Your company’s active ASA currently shares its stateful failover link with a regular data interface. Your supervisor asks you to configure a failover key on both the active ASA and the standby ASA.
Which of the following is most likely the reason? (Select the best answer.)
- so that the risk of exposure of VPN configuration information is mitigated
- so that both ASA devices forward traffic for a given group of security contexts
- so that the active ASA can monitor the status of the standby ASA
- so that the stateful failover link cannot use a regular data interface
Most likely, you would configure a failover key on both the active Cisco Adaptive Security Appliance (ASA) and the standby ASA so that the risk of exposure of virtual private network (VPN) configuration is mitigated. An ASA can share its stateful failover link with a regular data interface only when the unit is operating in single context, routed mode. However, Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN failover link instead because stateful failover traffic can increase the possibility of congestion and can negatively impact the performance of the shared data interface. In addition, all LAN failover and stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface can unnecessarily expose VPN configuration information, such as user names, passwords, and preshared keys (PSKs) to malicious users on the shared network segment. You can mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover information.
You would not configure a failover key so that the active ASA can monitor the status of the standby ASA. An ASA can be configured to participate in either an active/standby or an active/active failover configuration. In an active/standby configuration, one ASA serves as the active unit and forwards traffic. A second ASA functions as a standby unit, which monitors the status of the active unit. If a failover event is triggered, the standby unit takes on the role of the active unit.
You would not configure a failover key so that both ASA devices forward traffic for a given group of security contexts. An active/active failover configuration enables both ASAs to forward traffic for a select group of security contexts. With active/active failover, two failover groups exist as security contexts on each ASA. When a failover event is triggered, a failover group can become active on a standby unit or the entire standby unit can become the new active unit. Because an active/active failover configuration relies on security contexts, both ASAs must be in multiple context mode before active/active failover can be implemented. The failover configuration for each unit in an active/active failover configuration is managed from within the system context. Unlike user contexts, the system context does not contain any normal data interfaces.
You would not configure a failover key so that the stateful failover link cannot use a regular data interface. Instead, you would configure an ASA to operate in multiple context, routed mode or multiple context, transparent mode. An ASA operating in multiple context, routed mode or multiple context, transparent mode does not support using a regular data interface as the stateful failover link. When an ASA is operating in multiple context mode, the stateful failover link resides in the system context, which does not contain any regular data interfaces. Thus the stateful failover link cannot be a shared data link.
The implementation of the failover process between the active and standby units can be either stateless or stateful. In a stateless failover implementation, the standby unit of a failover pair takes on the IP and Media Access Control (MAC) addresses of the old active unit during a failover event. This mechanism enables network clients to maintain their existing network configurations? however, because no network state information is retained, the clients must reestablish their network connections through the new active unit. By contrast, the active unit in a stateful failover implementation transmits certain types of state information through a stateful failover link to the standby unit. This exchange of state information ensures that the standby unit can preserve the state information for open connections during the failover process. Because the state information is preserved, the impact of a failover event on network hosts with open connections can be mitigated.