Your company’s active ASA currently shares its stateful failover link with a regular data interface. Your
supervisor asks you to configure a failover key on both the active ASA and the standby ASA.
Which of the following is most likely the reason? (Select the best answer.)
A. so that the risk of exposure of VPN configuration information is mitigated
B. so that both ASA devices forward traffic for a given group of security contexts
C. so that the active ASA can monitor the status of the standby ASA
D. so that the stateful failover link cannot use a regular data interface
Explanation:
Most likely, you would configure a failover key on both the active Cisco Adaptive Security Appliance (ASA) and
the standby ASA so that the risk of exposure of virtual private network (VPN) configuration is mitigated. An ASA
can share its stateful failover link with a regular data interface only when the unit is operating in single context,
routed mode. However, Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN
failover link instead because stateful failover traffic can increase the possibility of congestion and can negatively
impact the performance of the shared data interface. In addition, all LAN failover and stateful failover
information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data
interface can unnecessarily expose VPN configuration information, such as user names, passwords, and
preshared keys (PSKs) to malicious users on the shared network segment. You can mitigate this risk by
configuring a failover key on both the active unit and the standby unit to protect failover information.
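The following ASA CLI fragment is an added illustration, not part of the original question or of Cisco's documentation. It contrasts the weak setup the question describes (stateful failover link shared with a data interface, no failover key, so all failover traffic crosses the data segment in clear text) with the recommended form (dedicated LAN failover and stateful failover interface plus a failover key). Interface names (GigabitEthernet0/0, GigabitEthernet0/2, the nameifs inside and folink), the 10.0.0.0/24 addresses, and the key string are constructed placeholders; substitute your own values. The same failover key must be configured identically on both units, or the pair will not form.

```text
! ---- Weak: single context, routed mode, stateful link shared with data interface ----
! Failover state (connection table, VPN session data, etc.) rides on the "inside"
! data segment in clear text, and competes with user traffic for bandwidth.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Sharing the stateful link with an existing data interface: no phys_if is given
! because "inside" is already a configured data interface (constructed example).
failover link inside
failover
! No "failover key" line: LAN failover and stateful failover messages are unencrypted.

! ---- Recommended: dedicated failover interface, stateful link shares it, key set ----
! Run the same lines on the primary unit; on the secondary unit use
! "failover lan unit secondary" and keep every other line identical.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
! Stateful failover shares the dedicated LAN failover link rather than a data interface.
failover link folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Shared secret used to authenticate and encrypt failover communications between
! the two units. Placeholder value; choose a strong key and set it on BOTH units.
failover key F@ilover-K3y-Placeholder
failover

! Verification (run on both units after the pair has synchronized):
!   show failover                   - confirms state (Active / Standby Ready) and
!                                     that stateful failover statistics are updating
!   show running-config failover    - confirms the failover key line is present
```

Because the key is only effective when both units agree on it, configure it on the active and standby ASAs before enabling `failover`; a mismatch is a common cause of the units failing to pair.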
You would not configure a failover key so that the active ASA can monitor the status of the standby ASA. An
ASA can be configured to participate in either an active/standby or an active/active failover configuration. In an
active/standby configuration, one ASA serves as the active unit and forwards traffic. A second ASA functions as
a standby unit, which monitors the status of the active unit. If a failover event is triggered, the standby unit takes
on the role of the active unit.
You would not configure a failover key so that both ASA devices forward traffic for a given group of security
contexts. An active/active failover configuration enables both ASAs to forward traffic for a select group of
security contexts. With active/active failover, two failover groups exist as security contexts on each ASA. When
a failover event is triggered, a failover group can become active on a standby unit or the entire standby unit can
become the new active unit. Because an active/active failover configuration relies on security contexts, both
ASAs must be in multiple context mode before active/active failover can be implemented. The failover
configuration for each unit in an active/active failover configuration is managed from within the system context.
Unlike user contexts, the system context does not contain any normal data interfaces.
You would not configure a failover key so that the stateful failover link cannot use a regular data interface.
Instead, you would configure an ASA to operate in multiple context, routed mode or multiple context,
transparent mode. An ASA operating in multiple context, routed mode or multiple context, transparent mode
does not support using a regular data interface as the stateful failover link. When an ASA is operating in
multiple context mode, the stateful failover link resides in the system context, which does not contain any
regular data interfaces. Thus the stateful failover link cannot be a shared data link.
The implementation of the failover process between the active and standby units can be either stateless or
stateful. In a stateless failover implementation, the standby unit of a failover pair takes on the IP and Media
Access Control (MAC) addresses of the old active unit during a failover event. This mechanism enables
network clients to maintain their existing network configurations; however, because no network state
information is retained, the clients must reestablish their network connections through the new active unit. By
contrast, the active unit in a stateful failover implementation transmits certain types of state information through
a stateful failover link to the standby unit. This exchange of state information ensures that the standby unit can
preserve the state information for open connections during the failover process. Because the state information
is preserved, the impact of a failover event on network hosts with open connections can be mitigated.
Reference: Cisco: Information About High Availability: Stateful Failover Link