ASA Failover is intended for improving high availability of the firewall solution. ASA
Failover technology uses 2 units in failover pair. We can configure Failover in two modes:
- Active Standby Failover
- Active Active Failover
ASA Failover rules:
- Maximum of 10 ms Round Trip Time between units
- Each logical interface must be in same L2 segment
- Each logical interface is IP addressed (active IP and standby IP)
- IP and MAC (virtual) is always maintained by the current active Unit
- When failover occurs, ASA standby assumes active IP and MAC and sends
- Gratuitous ARP on each interface to recalculate L2 subnets.
- Failover interface is required and intended for configuration replication and keep alive unit pooling
- Stateful interface is optional and intended for live session replication between
units.
ASA Failover – Active Standby
Active Standby failover means that two units are working in active – standby configuration where active state is always present on one of the failover pair. The other one is standby. Standby has identical configuration as active and pools an active unit with keep alive packets. Based on defined timeout (5 seconds pooling interval and 3 times repeats, configurable) failover condition is checked. If failover condition is meet, standby unit becomes active and acquires active IP address and MAC, standby IP and MAC goes to standby Unit. Basic configuration of failover is presented below.
Primary Unit:
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
Secondary Unit:
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
TIP: to switch-on failover, use command failover on both units.
- The active unit is determined by these:
- If a unit boots and detects a peer already operative as active, it becomes the
standby unit. - If a unit boots and does not detect a peer, it becomes the active unit.
- If both units boot simultaneously, the primary unit becomes the active unit,
and the secondary unit becomes the standby unit.
More in Cisco Firepower Online Training
Let us guide you through Cisco Firepower Threat Defense technology (FTD) along with Firepower Management Center (FMC) as security management and reporting environment.
Author: Marcin Bialy
FAQs
Active Standby failover means that two units are working in active – standby configuration where active state is always present on one of the failover pair. The other one is standby. Standby has identical configuration as active and pools an active unit with keep alive packets.
What are the two modes that a Cisco ASA can be configured to provide failover? ›
The two units in a Failover configuration must: Be in the same context mode (single or multiple). For single mode: Be in the same firewall mode (routed or transparent). In multiple context mode, the firewall mode is set at the context-level, and you can use mixed modes.
How to configure failover in Cisco ASA? ›
With the ASAs, you need two links - the failover link and the optional stateful failover link. Cisco recommends using the same interface between the two firewalls. For example, for a failover link, if you have used Gi0/1 in device 1, use the same interface Gi0/1 in device 2 as well.
What happens during an ASA failover? ›
The failover mechanism is stateful which means that the active ASA sends all stateful connection information state to the standby ASA. This includes TCP/UDP states, NAT translation tables, ARP table, VPN information and more.
What is difference between active-active and active standby? ›
Active-active high availability clusters distribute workloads evenly across all nodes, ensuring optimal load balancing. In contrast, an active-passive setup keeps nodes on standby, activating them only when the primary fails, leading to potential delays.
What is the difference between cluster and failover in Cisco ASA? ›
1 Answer. The active/active cluster allows you to split traffic into groups so the A node handles traffic for some networks while the B node handles traffic for the others, in the event of a failover the stable unit will handle traffic for both A&B traffic groups (assigned on a per context basis).
What license is required for Cisco ASA failover? ›
For failover, Cisco ASA 5505, ASA 5510, and ASA 5512-X appliances must have the Security Plus license installed. For clustering, all participating Cisco ASA 5585-X appliances with SSP-10 and SSP-20 must have either the Base license or the Security Plus license.
What two features must match between ASA devices to implement a failover configuration? ›
What two features must match between ASA devices to implement a failover configuration? Software, licensing, memory, and interfaces, including the Security Services Module (SSM).
How do I upgrade my ASA in failover mode? ›
Configure
- Run the command show fxos mode to verify that your device is in appliance mode. ...
- Verify the compatibility. ...
- Download the upgrade package from Cisco Software Central. ...
- Reset the ASDM image. ...
- Upload the software image to the primary unit.
- Upload the software image to the secondary unit.
Use the command “show failover” to see which ASA is currently the Active firewall and which role it was assigned (Primary or Secondary). Use the command “show failover history” to see a log detailing failover events that have caused the firewalls to switch roles.
Generally, in an active/passive cluster failover configuration, one or more passive or standby nodes are available to take over for failed nodes. Only the primary node is used for processing. When a node fails, the standby node takes over the resources and the identity of the failed node.
What is the difference between failover link and stateful link? ›
The stateful failover link is used to replicate all the connections that are going through the active ASA. The failover link is used to replicate the configuration and the following info: *The unit state (active or standby).
What is active active in Asa? ›
The Active/Active failover is a feature of Adaptive Security Appliance (ASA) that allows two Firepower devices to pass the traffic simultaneously.
What are the two modes in which Cisco ASA can be configured? ›
The ASA supports two firewall modes: Routed Firewall mode and Transparent Firewall mode.
What information is exchanged between asas over a failover link? ›
The failover mechanism is stateful, meaning the active ASA sends all stateful connection information to the standby ASA. This includes TCP/UDP states, NAT translation tables, ARP tables, and VPN information.
What is the difference between active-active and active-passive failover? ›
Active-active involves all nodes being active simultaneously, ensuring parallel processing and high scalability. Active-passive operates with a single active node and standby nodes ready for failover.
What is active standby mode? ›
The Active/Standby mode of operation (A/S) evolved from initially having the hardware available and connected into the network, to having the necessary software completely installed and available on the second node as well. This is sometimes referred to as a 'warm standby' or 'warm spare.
What is active-active vs active-passive? ›
Active-active clusters: Client machines connect to a load balancer that distributes their workloads across multiple active servers. Active-passive clusters: Client machines connect to the main server, which handles the full workload, while a backup server remains on standby, only activating in the event of a failure.
What happens during failover? ›
Failover is a backup operational mode that automatically switches to a standby database, server or network if the primary system fails, or is shut down for servicing. Failover is an extremely important function for critical systems that require always-on accessibility.
