Wednesday, February 19, 2014

Cisco ASA: Stateful Failover And Stateless (Regular) Failover Configuration And Explanations

One of the things I like about doing this blog is that it can bring up some good conversation between tech guys.  One of my hopes is that 'YOU' become better by reading this blog.  On that same note, "I" also become better by your comments.  I had a post some time back about zero downtime for ASA upgrades that were in HA mode.  (You can see that post here)  After the post, I had a guy bring up that what I showed was not really zero downtime.  But what it really came down to was perception of what zero downtime really is.  Now that dude was right in what he said.  There is a difference in a 'blip', as he said, and zero downtime (really meaning a difference in 'stateful failover' and 'regular failover').  So this past weekend on that move I was doing, one of my tasks was to get the two ASAs they had in HA mode.  Well that discussion between that dude and I rang in my head when I was doing that config.  And I have to say, I much appreciated it too.  His comments made me better this weekend.  So, with that conversation in my head, I did the configuration of stateful failover as well.
So, here are two definitions we all need to know, as defined by Cisco documentation:

Stateless (Regular) Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

Here is what the config looked like at the end on the primary unit, using version 8.0(4).  (<--- Yes, I'm going to do an upgrade soon on these.)  Gig0/2 is the stateful link.  Gig0/3 is the stateless (failover) link.

failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover replication http
failover link state GigabitEthernet0/2
failover interface ip failover 172.20.20.1 255.255.255.252 standby 172.20.20.2
failover interface ip state 172.20.30.1 255.255.255.252 standby 172.20.30.2
failover
no monitor-interface management
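As an added example (my own code, not from the post or from Cisco), here is a small Python checker that parses a failover block like the one above, reports whether it describes stateful or stateless failover, and flags the things I would want caught before a change window: failover not turned on, a link with no `failover interface ip` line, or a standby address that does not sit in the same subnet as the active one. The sample config is a constructed copy of the block above.

```python
import ipaddress
import re

# Constructed sample: the primary-unit block shown in the post above.
SAMPLE_CONFIG = """\
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover replication http
failover link state GigabitEthernet0/2
failover interface ip failover 172.20.20.1 255.255.255.252 standby 172.20.20.2
failover interface ip state 172.20.30.1 255.255.255.252 standby 172.20.30.2
failover
no monitor-interface management
"""

def parse_failover(config):
    """Collect the failover lines of an ASA config into a small dict."""
    fo = {"failover_link": None, "state_link": None, "ips": {}, "enabled": False}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            fo["failover_link"] = (m[1], m[2])          # (link name, interface)
        elif m := re.fullmatch(r"failover link (\S+) (\S+)", line):
            fo["state_link"] = (m[1], m[2])             # stateful link, if any
        elif m := re.fullmatch(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)", line):
            fo["ips"][m[1]] = (m[2], m[3], m[4])        # name -> (active, mask, standby)
        elif line == "failover":
            fo["enabled"] = True                        # the bare line turns it on
    return fo

def failover_mode(fo):
    """'stateful' when a state link is configured, otherwise 'stateless'."""
    return "stateful" if fo["state_link"] else "stateless"

def check_failover(fo):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    if not fo["enabled"]:
        problems.append("failover not enabled: bare 'failover' line is missing")
    if fo["failover_link"] is None:
        problems.append("no failover link ('failover lan interface ...') defined")
    for link in (fo["failover_link"], fo["state_link"]):
        if link and link[0] not in fo["ips"]:
            problems.append(f"link '{link[0]}' has no 'failover interface ip' line")
    for name, (active, mask, standby) in fo["ips"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        # Standby must be a distinct host address inside the same subnet as active.
        if standby == active or ipaddress.ip_address(standby) not in net.hosts():
            problems.append(f"'{name}': standby {standby} is not a usable host in {net}")
    return problems
```

Feed it the output of `show running-config failover` from each unit; a stateless block (no `failover link` line) parses cleanly and is simply reported as stateless.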

So, what communications are moved over the 'stateless failover' link and the 'stateful failover' link?  Good question.  Here is what Cisco says for both:

Failover Link

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link: the unit state (active or standby), hello messages (keep-alives), network link status, MAC address exchange, and configuration replication and synchronization.

Stateful Link

NAT translation table, TCP connection states, UDP connection states, the ARP table, the Layer 2 bridge table (when running in transparent firewall mode), the HTTP connection states (if HTTP replication is enabled), the ISAKMP and IPSec SA table, GTP PDP connection database, and the SIP signalling sessions.

6 comments:

  1. Indeed very helpful

  2. Question: can both (failover AND state) pass through the same physical link? I have just one port to spare for failover purposes. I have a SINGLE context.

  3. Thanks a lot....this helps
