Network technologies and trends

Sep 26 2016   4:43AM GMT

Cisco ASA FirePOWER Services and High Availability – Series 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Tags:
Arp
Cisco Firewall
Dynamic Routing
Failover
firewall
NAT
NetFlow
Routing
Syslog
TCP
UDP

The Cisco ASA Appliances offers failover in following states

  • Stateless failover
  • Stateful failover.

By default Cisco ASA Appliance performs stateless failover and in this mode of operation, the Active Unit  does the following

  • Synchronizes its configuration with the standby unit.
  • Maintains all Stateful flow information
  • Doesn’t synchronises Stateful flow with the  Standby Unit

The Stateless failover is not a viable option, especially when failover occurs as it has to re-establish all the connections. This state simply cannot provide the availability of the services without any disruption. However some hardware platforms like Cisco ASA 5505 are only capable of working in Stateless failover mode.

When Stateful failover is enabled on the Cisco ASA Active unit it is capable synchronizing  the following with Standby Unit

  • Stateful table for TCP & UDP connection
  • Routing table both static and dynamic learned routes
  • ARP table
  • Bridge-group MAC mapping table in the transparent mode.
  • Application Inspection data for certain applications like
    • Packet Data Protocol (PDP)
    • General Packet Radio Service (GPRS)
    • GPRS Tunnelling Protocol (GPT)
    • Session Initiation Protocol (SIP) signalling tables.
  • VPN Data structures like Security Associations (SA)

However Stateful failover is supported only for the Cisco ASA Software features, where as the Cisco ASA FirePOWER module need to track the connection state independently.  When failover occurs ASA FirePOWER flows are transferred to the new Active unit.  The ASA FirePOWER module in the new active unit is capable of inspecting the traffic only from that point as old inspection states are not transferred during the failover process.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: