State information becomes out of date, and sessions are terminated if a failover occurs.

Failover link failed during operation | No failover | n/a | n/a | Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Regular and Stateful Failover

The security appliance supports two types of failover, regular and stateful. This section includes these topics:

● Regular Failover
● Stateful Failover

Regular Failover

When a failover occurs, all active connections are dropped. Clients need to re-establish connections when the new active unit takes over.

Stateful Failover

When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes these:

● The NAT translation table
● The TCP connection states
● The UDP connection states
● The ARP table
● The Layer 2 bridge table (when it runs in the transparent firewall mode)
● The HTTP connection states (if HTTP replication is enabled)
● The ISAKMP and IPSec SA table
● The GTP PDP connection database

The information that is not passed to the standby unit when stateful failover is enabled includes these:

● The HTTP connection table (unless HTTP replication is enabled)
● The user authentication (uauth) table
● The routing tables
● State information for security service modules

Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.

Failover Configuration Limitations

You cannot configure failover with these types of IP addresses:

● IP addresses obtained through DHCP
● IP addresses obtained through PPPoE
● IPv6 addresses

Additionally, these restrictions apply:

● Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
● Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
● You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive security appliance.
● VPN failover is not supported in multiple context mode.
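
A pre-change check for the limitations listed above, as an added example that is not part of the original document or of any Cisco tool: it scans a saved running-config for DHCP, PPPoE and IPv6 interface addresses and, on an ASA 5505, for stateful or Active/Active failover commands. The sample configuration, the function name audit_failover and the model parameter are assumptions of this example; the Easy VPN Remote and multiple context restrictions are not checked.

```python
import re

# Constructed sample running-config fragment (not from the original document).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet0/2
 nameif dmz
 ipv6 address 2001:db8::1/64
failover
failover lan unit primary
failover link state Ethernet0/3
"""

def audit_failover(config, model="ASA5510"):
    """Return (rule, detail) findings for the limitations listed above.

    `model` is supplied by the caller (an assumption of this example).
    """
    lines = config.splitlines()
    if not any(l.strip() == "failover" for l in lines):
        return []  # failover is not enabled, so no limitation applies
    findings, iface = [], None
    for line in lines:
        s = line.strip()
        if s.startswith("interface "):
            iface = s.split(None, 1)[1]
            continue
        if not line.startswith(" "):
            iface = None  # back at global configuration level
        m = re.match(r"ip address (dhcp|pppoe)\b", s)
        if iface and m:
            findings.append((m.group(1) + "-address", iface))
        elif iface and s.startswith("ipv6 address "):
            findings.append(("ipv6-address", iface))
        elif model == "ASA5505" and s.startswith("failover link "):
            findings.append(("stateful-on-5505", s))
        elif model == "ASA5505" and s.startswith("failover group "):
            findings.append(("active-active-on-5505", s))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_failover(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```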