
Failover and Stateful Link for FDM-Managed High Availability

Failover Link and (Optional) Stateful Link

The failover link is a dedicated connection between the two units. The stateful failover link is also a dedicated connection, but you can either use the one failover link as a combined failover/state link, or you can create a separate, dedicated state link. If you use just the failover link, the stateful information also goes over that link: you do not lose stateful failover capability. By default, the communications on the failover and stateful failover links are plain text (unencrypted). You can encrypt the communications for enhanced security by configuring an IPsec encryption key.

You can use any unused physical data interface as the failover link and as the optional dedicated state link. However, you cannot select an interface that is currently configured with a name, or one that has subinterfaces. The failover and stateful failover link interfaces are not configured as normal networking interfaces. They exist for failover communication only, and you cannot use them for through traffic or management access. Because the configuration is synchronized between the devices, you must select the same port number for each end of a link; for example, GigabitEthernet1/3 on both devices for the failover link.

Note

The FDM-managed device does not support sharing interfaces between user data and the failover link.

Failover Link

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit and to synchronize configuration changes. The following information is shared over the link:

  • The unit state (active or standby)

  • Hello messages (keep-alives)

  • Network link status

  • MAC address exchange

  • Configuration replication and synchronization

You can use an unused data interface (physical, redundant, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. Do not use a subinterface as the failover link.

The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can be used only for the failover link (and, optionally, also as the state link).

Stateful Link

The active unit uses the state link to pass connection state information to the standby device. This means that the standby unit can maintain certain types of connections without impacting the user. This information helps the standby unit maintain existing connections when a failover occurs.

You can use a dedicated data interface (physical, redundant, or EtherChannel) for the state link. For an EtherChannel used as the state link, to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used.

Using a single link for both the failover and stateful failover functions is the best way to conserve interfaces. However, if you have a large configuration and a high-traffic network, consider dedicating separate interfaces to the state link and the failover link. We recommend that the bandwidth of the stateful failover link match the largest bandwidth of the data interfaces on the device.
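The interface rules above (same port on both units, no named interface, no subinterfaces, a subinterface never allowed as the failover link) and the bandwidth recommendation for the state link can be checked before you create the pair. The following pre-check is an added example, not Cisco or CDO code; the `Interface` inventory format and the sample inventories are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Interface:
    port: str                           # e.g. "GigabitEthernet1/3"
    kind: str                           # physical, redundant, etherchannel, subinterface
    name: Optional[str] = None          # a logical name means the interface is in use
    subinterfaces: List[str] = field(default_factory=list)
    bandwidth_mbps: int = 1000

def link_problems(primary, secondary, port, role="failover"):
    """Reasons why `port` cannot serve as the failover or state link on this pair.
    Rules from the page: same port on both units, no subinterface, and no interface
    that already has a name or carries subinterfaces. Empty list means acceptable."""
    problems = []
    for unit, inventory in (("primary", primary), ("secondary", secondary)):
        iface = next((i for i in inventory if i.port == port), None)
        if iface is None:
            problems.append(f"{unit}: {port} not present (same port required on both units)")
            continue
        if iface.kind == "subinterface":
            problems.append(f"{unit}: {port} is a subinterface; not allowed as {role} link")
        if iface.name:
            problems.append(f"{unit}: {port} is in use as '{iface.name}'")
        if iface.subinterfaces:
            problems.append(f"{unit}: {port} has subinterfaces {iface.subinterfaces}")
    return problems

def state_link_bandwidth_ok(inventory, port):
    """Page recommendation: state link bandwidth should match the largest data interface."""
    link = next(i for i in inventory if i.port == port)
    data = [i.bandwidth_mbps for i in inventory if i.name and i.kind != "subinterface"]
    return link.bandwidth_mbps >= max(data, default=0)

# Constructed sample inventories (not taken from any real device).
PRIMARY = [
    Interface("GigabitEthernet1/1", "physical", name="inside", bandwidth_mbps=10000),
    Interface("GigabitEthernet1/2", "physical", name="outside", subinterfaces=["GigabitEthernet1/2.10"]),
    Interface("GigabitEthernet1/2.10", "subinterface", name="dmz"),
    Interface("GigabitEthernet1/3", "physical"),
    Interface("GigabitEthernet1/4", "physical"),
    Interface("TenGigabitEthernet1/5", "physical", bandwidth_mbps=10000),
]
# The secondary differs in one place: GigabitEthernet1/4 is already named there.
SECONDARY = [Interface(i.port, i.kind, "lab" if i.port == "GigabitEthernet1/4" else i.name,
                       list(i.subinterfaces), i.bandwidth_mbps) for i in PRIMARY]

if __name__ == "__main__":
    for port in ("GigabitEthernet1/3", "GigabitEthernet1/4", "GigabitEthernet1/2.10"):
        print(port, link_problems(PRIMARY, SECONDARY, port) or "OK")
    print("Gi1/4 state link bandwidth OK:", state_link_bandwidth_ok(PRIMARY, "GigabitEthernet1/4"))
```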

Copyright © 2023, Cisco Systems, Inc. All rights reserved.