Configuring the ASA5505 in Active/Standby Failover

Posted on 2011-10-11
Last Modified: 2012-05-12
I have a small branch office that currently has a Pix 506E. I am going to replace this Pix with a pair of ASA5505s configured in Active/Standby. The ASA will do NAT/PAT, 5 site-to-site VPNs, a remote access VPN, as well as inbound and outbound ACLs. There are 20 users at this location.

Reading the Active/Failover documentation from Cisco, I see the ASA5505 does not support Stateful Failover, but all other ASA models do. Can someone explain what "stateful failover" means? My thinking is that all connections are dropped when failover occurs, and that the users will have to reconnect to their hosted applications. Am I correct? Thanks.
Question by:denver218
Accepted Solution

by:Jimmy Larsson, CISSP, CEH
ID: 36951175
You are right. The failover function in the 5505 (Security Plus only!) is limited so that the session table is not replicated between the active and passive firewall, which causes all sessions to be dropped and to have to be rebuilt by the end nodes upon a failover.

Best regards
Kvistofta
Author Comment

by:denver218
ID: 36951250
Thanks. So the VPNs and everything will fail over to the standby unit in the event the active ASA dies, but everyone will have to reconnect to the applications they access over the VPN, right?
Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 36951272
Yes, but the VPN tunnels will also be rebuilt, so you will notice a short (I think a few seconds) interruption of traffic.

/Kvistofta
Author Comment

by:denver218
ID: 36951440
Last question, I promise :) The ASA5505 is a stateful firewall; it's just the failover that is not stateful on the ASA5505. I just want to make sure I am explaining this to them correctly before we order the ASAs. Thanks.
Assisted Solution

by:ryan80
ID: 36952044
That is correct. The ASA is a stateful firewall, but the failover is not stateful. You will need to move to a 5510 for that.
Author Closing Comment

by:denver218
ID: 36955434
Thanks.
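
The distinction discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: a simplified Python model of a stateful firewall pair in which the standby unit either receives the active unit's session table or does not. The class and function names and the sample flow are hypothetical, and "only a SYN may create a connection entry" is a modeling assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    conns: set = field(default_factory=set)  # connection (session) table

    def inspect(self, flow, syn=False):
        """Stateful inspection: allow known flows, admit new ones only on SYN."""
        if flow in self.conns:
            return "allow"
        if syn:
            self.conns.add(flow)
            return "allow (new connection)"
        return "drop (no connection entry)"

@dataclass
class FailoverPair:
    stateful: bool  # True = session table is replicated to the standby unit
    active: Firewall = field(default_factory=lambda: Firewall("primary"))
    standby: Firewall = field(default_factory=lambda: Firewall("secondary"))

    def packet(self, flow, syn=False):
        verdict = self.active.inspect(flow, syn)
        if self.stateful:
            # Stateful failover: copy the active unit's table to the standby.
            self.standby.conns = set(self.active.conns)
        return verdict

    def fail_over(self):
        # The standby takes over with whatever table it holds at this moment.
        self.active, self.standby = self.standby, self.active

def run(stateful):
    """Open a flow, fail over, then send a mid-stream packet and a fresh SYN."""
    pair = FailoverPair(stateful=stateful)
    flow = ("10.1.1.20", 50123, "192.0.2.10", 443)  # constructed sample flow
    results = [pair.packet(flow, syn=True)]      # client opens the session
    pair.fail_over()                             # active unit dies
    results.append(pair.packet(flow))            # existing session, mid-stream
    results.append(pair.packet(flow, syn=True))  # client reconnects
    return results

if __name__ == "__main__":
    print("stateless failover:", run(False))
    print("stateful failover: ", run(True))
```

In the stateless run the new active unit still inspects statefully, but it starts with an empty table, so the established session is dropped until the client opens a new connection.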