Interface for the Failover Link

You can use an unused data interface (physical, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. You cannot use a data management interface if the interface is configured for communication with Security Cloud Control. You also cannot use a subinterface with the exception of a subinterface defined on the chassis for multi-instance mode. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link).

The threat defense does not support sharing interfaces between user data and the failover link. You also cannot use separate subinterfaces on the same parent for the failover link and for data (multi-instance chassis subinterfaces only). If you use a chassis subinterface for the failover link, then all subinterfaces on that parent, and the parent itself, are restricted for use as failover links.

See the following guidelines for the failover link:

• Firepower 4100/9300—You cannot use the management-type interface for the failover link.

• See the following guidelines for sizing the link.

  Failover Link Size

  Model	Interface Size for Combined Failover and State Link
  Firepower 1010	1 Gbps
  Firepower 1100	1 Gbps
  Secure Firewall 1200	1 Gbps
  Secure Firewall 3100	Secure Firewall 3105—1 Gbps Secure Firewall 3110—1 Gbps Secure Firewall 3120—1 Gbps Secure Firewall 3130—10 Gbps Secure Firewall 3140—10 Gbps
  Firepower 4100	10 Gbps
  Secure Firewall 4200	10 Gbps
  Firepower 9300	10 Gbps

The alternation frequency is equal to the unit hold time.

For an EtherChannel used as the failover link, to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link.