattern on the failover interface during the failover timeline. I wouldn't expect that much volume.
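The check Florin describes (watch the failover port's counters across a manual failover and see how much of the link is actually used) worked through as an added example. This is not code from the thread or from Cisco; it assumes an external poller already collects IF-MIB ifHCInOctets/ifHCOutOctets for the failover interface, and the samples below are constructed, with the 300 MB burst being a made-up figure for a bulk state sync rather than a measurement.

```python
"""Estimate how busy an ASA failover / stateful link is from SNMP
interface counters (IF-MIB ifHCInOctets / ifHCOutOctets, Counter64).

Added example, not code from the thread or from Cisco. It assumes an
external poller already reads the two 64-bit octet counters of the
failover port every few seconds; SAMPLES below are constructed to show
an idle link followed by a burst during a manual failover. The 300 MB
burst is a hypothetical figure, not a measured one.
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER64_MODULUS = 2 ** 64  # ifHCInOctets / ifHCOutOctets wrap at 2^64


@dataclass(frozen=True)
class Sample:
    t: float         # poll time in seconds (e.g. time.time())
    in_octets: int   # IF-MIB::ifHCInOctets.<ifIndex>
    out_octets: int  # IF-MIB::ifHCOutOctets.<ifIndex>


def counter_delta(prev: int, cur: int, modulus: int = COUNTER64_MODULUS) -> int:
    """Octets counted between two polls of a monotonically increasing
    SNMP counter, tolerating a single wrap (cur < prev)."""
    return (cur - prev) % modulus


def interval_rates(samples: List[Sample]) -> List[Tuple[float, float, float]]:
    """Per-interval (t_end, in_bps, out_bps) for consecutive samples."""
    rates = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        in_bps = counter_delta(a.in_octets, b.in_octets) * 8 / dt
        out_bps = counter_delta(a.out_octets, b.out_octets) * 8 / dt
        rates.append((b.t, in_bps, out_bps))
    return rates


def peak_utilization(samples: List[Sample], link_speed_bps: float) -> Tuple[float, float]:
    """Busiest interval on a full-duplex link: (t_end, utilization), where
    utilization = max(in, out) / link speed as a fraction of 1.0."""
    peak_t, peak_u = samples[0].t, 0.0
    for t_end, in_bps, out_bps in interval_rates(samples):
        u = max(in_bps, out_bps) / link_speed_bps
        if u > peak_u:
            peak_t, peak_u = t_end, u
    return peak_t, peak_u


# Constructed 10-second polls of a stateful failover port (not captured data):
# two quiet intervals, a burst while the standby re-syncs after "failover active"
# is issued on the other unit, then quiet again.
SAMPLES = [
    Sample(0,    1_000_000,    800_000),
    Sample(10,   3_000_000,  2_300_000),   # +2 MB in / +1.5 MB out: hellos + incremental state
    Sample(20,   5_000_000,  3_800_000),
    Sample(30, 305_000_000,  4_300_000),   # +300 MB in: bulk state sync (hypothetical figure)
    Sample(40, 307_000_000,  5_800_000),
]

GIGABIT = 1_000_000_000  # 1 Gbps in each direction


if __name__ == "__main__":
    for t_end, in_bps, out_bps in interval_rates(SAMPLES):
        print(f"t={t_end:>4.0f}s  in={in_bps / 1e6:8.1f} Mb/s  out={out_bps / 1e6:8.1f} Mb/s")
    t, u = peak_utilization(SAMPLES, GIGABIT)
    print(f"peak {u:.0%} of 1G at t={t:.0f}s")
```

To run it against a real pair, replace SAMPLES with polls of ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6.<ifIndex>) and ifHCOutOctets (1.3.6.1.2.1.31.1.1.1.10.<ifIndex>) for the failover port, trigger the switchover with `failover active` on the standby unit, and compare the peak against the port speed. Use the 64-bit HC counters rather than ifInOctets/ifOutOctets: the 32-bit ones wrap in about 34 seconds at 1 Gbps and would hide exactly the burst you are trying to see.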
