Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the
best answer.)

A.
connecting the active and standby units directly with a crossover cable

B.
connecting the active and standby units to a dedicated VLAN on a switch

C.
sharing a regular data interface with the stateful failover link

D.
sharing the LAN failover link with the stateful failover link

E.
using a dedicated Ethernet interface as the stateful failover link

Explanation:
Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA) can
leave the ASA vulnerable to replay attacks. A replay attack is a type of maninthemiddle attack in which the
attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and preshared
keys, and then replays the data to a target. In addition, the attacker might delay or modify the captured data
before directing it to the target. On an ASA, all LAN failover and stateful failover information is transmitted as
clear text by default. Therefore, sharing the stateful failover link with a regular data interface can unnecessarily
expose virtual private network (VPN) configuration information, such as user names, passwords, and preshared
keys (PSKs) to malicious users on the shared network segment. You can mitigate this risk by configuring a
failover key on both the active unit and the standby unit to protect failover information. Cisco strongly
recommends using a dedicated Ethernet interface or sharing a LAN failover link instead of sharing the stateful
failover link with a regular data interface.
ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a stateless
failover implementation, the active unit and standby unit use a dedicated LAN link, known as a LAN failover link,
for failover traffic. The LAN failover link can use any unnamed Ethernet interface and can connect the failover
pair directly, with either a straightthrough or crossover Ethernet cable, or through a switch, with no other
devices on the same network segment or virtual LAN (VLAN) as the failover pair. Although all failover traffic is
sent as clear text by default, a LAN failover link does not leave an ASA vulnerable to replay attacks because the
failover pair are either directly connected or connected through a dedicated VLAN.
By contrast, the failover link between two ASAs in a stateful failover implementation can use a dedicated
Ethernet link, a shared LAN failover link, or a shared regular data interface. If a dedicated Ethernet link is used
for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it can be either a
direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link using either a
dedicated Ethernet link or a shared LAN failover link does not leave an ASA vulnerable to replay attacks
because the failover pair are either directly connected or connected through a dedicated VLAN.

Cisco: Information About High Availability: Stateful Failover LinkCategory: Cisco Firewall Technologies