Cisco FirePOWER ASA 5500 series Configuration Manual page 206

Understanding Failover
LAN-Based Failover Link
You can use any unused Ethernet interface on the device as the failover link. You cannot specify an
interface that is currently configured with a name. The failover link interface is not configured as a
normal networking interface; it exists only for failover communication. This interface should only be
used for the failover link (and optionally for the Stateful Failover link). You can connect the LAN-based
failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover
Ethernet cable to link the units directly.
Note: When using VLANs, use a dedicated VLAN for the failover link. Sharing the failover link VLAN with
any other VLANs can cause intermittent traffic problems and ping and ARP failures. If you use a switch
to connect the failover link, use dedicated interfaces on the switch and security appliance for the failover
link; do not share the interface with subinterfaces carrying regular network traffic.
On systems running in multiple context mode, the failover link resides in the system context. This
interface and the Stateful Failover link, if used, are the only interfaces that you can configure in the
system context. All other interfaces are allocated to and configured from within security contexts.
Note: The IP address and MAC address for the failover link do not change at failover.
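The rules above (the failover link must be an otherwise unused interface with no name, and must not share a physical interface with subinterfaces carrying regular traffic) can be checked against a saved running configuration. The following audit script is an added example, not from the manual or from Cisco: the configuration excerpt is constructed for the example, the `failover lan interface <name> <phys>` and `failover link <name> <phys>` command forms are assumed from the ASA CLI, and the interface names and addresses are made up.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the manual). The second
# failover link deliberately shares a physical interface with a data subinterface.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/3
 description dedicated failover link
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover link statelink GigabitEthernet0/2
failover interface ip statelink 10.0.1.1 255.255.255.0 standby 10.0.1.2
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped lines of its block]}.

    Blocks begin with an unindented 'interface ...' line and end at the next
    unindented line (typically '!' or the next top-level command).
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def failover_physical_interfaces(config: str) -> Dict[str, str]:
    """Map failover-link and Stateful Failover link names to physical interfaces.

    Assumed command forms: 'failover lan interface <name> <phys>' and
    'failover link <name> <phys>'.
    """
    links: Dict[str, str] = {}
    pattern = re.compile(r"^failover (?:lan interface|link) (\S+) (\S+)\s*$", re.M)
    for match in pattern.finditer(config):
        links[match.group(1)] = match.group(2)
    return links


def audit_failover_links(config: str) -> List[str]:
    """Flag failover links whose physical interface is also used for data."""
    findings: List[str] = []
    blocks = parse_interfaces(config)
    for link_name, phys in failover_physical_interfaces(config).items():
        block = blocks.get(phys)
        if block is None:
            findings.append(f"{link_name}: {phys} has no interface block")
            continue
        # A 'nameif' on the physical interface means it is a regular data interface.
        if any(l.startswith("nameif ") for l in block):
            findings.append(f"{link_name}: {phys} carries a nameif and is a regular data interface")
        # Subinterfaces on the same physical port carry regular network traffic.
        subifs = sorted(name for name in blocks if name.startswith(phys + "."))
        if subifs:
            findings.append(f"{link_name}: {phys} has subinterfaces {subifs} carrying regular traffic")
    return findings


if __name__ == "__main__":
    for finding in audit_failover_links(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the dedicated link on GigabitEthernet0/3 passes, while the state link on GigabitEthernet0/2 is reported because GigabitEthernet0/2.10 is a named data subinterface on the same port.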
Serial Cable Failover Link (PIX Security Appliance Only)
The serial Failover cable, or "cable-based failover," is only available on the PIX 500 series security
appliance. If the two units are within six feet of each other, then we recommend that you use the serial
Failover cable.
The cable that connects the two units is a modified RS-232 serial link cable that transfers data at
117,760 bps (115 Kbps). One end of the cable is labeled "Primary". The unit attached to this end of the
cable automatically becomes the primary unit. The other end of the cable is labeled "Secondary". The
unit attached to this end of the cable automatically becomes the secondary unit. You cannot override
these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series
security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
The benefits of using cable-based failover include:
• The PIX 500 series security appliance can immediately detect a power loss on the peer unit and
differentiate between a power loss and an unplugged cable.
• The standby unit can communicate with the active unit and can receive the entire configuration
without having to be bootstrapped for failover. In LAN-based failover you need to configure the
failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure;
cable-based failover eliminates this potential point of failure.
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to
manually enter that information in the unit configurations.
The disadvantages include:
• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.
Cisco Security Appliance Command Line Configuration Guide, 14-4
Chapter 14 Configuring Failover, OL-10088-01
