Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 57 Information About High Availability
• Cisco ASA 5580
– Use only non-management 1 Gigabit ports for the stateful link because management ports have
lower performance and cannot meet the performance requirement for Stateful Failover.
For optimum performance when using long distance LAN failover, the latency for the failover link
should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10
milliseconds, some performance degradation occurs due to retransmission of failover messages.
All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate
heartbeat link on systems with high Stateful Failover traffic.
Active/Active and Active/Standby Failover
Two types of failover configurations are supported by the adaptive security appliance: Active/Standby
and Active/Active.
In Active/Standby failover, one unit is the active unit. It passes traffic. The standby unit does not actively
pass traffic. When a failover occurs, the active unit fails over to the standby unit, which then becomes
active. You can use Active/Standby failover for adaptive security appliances in single or multiple context
mode, although it is most commonly used for adaptive security appliances in single context mode.
Active/Active failover is only available to adaptive security appliances in multiple context mode. In an
Active/Active failover configuration, both adaptive security appliances can pass network traffic. In
Active/Active failover, you divide the security contexts on the adaptive security appliance into failover
groups. A failover group is simply a logical group of one or more security contexts. Each group is
assigned to be active on a specific adaptive security appliance in the failover pair. When a failover
occurs, it occurs at the failover group level.
For more detailed information about each type of failover, refer to the following information:
• Chapter 59, “Configuring Active/Standby Failover”
• Chapter 60, “Configuring Active/Active Failover”
Determining Which Type of Failover to Use
The type of failover you choose depends upon your adaptive security appliance configuration and how
you plan to use the adaptive security appliances.
If you are running the adaptive security appliance in single mode, then you can use only Active/Standby
failover. Active/Active failover is only available to adaptive security appliances running in multiple
context mode.
If you are running the adaptive security appliance in multiple context mode, then you can configure
either Active/Active failover or Active/Standby failover.
• To allow both members of the failover pair to share the traffic, use Active/Active failover. Do not
exceed 50% load on each device.
• If you do not want to share the traffic in this way, use Active/Standby or Active/Active failover.