Cisco ASA Active/Passive Failover Configuration Example (2024)

Overview

High availability is one of the most crucial requirements for smooth network operation. For routers and switches, we have a variety of options to choose from, such as Switch-Stack, vPC, VSS, HSRP, etc.

When it comes to firewalls, the options are far more limited because of the stateful nature of firewall appliances. Most of us would usually go with an Active/Passive firewall design, where the Active firewall processes the traffic and the Standby firewall just sits there and waits to take over in the event of a failure. You can also choose an Active/Active design if that suits your environment.

In this blog post, we will learn how to configure Active/Passive Failover on the Cisco ASA firewalls.

ASA Fail-Over Modes

As I mentioned before, ASA supports two failover modes, Active/Active failover and Active/Standby failover.

  • In Active/Standby failover, one device functions as the Active unit and passes the traffic. The second standby unit does not actively pass traffic. When a failover occurs, the Standby unit assumes the active role and starts passing the traffic.

  • In an Active/Active failover, both ASAs can pass traffic. Please note that Active/Active failover is only available to ASAs in multiple context mode. In Active/Active failover, you divide the security contexts on the ASA into two failover groups. A failover group is simply a logical group of one or more security contexts. One group is assigned to be Active on the primary ASA, and the other group is assigned to be Active on the secondary ASA. When a failover occurs, it occurs at the failover group level.

Hardware and Software Requirements

  • Both units in a failover pair must be the same model and have the same number and types of interfaces.
  • Both units must have the same modules installed and the same amount of RAM.
  • Both units should have the same major (first number) and minor (second number) software version.
  • Both units must have the same AnyConnect images.

Failover and Stateful Failover Links

As with any other firewall cluster, you need some sort of connectivity between the firewalls to exchange information such as heartbeats and state information.

[Figure 1: Failover link and stateful failover link between the two ASAs]

With the ASAs, you need two links - the failover link and the optional stateful failover link. Cisco recommends using the same interface between the two firewalls. For example, for a failover link, if you have used Gi0/1 in device 1, use the same interface Gi0/1 in device 2 as well.

  • Failover Link - The two units in a failover pair constantly communicate over the failover link to determine the operating status of each unit. The data exchanged over the failover link includes:
    • The unit state (active or standby)
    • Hello messages/keep-alives
    • Link status
    • MAC address exchange
    • Configuration replication and synchronization
  • Stateful Failover Link - To use Stateful Failover, you must configure a Stateful Failover link to exchange 'connection state' information. You can use a dedicated data interface (physical or Port-Channel) as the state link.

💡 Cisco recommends that the latency of the stateful failover link be less than 10 milliseconds and no more than 250 milliseconds.

Failover Link Design

Cisco recommends that the failover link and the data interfaces use different paths, to decrease the chance of all interfaces failing at the same time. If the failover link is down, the ASA can use the data interfaces to determine whether a failover is necessary; the failover operation is then suspended until the health of the failover link is restored.

Not recommended - If a single switch or a set of switches is used to connect both failover and data interfaces between two ASAs, then when a switch or inter-switch-link is down, both ASAs become active (split-brain) as shown below.

[Figure 2: Not recommended design - failover and data interfaces on the same switch; a switch or inter-switch link failure leaves both ASAs active (split-brain)]

Recommended - Cisco recommends that failover links not use the same switch as the data interfaces. You can use a different switch or connect the failover link directly between the units as shown below.

[Figure 3: Recommended design - failover link on a separate switch or connected directly between the two units]

MAC Addresses and IP Addresses

Standby IP Address

When you configure ASA's interfaces, you can optionally specify a standby IP address alongside the active IP address on the same subnet. When a failover occurs, the new active unit takes over the active IP addresses and MAC addresses.

! Example
!
interface Gi0/1
 nameif INSIDE
 security-level 100
 ip address 10.10.12.1 255.255.255.0 standby 10.10.12.2

IP/MAC Address Behaviour During Failover

The active unit always uses the primary unit's IP and MAC addresses. When a failover occurs, the standby unit assumes the IP addresses and MAC addresses of the failed unit (formerly active) and begins passing traffic.

When the failed unit comes back online, it stays in a standby state and takes over the standby IP addresses and MAC addresses.

Configuration Example

I prefer to configure the Standby IP addresses on all the interfaces even though they are optional.

interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 201.85.10.1 255.255.255.248 standby 201.85.10.2
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!

Failover configuration is very straightforward. The secondary box doesn't have any configuration other than the failover bits. The only configuration difference between the two units is a single line: failover lan unit <primary | secondary>.

! Primary unit
failover
failover lan unit primary
failover lan interface FAILOVER-LINK GigabitEthernet0/5
failover ipsec pre-shared-key cisco123
failover link STATEFUL-LINK GigabitEthernet0/6
failover interface ip FAILOVER-LINK 192.168.100.1 255.255.255.252 standby 192.168.100.2
failover interface ip STATEFUL-LINK 192.168.100.5 255.255.255.252 standby 192.168.100.6

! Secondary unit (identical apart from the "failover lan unit" line)
failover
failover lan unit secondary
failover lan interface FAILOVER-LINK GigabitEthernet0/5
failover ipsec pre-shared-key cisco123
failover link STATEFUL-LINK GigabitEthernet0/6
failover interface ip FAILOVER-LINK 192.168.100.1 255.255.255.252 standby 192.168.100.2
failover interface ip STATEFUL-LINK 192.168.100.5 255.255.255.252 standby 192.168.100.6

Most of the configuration is self-explanatory; I've used Gi0/5 and Gi0/6 as the failover and state links respectively.

Please note that all the information sent over the failover and state links is sent in clear text. There are two ways to secure communication between the peers: an IPsec pre-shared key (the failover ipsec pre-shared-key line above) or a failover key. Cisco recommends the former.

As soon as you finish the failover configuration on both units, the console should display the following message.

asa-lab-01#
Failover LAN became OK
Switchover enabled
Configuration has changed, replicate to mate.
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

Verification

You can use the show failover CLI command to check the current failover status.

asa-lab-01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4), Mate 9.8(4)
Serial Number: Ours 9A077RPR8KV, Mate 9AS2E40FB75
Last Failover at: 10:01:54 UTC Oct 20 2022
        This host: Primary - Active
                Active time: 409 (sec)
                slot 0: empty
                  Interface WAN (201.85.10.1): Normal (Monitored)
                  Interface INSIDE (192.168.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 6 (sec)
                  Interface WAN (201.85.10.2): Normal (Monitored)
                  Interface INSIDE (192.168.10.2): Normal (Monitored)

asa-lab-01# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4), Mate 9.8(4)
Serial Number: Ours 9AS2E40FB75, Mate 9A077RPR8KV
Last Failover at: 16:22:29 UTC Oct 22 2022
        This host: Secondary - Standby Ready
                Active time: 6 (sec)
                slot 0: empty
                  Interface WAN (201.85.10.2): Normal (Monitored)
                  Interface INSIDE (192.168.10.2): Normal (Monitored)
        Other host: Primary - Active
                Active time: 450 (sec)
                  Interface WAN (201.85.10.1): Normal (Monitored)
                  Interface INSIDE (192.168.10.1): Normal (Monitored)
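Reading this output by eye is fine for one pair, but with many pairs it is worth checking programmatically. The following Python script is an added example and is not part of the original post or of Cisco's tooling: it parses show failover output and reports anything that is not a clean Active / Standby Ready pair, namely failover disabled, a software version mismatch, more or fewer than one Active unit, a unit in a state such as Failed, or a monitored interface that is not Normal. The two sample outputs embedded in it are constructed to mirror the output above and the post-failover output shown later in the post; the regular expressions are written against that layout.

```python
import re

# Constructed sample, modelled on the "show failover" output of a healthy pair
# (not real device output).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 10:01:54 UTC Oct 20 2022
        This host: Primary - Active
                Active time: 409 (sec)
                  Interface WAN (201.85.10.1): Normal (Monitored)
                  Interface INSIDE (192.168.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 6 (sec)
                  Interface WAN (201.85.10.2): Normal (Monitored)
                  Interface INSIDE (192.168.10.2): Normal (Monitored)
"""

# Constructed sample of the state seen on the secondary after the primary was
# powered off: the mate is Failed and its interfaces are Unknown.
DEGRADED = """\
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 10:10:37 UTC Oct 20 2022
        This host: Secondary - Active
                Active time: 91 (sec)
                  Interface WAN (201.85.10.1): Normal (Waiting)
                  Interface INSIDE (192.168.10.1): Normal (Waiting)
        Other host: Primary - Failed
                Active time: 508 (sec)
                  Interface WAN (201.85.10.2): Unknown (Monitored)
                  Interface INSIDE (192.168.10.2): Unknown (Monitored)
"""

FAILOVER_RE = re.compile(r"^Failover (On|Off)")
VERSION_RE = re.compile(r"^Version:\s+Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(\w+)\s+\((\w+)\)\s*$")

# The only two unit states that make up a healthy Active/Standby pair.
ACCEPTABLE_STATES = ("Active", "Standby Ready")


def parse_show_failover(text):
    """Extract failover state, versions and per-unit role/state/interfaces."""
    result = {"failover_on": None, "versions": None, "units": {}}
    current = None
    for line in text.splitlines():
        m = FAILOVER_RE.match(line)
        if m:
            result["failover_on"] = (m.group(1) == "On")
            continue
        m = VERSION_RE.match(line)
        if m:
            result["versions"] = (m.group(1), m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # "This" or "Other"
            result["units"][current] = {"role": m.group(2), "state": m.group(3), "interfaces": []}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            result["units"][current]["interfaces"].append(
                {"name": m.group(1), "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)})
    return result


def check_pair_health(text):
    """Return a list of findings; an empty list means a clean Active / Standby Ready pair."""
    parsed = parse_show_failover(text)
    findings = []
    if parsed["failover_on"] is not True:
        findings.append("failover is not enabled")
    if parsed["versions"] and parsed["versions"][0] != parsed["versions"][1]:
        findings.append("software version mismatch: ours %s, mate %s" % parsed["versions"])
    states = [u["state"] for u in parsed["units"].values()]
    if states.count("Active") != 1:
        findings.append("expected exactly one Active unit, saw %s" % states)
    for which, unit in parsed["units"].items():
        if unit["state"] not in ACCEPTABLE_STATES:
            findings.append("%s host (%s) is in state %s" % (which, unit["role"], unit["state"]))
        for itf in unit["interfaces"]:
            # Only interfaces the unit is actually monitoring count against it.
            if itf["monitor"] == "Monitored" and itf["status"] != "Normal":
                findings.append("%s host interface %s (%s) is %s"
                                % (which, itf["name"], itf["ip"], itf["status"]))
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, "->", check_pair_health(sample) or "OK")
```

In practice you would feed the script the text captured from the device (for example over SSH) instead of the embedded samples; the checks map directly onto the requirements listed earlier in the post, such as matching software versions on both units.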

Test Failover

Let's power off the active unit and see what happens. Obviously, we want the secondary unit to take over the active role and start passing the traffic.

Once we have powered off the primary ASA, we can verify the failover status from the secondary unit (now active) as shown below.

asa-lab-01# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
10:05:12 UTC Oct 20 2022
Sync Config                Sync File System           Failover state check

10:05:12 UTC Oct 20 2022
Sync File System           Bulk Sync                  Failover state check

10:05:28 UTC Oct 20 2022
Bulk Sync                  Standby Ready              Failover state check

10:10:37 UTC Oct 20 2022
Standby Ready              Just Active                HELLO not heard from mate

10:10:37 UTC Oct 20 2022
Just Active                Active Drain               HELLO not heard from mate

10:10:37 UTC Oct 20 2022
Active Drain               Active Applying Config     HELLO not heard from mate

10:10:37 UTC Oct 20 2022
Active Applying Config     Active Config Applied      HELLO not heard from mate

10:10:37 UTC Oct 20 2022
Active Config Applied      Active                     HELLO not heard from mate
==========================================================================

asa-lab-01# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER-LINK GigabitEthernet0/5 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 61 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(4), Mate 9.8(4)
Serial Number: Ours 9AS2E40FB75, Mate 9A077RPR8KV
Last Failover at: 10:10:37 UTC Oct 20 2022
        This host: Secondary - Active
                Active time: 91 (sec)
                slot 0: empty
                  Interface WAN (201.85.10.1): Normal (Waiting)
                  Interface INSIDE (192.168.10.1): Normal (Waiting)
        Other host: Primary - Failed
                Active time: 508 (sec)
                  Interface WAN (201.85.10.2): Unknown (Monitored)
                  Interface INSIDE (192.168.10.2): Unknown (Monitored)

Force Failover

If, for whatever reason, you want to force a failover, you can use the failover active command.

To force the standby unit to become active, run failover active from the standby unit or run no failover active on the active unit.

asa-lab-01# no failover active
asa-lab-01#
Switching to Standby

Failover Interface Monitoring

By default, monitoring is enabled on all physical interfaces and on any hardware or software modules installed on the ASA, such as the ASA FirePOWER module. So, if one of the monitored links goes down on the active unit, the standby unit will take over the role.

To demonstrate interface monitoring, I'm going to shut down one of the links between the active unit and the switch.

As you can see below, the console displays a message indicating that the failover occurred because of interface monitoring. You can also use the show failover history command to check the reason behind any failover event.

asa-lab-01#
Switching to Standby
Primary: Switching to Ok for reason Interface check.

asa-lab-01# show failover history
==========================================================================
From State                 To State                   Reason
==========================================================================
10:20:05 UTC Oct 20 2022
Active Config Applied      Active                     Set by the config command

10:20:48 UTC Oct 20 2022
Active                     Failed                     Interface check

10:20:51 UTC Oct 20 2022
Failed                     Standby Ready              Interface check

10:20:58 UTC Oct 20 2022
Standby Ready              Failed                     Interface check

10:21:08 UTC Oct 20 2022
Failed                     Standby Ready              Interface check
==========================================================================

Exclude Interfaces from Monitor

If you want to exclude interfaces connected to less critical networks from affecting your failover events, you can use the no monitor-interface <interface-name> command.

asa-lab-01# show monitor-interface
        This host: Primary - Active
                  Interface WAN (201.85.10.1): Normal (Monitored)
                  Interface INSIDE (192.168.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface WAN (201.85.10.2): Normal (Monitored)
                  Interface INSIDE (192.168.10.2): Normal (Monitored)

asa-lab-01(config)# no monitor-interface INSIDE

asa-lab-01# show monitor-interface
        This host: Primary - Active
                  Interface WAN (201.85.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface WAN (201.85.10.2): Normal (Monitored)

As you can see above, the INSIDE interface is no longer monitored for failover.

Failover EXEC mate

This is one of the commands I use frequently. Suppose you are logged into the active unit but want to run some commands on the standby unit; you can use the failover exec mate command followed by the actual command you want to run.

The following shows getting the show failover output from the standby unit but running the command from the active unit.

asa-lab-01# failover exec mate show failover | incl This
        This host: Secondary - Standby Ready

Failover Syslog Messages

ASA issues a number of syslog messages related to failover. The ranges of message IDs associated with failover are: 101xxx, 102xxx, 103xxx, 104xxx, 105xxx, 210xxx, 311xxx, 709xxx, 727xxx.

I've included some of the syslog messages below.

%ASA-1-104002: (Primary) Switching to STANDBY - Set by the config command
%ASA-1-104001: (Primary) Switching to ACTIVE - Set by the config command.
%ASA-1-103001: (Secondary) No response from other firewall (reason code = 4).
%ASA-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate.
%ASA-1-105003: (Primary) Monitoring on interface WAN waiting
%ASA-1-105003: (Primary) Monitoring on interface INSIDE waiting
%ASA-1-105004: (Primary) Monitoring on interface WAN normal
%ASA-1-105004: (Primary) Monitoring on interface INSIDE normal
%ASA-1-105003: (Primary) Monitoring on interface INSIDE waiting
%ASA-1-105004: (Primary) Monitoring on interface INSIDE normal
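These messages are what a log collector or SIEM sees, so they are the natural place to detect a switchover or a lost peer. The following Python script is an added example and not from the original post: it classifies ASA syslog lines by the failover ID ranges listed above, follows the Switching to ACTIVE / Switching to STANDBY messages to track which unit currently claims the active role, and raises an alert when a unit reports no response from its mate or when both units claim ACTIVE at the same time (the split-brain condition described in the Failover Link Design section). The log lines embedded in it are constructed from the messages above plus one ordinary connection message (ID 302013); the mapping of message IDs to event names is mine, taken from the text of those sample messages, and the syslog line format assumed is the one shown above.

```python
import re

# Failover-related message ID ranges named in the post (101xxx ... 727xxx).
FAILOVER_PREFIXES = ("101", "102", "103", "104", "105", "210", "311", "709", "727")

# Meaning of the specific IDs that appear in the post's sample messages
# (assumed mapping, derived from the message text).
EVENTS = {
    "104001": "switch_to_active",
    "104002": "switch_to_standby",
    "103001": "mate_unreachable",
    "105003": "interface_waiting",
    "105004": "interface_normal",
}

SYSLOG_RE = re.compile(
    r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?:\((?P<unit>Primary|Secondary)\) )?(?P<text>.*?)\.?$"
)

# Constructed sample log, modelled on the messages in the post. The last line is
# an ordinary connection message that the analysis must ignore.
SAMPLE_LOG = """\
%ASA-1-104002: (Primary) Switching to STANDBY - Set by the config command
%ASA-1-104001: (Secondary) Switching to ACTIVE - Set by the config command.
%ASA-1-103001: (Secondary) No response from other firewall (reason code = 4).
%ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
%ASA-1-105003: (Primary) Monitoring on interface WAN waiting
%ASA-1-105004: (Primary) Monitoring on interface WAN normal
%ASA-6-302013: Built inbound TCP connection 12345 for WAN:203.0.113.5/443 (203.0.113.5/443) to INSIDE:192.168.10.20/51000 (192.168.10.20/51000)
"""


def parse_line(line):
    """Split an ASA syslog line into severity, message ID, reporting unit and text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"),
            "unit": m.group("unit"), "text": m.group("text")}


def is_failover_message(msg_id):
    """True when the message ID falls in one of the failover ID ranges."""
    return msg_id[:3] in FAILOVER_PREFIXES


def analyze(lines):
    """Walk the log in order, track which unit claims the active role and collect alerts."""
    active = {}        # unit -> True when its last role message was "Switching to ACTIVE"
    events = []        # (unit, event kind, message text) for every failover message
    alerts = []
    split_brain = False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not is_failover_message(rec["id"]):
            continue
        kind = EVENTS.get(rec["id"], "other_failover")
        events.append((rec["unit"], kind, rec["text"]))
        if kind == "switch_to_active":
            active[rec["unit"]] = True
        elif kind == "switch_to_standby":
            active[rec["unit"]] = False
        elif kind == "mate_unreachable":
            alerts.append("%s lost contact with its mate: %s" % (rec["unit"], rec["text"]))
        # Alert once on the transition into "both units active", not on every later line.
        both_active = sum(active.values()) > 1
        if both_active and not split_brain:
            alerts.append("both units report ACTIVE after '%s': possible split-brain, "
                          "check the failover link" % rec["text"])
        split_brain = both_active
    return {"events": events, "alerts": alerts, "active": active}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines())["alerts"]:
        print("ALERT:", alert)
```

The role tracking only works when the collector receives syslog from both units, so make sure logging is enabled on the standby unit as well; otherwise the script sees one side of the story and cannot tell a clean switchover from a split-brain.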

A few things to consider

  1. Even though the configuration and state information are synced across the peers, the files are not. For example, the IOS image and AnyConnect images that you require need to be uploaded into both units individually.
  2. Preemption is not supported in Active/Passive failover mode.

Closing up

Configuring failover is very straightforward, but understanding how it works is more crucial for troubleshooting. I've tried to cover as much as I can; however, if you would like to learn more about failover, please check out the official Cisco guide linked in the References section.

References

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-failover.html

Article information

Author: Fredrick Kertzmann
