[c-nsp] Geographically dispersed ASA failover?

Matt Buford matt at overloaded.net
Wed Sep 2 16:19:35 EDT 2009


On Wed, Sep 2, 2009 at 1:56 PM, Michael Fox <michaelfox100 at gmail.com> wrote:

> As long as your latency is under 10ms, you should be fine.
> From Cisco's site: "For optimum performance when using long distance LAN
> failover, the latency for the failover link should be less than 10
> milliseconds and no more than 250 milliseconds. If latency is more than 10
> milliseconds, some performance degradation occurs due to retransmission of
> failover messages."
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1052476
>

I have done this (with low latency circuits).  I have migrated customers
from one city to another nearby city across <5 ms links by bridging their
VLANs across the circuit (outer and inner VLANs), then moving one firewall
of a failover pair one night (leaving things running for a day or two with
failover across datacenters), then the next night failing it over to the
firewall in the new DC and moving the 2nd firewall.  This lets us do
"hitless" firewall migrations from one DC to another.  Downtime for the 1
forced failover required to complete the process is sub-second, and stateful
failover allows connections to survive.

We haven't ever left it split like that long term, but I haven't noticed any
problems in the day-or-two migration situations we've done this for.
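An added example, not code from either poster: before stretching a failover pair across datacenters as described above, measure the round-trip time on the failover link and judge it against the Cisco thresholds quoted in the thread (under 10 ms optimum, up to 250 ms supported with degradation). The ping output and the peer address 10.255.255.2 are constructed for the example; the worst sample is judged rather than the average, a conservative choice so that occasional latency spikes are not hidden.

```python
import re

# Constructed sample: output of `ping` against the peer's failover-link
# address over a dispersed circuit. Not a capture from the thread.
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.255.255.2: icmp_seq=1 ttl=255 time=4.1 ms
64 bytes from 10.255.255.2: icmp_seq=2 ttl=255 time=4.3 ms
64 bytes from 10.255.255.2: icmp_seq=3 ttl=255 time=12.8 ms
64 bytes from 10.255.255.2: icmp_seq=4 ttl=255 time=4.0 ms
64 bytes from 10.255.255.2: icmp_seq=5 ttl=255 time=4.2 ms
"""

# Thresholds from the Cisco guidance quoted in the thread (milliseconds).
OPTIMUM_MS = 10.0
MAXIMUM_MS = 250.0

RTT_RE = re.compile(r"time=([0-9.]+) ms")


def parse_rtts(ping_output):
    """Return the round-trip times (ms) found in ping output, in order."""
    return [float(m.group(1)) for m in RTT_RE.finditer(ping_output)]


def assess_failover_link(rtts):
    """Classify failover-link latency samples against the quoted guidance.

    Returns (verdict, worst_ms). The worst sample decides the verdict so
    that a single slow hello exchange is not masked by a low average.
    """
    if not rtts:
        raise ValueError("no RTT samples to assess")
    worst = max(rtts)
    if worst > MAXIMUM_MS:
        return "unsupported", worst      # beyond the 250 ms limit
    if worst > OPTIMUM_MS:
        return "degraded", worst         # works, but failover messages retransmit
    return "optimum", worst


if __name__ == "__main__":
    verdict, worst = assess_failover_link(parse_rtts(SAMPLE_PING_OUTPUT))
    print(f"failover link: {verdict} (worst RTT {worst} ms)")
```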
