Thank you very much, I appreciate the feedback!

Hello! Sorry for the extremely late reply, but if you are still looking for the answer to this question I'd be more than happy to help. Firstly, I think the question is probably more along the lines of the difference between the Failover Link and Stateful Link. I say this only because I used the Management interface for the Failover Link; it could have been any other interface but I decided to use Management0/0 for the video. Otherwise, the management interface would mostly likely be used for out of band management if used for its intended purpose. Now failover and stateful links are 2 different things... The failover link is what communicates failover/health information between the ASAs. So for example, if the primary ASA suffered a link failure, that would be communicated over the failover link and tell the secondary ASA to become active. The stateful link is something entirely different and also optional... this is the link that communicates stateful information such as firewall states and NAT mappings to the standby ASA. For example, say that the primary ASA is forwarding traffic. Firewall states are constantly being added, as well as NAT if you are running NAT on the ASA. Now, let's say that ASA fails and the standby unit become active. Connections would most likely be reset because the firewall states would not exist, so traffic coming from the outside to inside would be blocked and the sessions would need to be re-established. With a stateful link and all of that information being synced with the standby ASA, if it does become active, then sessions will not be reset and connection will not need to be re-established because all of those firewall states will have been replicated to that secondary ASA over the stateful link. I hope this helps and thanks for your question!

Hey Ernest, thanks for the feedback! The reason why you need that layer 2 adjacency between ASAs is because the active and standby interfaces are on the same subnet. Let's say the active IP is 10.0.0.1 for the active firewall. If that link fails (or the firewall fails) the standby will take over for 10.0.0.1. By connecting those interfaces to individual L3 interfaces you have split that subnet, so you will end up having reachability issues. The L2 switch allows you to reach the active firewall regardless of which router the traffic came in on and you don't have to worry about blackholing traffic. Now, with that being said, I have configured this in the past the way you mentioned, however I was using the firewall links as transport links and running OSPF. In that scenario (though I don't believe it is best practice), I did not have an issue with monitoring on those links. If I remember correctly, the firewalls were connected to 2 L3 switches with a L3 link connecting those switches together. The standby ASA suspends the OSPF process, and therefore no traffic would be routed toward the secondary unless the primary failed. So you "should" be able to do it that way, but I would advise that the routers are connected together via a L3 link and you are running a routing protocol between the routers and ASAs. I can possibly lab this up again if I have a moment and see if I can reproduce the issue that you described.

@@RMTechCentral You have explained this perfectly, thanks so very much. It's all clicking now. I really appreciate the thorough explanation and response. Subscribed!!!

You're very welcome!

You are most welcome!