Cisco Secure Firewall ASA Series Command Reference, A-H Commands - fa – fd [Cisco Secure Firewall ASA] (2024)

To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.

failover

no failover

Syntax Description

This command has no arguments or keywords.

Command Default

Failover is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Use the no form of this command to disable failover.

Caution

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels.

The ASA 5505 device allows only Stateless Failover, and only while not acting as an Easy VPN hardware client.

Examples

The following example disables failover:

ciscoasa(config)# no failoverciscoasa(config)#

Related Commands

To switch a standby ASA or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active ASA or failover group to standby, use the no form of this command.

failover active [ group group_id ]

no failover active [ group group_id ]

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using Stateful Failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.

Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.

Examples

The following example switches the standby group 1 to active:

ciscoasa# failover active group 1

Related Commands

To allow the ASA virtual to authenticate with Microsoft Azure using a Service Principal, use the failover cloud authentication command in global configuration mode. To disable Microsoft Azure authentication, use the no form of this command.

failover cloud authentication { application-id appl-id | directory-id dir-id | key secret-key }

no failover cloud authentication { application-id appl-id | directory-id dir-id | key secret-key [ encrypt ] }

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

To be able to automatically make API calls to modify Azure route tables, the ASA virtual HA units need to have Azure Active Directory credentials. Azure employs the concept of a Service Principal which, in simple terms, is a service account. A Service Proncipal allows you to provision an account with only enough permissions and scope to run a task within a predefined set of Azure resources.

When you have an application that needs to access or modify Azure resources, such as route tables, you must set up an Azure Active Directory (AD) application and assign the required permissions to it.

When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object, and a service principal object. The service principal object defines the policy and permissions for an application's use in a specific tenant, providing the basis for a security principal to represent the application at run-time.

After you set up the service principal, you obtain the Directory ID , Application ID , and Secret key . Theseare required to configure Azure authentication credentials.

Note	Azure provides instructions on how to create an Azure AD application and service principal in the Azure Resource Manager Documentation .

Examples

The following example adds the Azure authentication credentials to the public cloud failover configuration:

(config)# failover cloud authentication application-id dfa92ce2-fea4-67b3-ad2a-6931704e420(config)# failover cloud authentication directory-id 227b0f8f-684d-48fa-9803-c08138b77ae9(config)# failover cloud authentication key 5yOhH593dtD/O8gzAlWgulrkWz5dH02d2STk3LDbI4c=(config)#

Related Commands

To configure the public cloud failover peer, use the failover cloud peer command in global configuration mode. To disable the failover peer, use the no form of this command.

failover cloud peer { ip ip-address | port port-number }

no failover cloud peer

Syntax Description

Command Default

The default is the port number specified by the failover cloud port control command (or its default if not specified).

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The IP address is used to establish a TCP failover control connection to the public cloud HA peer. The port is used when attempting to open a failover connection to the HA peer, who may already by the Active unit. Configuring the port here may be needed if NAT is being performed between the HA peers. In most cases it won't need to be configured.

The no version of this command removes the peer IP address and sets the port number to its default value. If the port is not specified, the port number is set to its default value, even it is was set to a different value previously using this command.

Examples

The following example configures a public cloud failover peer:

ciscoasa(config)# failover cloud peer ip 10.4.3.5 port 4444ciscoasa(config)#

Related Commands

To specify the public cloud failover unit poll and hold times, use the failover cloud polltime command in global configuration mode. To restore the default poll and hold times, use the no form of this command.

failover cloud polltime poll_time [ holdtime time ]

no failover cloud polltime

Syntax Description

Command Default

The default values on the ASA virtual are as follows:

• The polltime poll_time is 5 second.

• The holdtime time is 15 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Used to set the polling interval that the Backup uses for monitoring the presence of the Active unit. Optionally, you can also set the amount of time (hold time) that the Backup unit will wait, in the absence of a response from the Active unit, before taking over the Active role. The hold time will be forced to be at least three times the poll time. With a faster poll time, the ASA can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.

Examples

The following example configures failover polling for the public cloud failover configuration:

ciscoasa(config)# failover cloud polltime 10 holdtime 30

Related Commands

To specify the two TCP ports used by public cloud failover pairs, the port used for failover communication between the two peers, and the port used for Azure Load Balancer probes, use the failover cloud port command in global configuration mode. Use the no form of this command restore the default values for these ports.

failover cloud port { control port-number | probe port-number [ interface if-name ] }

no failover cloud port { control | probe }

Syntax Description

Command Default

The public cloud failover TCP control port number is 44442.

The Azure Load Balancer health probe port number is 44441.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Use the no form of this command to restore the default port values.

On the physical ASA and the non-public cloud virtual ASA, the system handles failover conditions using gratuitous ARP requests where the backup ASA sends out a gratuitous ARP indicating it is now associated with the active IP and MAC addresses. Most public cloud environments do not allow broadcast traffic of this nature. For this reason, an HA configuration in the public cloud requires ongoing connections be restarted when failover happens.

The health of the active unit is monitored by the backup unit to determine if specific failover conditions are met. If those conditions are met, failover occurs. The failover time can vary from a few seconds to over a minute depending on the responsiveness of the public cloud infrastructure.

Examples

The following example configures TCP ports for failover communication and Azure Load Balancer probes to the public cloud failover configuration:

ciscoasa(config)# failover cloud port control 4444 ciscoasa(config)# failover cloud port probe 4443

Related Commands

To configure an Azure route table that directs internal routes to the Active unit, use the failover cloud route-table command in global configuration mode. To remove the route table configuration, use the no form of this command.

failover cloud route-table table-name [ subscription-id sub-id ]

no failover cloud route-table

Syntax Description

Command Default

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

On failover, you want to direct internal routes to the active unit, which uses the configured route table information to automatically direct the routes to itself.

Configure these settings on both the primary and secondary units. There is no synching of configuration from the primary unit to the secondary unit.

To update user-defined routes in more than one Azure subscription, use the optional subscription-id parameter. The subscription-id at the route-table command level overrides the Azure Subscription ID specified at the global level. If you enter the route-table command without specifying the subscription-id , the global parameter is used.

Use the no form of this command remove the route table configuration.

Note	When you enter this command the ASA virtual switches to cfg-fover-cloud-rt mode.

Examples

The following examples show how to enable the cfg-fover-cloud-rt mode for public cloud failover route table configuration:

ciscoasa(config)# failover cloud route-table inside-rtciscoasa(cfg-fover-cloud-rt)# ciscoasa(config)# failover cloud route-table inside-rt subscription-id cd5fe6b4-d2ed-45ciscoasa(cfg-fover-cloud-rt)#

Related Commands

To configure an Azure resource group, required for route table update requests, use the rg command in cfg-fover-cloud-rt configuration mode. To remove the resource group information from the configuration, use the no form of this command.

rgresource-group

no rg

Syntax Description

Command Default

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

An Azure resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization.

Configure these settings on both the primary and secondary units. There is no synching of configuration from the primary unit to the secondary unit.

Use the no form of this command remove the resource group information from the configuration.

Note	Azure provides information about resource groups in the Azure Resource Manager Documentation .

Examples

The following example adds an Azure resource group to the public cloud failover configuration:

ciscoasa(cfg-fover-cloud-rt)# rg east-rgciscoasa(cfg-fover-cloud-rt)# 

Related Commands

To configure an route that requires updating during a failover, use the route command in cfg-fover-cloud-rt configuration mode. To remove the route information from the configuration, use the no form of this command.

route { name route-name prefix address-prefix nexthop ip-address }

no route name route-name

Syntax Description

Command Default

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

On failover, you want to direct internal routes to the active unit, which uses the configured route table information to automatically direct the routes to itself.

Configure these settings on both the primary and secondary units. There is no synching of configuration from the primary unit to the secondary unit.

Use the no form of this command remove the route information from the configuration.

Note	Azure provides information about routing requirements in the Azure Resource Manager Documentation .

Examples

The following example adds a route that requires updating to the public cloud failover configuration:

ciscoasa(cfg-fover-cloud-rt)# route route-to-outside prefix 10.4.2.0/24 nexthop 10.4.1.4ciscoasa(cfg-fover-cloud-rt)# 

Related Commands

To configure the Azure Subscription ID for the Azure Service Principal, use the failover cloud subscription-id command in global configuration mode. The no form of this command removes the subscription information from the configuration.

failover cloud subscription-id sub-id

no failover cloud subscription-id

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The Azure Subscription ID is needed to modify Azure route tables, for example, when you want to direct internal routes to the active unit.

Note	You should be able to find your Subscription ID from the ‘Subscriptions’ tab of the Azure Portal, https://portal.azure.com .

Examples

The following example adds the Azure subscription ID to the public cloud failover configuration:

(config)# failover cloud (config)# failover cloud subscription-id ab2fe6b2-c2bd-44(config)#

Related Commands

To configure the ASA virtual as either the primary or secondary unit in a public cloud failover configuration, use the failover lan unit command in global configuration mode. To remove the unit role setting, use the no form of this command.

failover cloud unit { primary | secondary }

no failover cloud unit

Syntax Description

Command Default

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

To ensure redundancy, you can deploy the ASA virtual in a public cloud environment in an Active/Backup high availability (HA) configuration. HA in the public cloud implements a stateless Active/Backup solution that allows for a failure of the active ASA virtual to trigger an automatic failover of the system to the backup ASA virtual.

When setting up Active/Backup failover, you configure one unit to be primary and the other as secondary. At this point, the two units act as two separate devices for device and policy configuration, as well as for events, dashboards, reports and health monitoring.

The main differences between the two units in a failover pair are related to which unit is active and which unit is backup, namely which unit actively passes traffic. Although both units are capable of passing traffic, only the primary unit responds Load Balancer probes and programs any configured routes to use it as a route destination. The backup unit's primary function is to monitor the health of the primary unit. The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).

Examples

The following example sets the ASA virtual as the primary unit in a public cloud failover configuration:

ciscoasa(config)# failover cloud unit primary

Related Commands

To execute a command on a specific unit in a failover pair, use the failover exec command in privileged EXEC or global configuration mode.

failover exec { active | standby | mate } cmd_string

Syntax Description

Command Default

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

You can use the failover exec command to send commands to a specific unit in a failover pair.

Because configuration commands are replicated from the active unit or context to the standby unit or context, you can use the failover exec command to enter configuration commands on the correct unit, no matter which unit you are logged in to. For example, if you are logged in to the standby unit, you can use the failover exec active command to send configuration changes to the active unit. Those changes are then replicated to the standby unit. Do not use the failover exec command to send configuration commands to the standby unit or context; those configuration changes are not replicated to the active unit and the two configurations will no longer be synchronized.

Output from configuration, exec, and show commands is displayed in the current terminal session, so you can use the failover exec command to issue show commands on a peer unit and view the results in the current terminal.

You must have sufficient privileges to execute a command on the local unit to execute the command on the peer unit.

Command Modes

The failover exec command maintains a command mode state that is separate from the command mode of your terminal session. By default, the failover exec command mode is global configuration mode for the specified device. You can change that command mode by sending the appropriate command (such as the interface command) using the failover exec command.

Changing failover exec command modes for the specified device does not change the command mode for the session that you are using to access the device. For example, if you are logged in to the active unit of a failover pair, and you issue the following command in global configuration mode, you will remain in global configuration mode, but any commands sent using the failover exec command will be executed in interface configuration mode:

ciscoasa(config)# failover exec interface GigabitEthernet0/1ciscoasa(config)# 

Changing commands modes for your current session to the device does not affect the command mode used by the failover exec command. For example, if you are in interface configuration mode on the active unit, and you have not changed the failover exec command mode, the following command would be executed in global configuration mode:

ciscoasa(config-if)# failover exec active router ospf 100ciscoasa(config-if)# 

Use the show failover exec command to display the command mode on the specified device in which commands sent with the failover exec command are executed.

Security Considerations

The failover exec command uses the failover link to send commands to and receive the output of the command execution from the peer unit. You should use the failover key command to encrypt the failover link to prevent eavesdropping or man-in-the-middle attacks.

Limitations

• If you upgrade one unit using the zero-downtime upgrade procedure and not the other, both units must be running software that supports the failover exec command for the command to work.

• Command completion and context help are not available for the commands in the cmd_string argument.

• In multiple context mode, you can only send commands to the peer context on the peer unit. To send commands to a different context, you must first change to that context on the unit you are logged in to.

• You cannot use the following commands with the failover exec command:

  • changeto

  • debug (undebug )

• If the standby unit is in the failed state, it can still receive commands from the failover exe c command if the failure is due to a service card failure; otherwise, the remote command execution will fail.

• You cannot use the failover exec command to switch from privileged EXEC mode to global configuration mode on the failover peer. For example, if the current unit is in privileged EXEC mode, and you enter the failover exec mate configure terminal command, the show failover exec mate command output will show that the failover exec session is in global configuration mode. However, entering configuration commands for the peer unit using the failover exec command will fail until you enter global configuration mode on the current unit.

• You cannot enter recursive failover exec commands, such as the failover exec mate failover exec mate command.

• Commands that require user input or confirmation must use the /nonconfirm option.

Examples

The following example shows how to use the failover exec command to display failover information on the active unit. The unit on which the command is executed is the active unit, so the command is executed locally.

ciscoasa(config)# failover exec active show failoverFailover On Failover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 3 secondsInterface Poll frequency 3 seconds, holdtime 15 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 8.0(2), Mate 8.0(2)Last Failover at: 09:31:50 jst May 2 2004 This host: Primary - Active Active time: 2483 (sec) slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys) admin Interface outside (192.168.5.101): Normal admin Interface inside (192.168.0.1): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up) Other host: Secondary - Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys) admin Interface outside (192.168.5.111): Normal admin Interface inside (192.168.0.11): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)Stateful Failover Logical Update Statistics Link : failover GigabitEthernet0/3 (up) Stateful Obj xmit xerr rcv rerr General 328 0 328 0 sys cmd 329 0 329 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 0 0 0 0 Xlate_Timeout 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 329 Xmit Q: 0 1 329ciscoasa(config)#

The following example uses the failover exec command to display the failover status of the peer unit. The command is executed on the the primary unit, which is the active unit, so the information displayed is from the secondary, standby unit.

ciscoasa(config)# failover exec mate show failoverFailover On Failover unit SecondaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 3 secondsInterface Poll frequency 3 seconds, holdtime 15 secondsInterface Policy 1Monitored Interfaces 2 of 250 maximumVersion: Ours 8.0(2), Mate 8.0(2)Last Failover at: 09:19:59 jst May 2 2004 This host: Secondary - Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys) admin Interface outside (192.168.5.111): Normal admin Interface inside (192.168.0.11): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up) Other host: Primary - Active Active time: 2604 (sec) slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys) admin Interface outside (192.168.5.101): Normal admin Interface inside (192.168.0.1): Normal slot 1: ASA-SSM-20 hw/sw rev (1.0/) status (Up/Up)Stateful Failover Logical Update Statistics Link : failover GigabitEthernet0/3 (up) Stateful Obj xmit xerr rcv rerr General 344 0 344 0 sys cmd 344 0 344 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 0 0 0 0 UDP conn 0 0 0 0 ARP tbl 0 0 0 0 Xlate_Timeout 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q: 0 1 344 Xmit Q: 0 1 344

The following example uses the failover exec command to display the failover configuration of the failover peer. The command is executed on the primary unit, which is the active unit, so the information displayed is from the secondary, standby unit.

ciscoasa(config)# failover exec mate show running-config failoverfailoverfailover lan interface failover GigabitEthernet0/3failover polltime unit 1 holdtime 3failover polltime interface 3 holdtime 15failover link failover GigabitEthernet0/3failover interface ip failover 10.0.5.1 255.255.255.0 standby 10.0.5.2ciscoasa(config)# 

The following example uses the failover exec command to create a context on the active unit from the standby unit. The command is replicated from the active unit back to the standby unit. Note the two “Creating context...” messages. One is from the failover exec command output from the peer unit when the context is created, and the other is from the local unit when the replicated command creates the context locally.

ciscoasa(config)# show context Context Name Class Interfaces URL*admin default GigabitEthernet0/0, disk0:/admin.cfg GigabitEthernet0/1 Total active Security Contexts: 1! The following is executed in the system execution space on the standby unit.ciscoasa(config)# failover exec active context textCreating context 'text'... Done. (2)Creating context 'text'... Done. (3)ciscoasa(config)# show contextContext Name Class Interfaces URL*admin default GigabitEthernet0/0, disk0:/admin.cfg GigabitEthernet0/1 text default (not entered)Total active Security Contexts: 2

The following example shows the warning that is returned when you use the failover exec command to send configuration commands to a failover peer in the standby state:

ciscoasa# failover exec mate static (inside,outside) 192.168.5.241 192.168.0.241**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.ciscoasa(config)#

The following example uses the failover exec command to send the show interface command to the standby unit:

ciscoasa(config)# failover exec standby show interfaceInterface GigabitEthernet0/0 "outside", is up, line protocol is up Hardware is i82546GB rev03, BW 1000 Mbps Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps) MAC address 000b.fcf8.c290, MTU 1500 IP address 192.168.5.111, subnet mask 255.255.255.0 216 packets input, 27030 bytes, 0 no buffer Received 2 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 L2 decode drops 284 packets output, 32124 bytes, 0 underruns 0 output errors, 0 collisions 0 late collisions, 0 deferred input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/1) software (0/0) Traffic Statistics for "outside": 215 packets input, 23096 bytes 284 packets output, 26976 bytes 0 packets dropped 1 minute input rate 0 pkts/sec, 21 bytes/sec 1 minute output rate 0 pkts/sec, 23 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 21 bytes/sec 5 minute output rate 0 pkts/sec, 24 bytes/sec 5 minute drop rate, 0 pkts/secInterface GigabitEthernet0/1 "inside", is up, line protocol is up Hardware is i82546GB rev03, BW 1000 Mbps Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps) MAC address 000b.fcf8.c291, MTU 1500 IP address 192.168.0.11, subnet mask 255.255.255.0 214 packets input, 26902 bytes, 0 no buffer Received 1 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 L2 decode drops 215 packets output, 27028 bytes, 0 underruns 0 output errors, 0 collisions 0 late collisions, 0 deferred input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/1) software (0/0) Traffic Statistics for "inside": 214 packets input, 23050 bytes 215 packets output, 23140 bytes 0 packets dropped 1 minute input rate 0 pkts/sec, 21 bytes/sec 1 minute output rate 0 pkts/sec, 21 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 21 bytes/sec 5 minute output rate 0 pkts/sec, 21 bytes/sec 5 minute drop rate, 0 pkts/secInterface GigabitEthernet0/2 "failover", is up, line protocol is up Hardware is i82546GB rev03, BW 1000 Mbps Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps) Description: LAN/STATE Failover Interface MAC address 000b.fcf8.c293, MTU 1500 IP address 10.0.5.2, subnet mask 255.255.255.0 1991 packets input, 408734 bytes, 0 no buffer Received 1 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 L2 decode drops 1835 packets output, 254114 bytes, 0 underruns 0 output errors, 0 collisions 0 late collisions, 0 deferred input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/2) software (0/0) Traffic Statistics for "failover": 1913 packets input, 345310 bytes 1755 packets output, 212452 bytes 0 packets dropped 1 minute input rate 1 pkts/sec, 319 bytes/sec 1 minute output rate 1 pkts/sec, 194 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 1 pkts/sec, 318 bytes/sec 5 minute output rate 1 pkts/sec, 192 bytes/sec 5 minute drop rate, 0 pkts/sec...

The following example shows the error message returned when issuing an illegal command to the peer unit:

ciscoasa# failover exec mate bad commandbad command ^ERROR: % Invalid input detected at '^' marker.

The following example shows the error message that is returned when you use the failover exec command when failover is disabled:

ciscoasa(config)# failover exec mate show failoverERROR: Cannot execute command on mate because failover is disabled

Related Commands

To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.

failover group num

no failover group num

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

You can define a maximum of two failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.

Entering this command puts you in the failover group command mode. The primary , secondary , preempt , replication http , interface-policy , mac address , and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.

Note

The failover polltime interface , failover interface-policy , failover replication http , and failover mac address commands have no affect in Active/Active failover configurations. They are overridden by the following failover group configuration mode commands: polltime interface , interface-policy , replication http , and mac address .

When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.

Note

If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address using the mac address command.

Examples

The following partial example shows a possible configuration for two failover groups:

ciscoasa(config)# failover group 1 ciscoasa(config-fover-group)# primaryciscoasa(config-fover-group)# preempt 100ciscoasa(config-fover-group)# exitciscoasa(config)# failover group 2ciscoasa(config-fover-group)# secondaryciscoasa(config-fover-group)# preempt 100ciscoasa(config-fover-group)# exitciscoasa(config)#

Related Commands

To configure Bidirectional Forwarding Detection (BFD) for unit health monitoring, use the failover health-check bfd command in global configuration mode. To disable BFD, use the no form of this command.

failover health-check bfd template_name

no failover health-check bfd template_name

Syntax Description

Command Default

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The regular unit monitoring can cause false alarms when CPU usage is high. The BFD method is distributed, so high CPU does not affect its operation.

You must first configure a BFD single-hop template to define the packet rate:

bfd-template single-hop template_name

bfd interval min-tx milliseconds min-rx milliseconds multiplier multiplier_value

See the following limitations:

• Firepower 9300 and 4100 only.

• Active/Standby only.

• Routed mode only

Examples

The following example enables BFD unit health detection:

ciscoasa(config)# bfd template single-hop failover-temp ciscoasa(config-bfd)# bfd interval min-tx 50 min-rx 50 multiplier 3ciscoasa(config)# failover health-check bfd failover-temp

Related Commands

To specify the IPv4 address and mask or IPv6 address and prefixfor the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.

failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address | prefix standby ipv6_address ]

no failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address | prefix standby ipv6_address ]

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The standby address must be in the same subnet as the primary address.

You can only have one failvover interface ip command in the configuration. Therefore, your failover interface can have either an IPv6 or an IPv4 address; you cannot assign both an IPv6 and an IPv4 address to the interface.

Failover and Stateful Failover interfaces are functions of Layer 3, even when the ASA is operating in transparent firewall mode, and are global to the system.

In multiple context mode, you configure failover in the system context (except for the monitor-interface command).

This command must be part of the configuration when bootstrapping an ASA for LAN failover.

Examples

The following example shows how to specify an IPv4 address and mask for the failover interface:

ciscoasa(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2 

The following example shows how to specify an IPv6 address and prefix for the failover interface:

ciscoasa(config)# failover interface ip lanlink 2001:a0a:b00::a0a:b70/64 standby 2001:a0a:b00::a0a:b71 

Related Commands

To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.

failover interface-policy num [ % ]

no failover interface-policy num [ % ]

Syntax Description

Command Default

The defaults are as follows:

• num is 1.

• Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

There is no space between the num argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other ASA is functioning correctly, the ASA marks itself as failed and a failover might occur (if the active ASA is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.

Note	This command applies to Active/Standby failover only. In Active/Active failover, you configure the interface policy for each failover group with the interface-policy command in failover group configuration mode.

Examples

The following examples show two ways to specify the failover policy:

ciscoasa(config)# failover interface-policy 20%ciscoasa(config)# failover interface-policy 5

Related Commands

To establish IPsec LAN-to-LAN tunnels on the failover and state links between the units to encrypt all failover communications, use the failover ipsec pre-shared-key command in global configuration mode To remove the key, use the no form of this command.

failover ipsec pre-shared-key key

no failover ipsec pre-shared-key

Syntax Description

Command Default

0 (unencrypted) is the default.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Unless you secure the failover communications, all information sent over the failover and Stateful Failover links is sent in clear text. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication if you are using the ASA to terminate VPN tunnels.

We recommend using the failover ipsec pre-shared-key method of encryption over the legacy failover key method.

You cannot use both IPsec encryption and the legacy failover key encryption. If you configure both methods, IPsec is used. However, if you use the master passphrase (see the password encryption aes and key config-key password-encryption commands), you must first remove the failover key using the no failover key command before you configure IPsec encryption.

Note

If you configure HA failover encryption in evaluation mode, the systems use DES for the encryption. If you then register the devices using an export-compliant account, the devices will use AES after a reboot. Thus, if a system reboots for any reason, including after installing an upgrade, the peers will be unable to communicate and both units will become the active unit. We recommend that you do not configure encryption until after you register the devices. If you do configure this in evaluation mode, we recommend you remove the encryption before registering the devices.

When you use this command, the system creates an IKE policy. Because the system allows a maximum of 20 IKE policies, if there are already 20, this command will fail.

Note	Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.

Examples

The following example configures an IPsec pre-shared key:

ciscoasa(config)# failover ipsec pre-shared-key a3rynsun

Related Commands

To specify the key for encrypted and authenticated communication between units in a failover pair (over the failover and state links), use the failover key command in global configuration mode. To remove the key, use the no form of this command.

failover key [ 0 | 8 ] { hex key | shared_secret }

no failover key

Syntax Description

Command Default

0 (unencrypted) is the default.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Unless you secure the failover communications, all information sent over the failover and Stateful Failover links is sent in clear text. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication if you are using the ASA to terminate VPN tunnels.

We recommend using the failover ipsec pre-shared-key method of encryption over the legacy failover key method.

You cannot use both IPsec encryption (the failover ipsec pre-shared-key command) and the legacy failover key encryption. If you configure both methods, IPsec is used. However, if you use the master passphrase (see the password encryption aes and key config-key password-encryption commands), you must first remove the failover key using the no failover key command before you configure IPsec encryption.

Note

If you configure HA failover encryption in evaluation mode, the systems use DES for the encryption. If you then register the devices using an export-compliant account, the devices will use AES after a reboot. Thus, if a system reboots for any reason, including after installing an upgrade, the peers will be unable to communicate and both units will become the active unit. We recommend that you do not configure encryption until after you register the devices. If you do configure this in evaluation mode, we recommend you remove the encryption before registering the devices.

Examples

The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:

ciscoasa(config)# failover key abcdefg

The following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:

ciscoasa(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dc

The following example shows an encrypted password copied and pasted from more system:running-config output:

ciscoasa(config)# failover key 8 TPZCVNgdegLhWMa

Related Commands

To specify the interface used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.

failover lan interface if_name { phy_if [ .sub_if ] | vlan_if ] }

no failover lan interface [ if_name { phy_if [ .sub_if ] | vlan_if ] } ]

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Do not use this command when both primary and secondary units have failover enabled. Changing the failover interface configuration leads to a split-brain scenario (Active-Active).

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit.

Failover Link Data

The following information is communicated over the failover link:

• The unit state (active or standby)

• Hello messages (keep-alives)

• Network link status

• MAC address exchange

• Configuration replication and synchronization

Interface for the Failover Link

You can use any unused data interface (physical, redundant, or EtherChannel) as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link). The ASA does not support sharing interfaces between user data and the failover link even if different subinterfaces are configured for user data and failover. A separate physical, EtherChannel, or redundant interface must be used for the failover link.

See the following guidelines for the failover link:

• 5506-X through 5555-X—You cannot use the Management interface as the failover link; you must use a data interface. The only exception is for the 5506H-X, where you can use the management interface as the failover link.

• 5506H-X—You can use the Management 1/1 interface as the failover link. If you configure it for failover, you must reload the device for the change to take effect. In this case, you cannot also use the ASA Firepower module, because it requires the Management interface for management purposes.

• 5585-X—Do not use the Management 0/0 interface, even though it can be used as a data interface. It does not support the necessary performance for this use.

• Firepower 9300 ASA security module—You can use either a management type or data type interface as the failover link. To conserve interfaces and to share a failover link between modules in the same chassis, use a management type interface. For example, you have 2 chassis, each with 3 ASA security modules. You can create 3 failover pairs between the chassis. You can use a single 10 GigabitEthernet management interface between the chassis to act as the failover link. Just configure a unique VLAN subinterface within each module.

• All models—1 GB interface is large enough for a combined failover and state link.

For a redundant interface used as the failover link, see the following benefits for added redundancy:

• When a failover unit boots up, it alternates between the member interfaces to detect an active unit.

• If a failover unit stops receiving keepalive messages from its peer on one of the member interfaces, it switches to the other member interface.

For an EtherChannel used as the failover link, to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link.

Connecting the Failover Link

Connect the failover link in one of the following two ways:

• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA.

• Using an Ethernet cable to connect the units directly, without the need for an external switch.

If you do not use a switch between the units, if the interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which unit has the failed interface and caused the link to come down.

The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

Additional Guidelines

• When using VLANs on connecting switches, use a dedicated VLAN for the failover link. Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures. If you use a switch to connect the failover link, use dedicated interfaces on the switch and ASA for the failover link; do not share the interface with subinterfaces carrying regular network traffic.

• On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.

• The IP address and MAC address for the failover link do not change at failover.

Caution

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any user names, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels.

Examples

The following example configures the failover parameters for the primary unit, including a shared failover and state link:

failover lan unit primaryfailover lan interface folink gigabitethernet0/3failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2interface gigabitethernet 0/3no shutdownfailover link folink gigabitethernet0/3failover ipsec pre-shared-key a3rynsunfailover

Related Commands

To configure the ASA as either the primary or secondary unit in a LAN failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.

failover lan unit { primary | secondary }

no failover lan unit { primary | secondary }

Syntax Description

Command Default

Secondary.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:

• The primary and secondary unit both complete their boot sequence within the first failover poll check.

• The primary unit boots before the secondary unit.

If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to enter the no failover active command on the secondary (active) unit to force the primary unit back to active status.

For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).

This command must be part of the configuration when bootstrapping an ASA for LAN failover.

Examples

The following example sets the ASA as the primary unit in LAN-based failover:

ciscoasa(config)# failover lan unit primary

Related Commands

To specify the Stateful Failover interface and to enable Stateful Failover, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.

failover link if_name [ phy_if ]

no failover link

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

To use Stateful Failover, you must configure a Stateful Failover link (also known as the state link) to pass connection state information.

Shared with the Failover Link

Sharing a failover link is the best way to conserve interfaces. If you experience performance problems on that interface, consider dedicating a separate interface for the state link.

Dedicated Interface

You can use a dedicated data interface (physical, redundant, or EtherChannel) for the state link. For an EtherChannel used as the state link, to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used.

Connect a dedicated state link in one of the following two ways:

• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA.

• Using an Ethernet cable to connect the appliances directly, without the need for an external switch.

If you do not use a switch between the units, if the interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which unit has the failed interface and caused the link to come down.

The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

For optimum performance when using long distance failover, the latency for the state link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

Additional Guidelines

• In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.

• The IP address and MAC address for the Stateful Failover link does not change at failover unless the Stateful Failover link is configured on a regular data interface.

Caution

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any user names, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels.

Examples

The following example configures the failover parameters for the primary unit, including a shared failover and state link:

failover lan unit primaryfailover lan interface folink gigabitethernet0/3failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2interface gigabitethernet 0/3no shutdownfailover link folink gigabitethernet0/3failover ipsec pre-shared-key a3rynsunfailover

Related Commands

To specify the failover virtual MAC address for a physical interface, use the failover mac address command in global configuration mode. To remove the virtual MAC address, use the no form of this command.

failover mac address phy_if active_mac standby_mac

no failover mac address phy_if active_mac standby_mac

Syntax Description

Command Default

Not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The failover mac address command lets you configure virtual MAC addresses for an Active/Standby failover pair. If virtual MAC addresses are not defined, then when each failover unit boots it uses the burned-in MAC addresses for its interfaces and exchanges those addresses with its failover peer. The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.

However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit.

The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs. This command has no affect when the ASA is configured for Active/Active failover.

When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to flash memory, and then reload the failover pair. If the virtual MAC address is added when there are active connections, then those connections stop. Also, you must write the complete configuration, including the failover mac address command, to the flash memory of the secondary ASA for the virtual MAC addressing to take effect.

If the failover mac address is specified in the configuration of the primary unit, it should also be specified in the bootstrap configuration of the secondary unit.

Note	This command applies to Active/Standby failover only. In Active/Active failover, you configure the virtual MAC address for each interface in a failover group with the mac address command in failover group configuration mode.

You can also set the MAC address using other commands or methods, but we recommend using only one method. If you set the MAC address using multiple methods, the MAC address used depends on many variables, and might not be predictable.

Examples

The following example configures the active and standby MAC addresses for the interface named intf2:

ciscoasa(config)# failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8

Related Commands

To specify the failover unit poll and hold times, use the failover polltime command in global configuration mode. To restore the default poll and hold times, use the no form of this command.

failover polltime [ unit ] [ msec ] poll_time [ holdtime [ msec time ]

no failover polltime [ unit ] [ msec ] poll_time [ holdtime [ msec time ]

Syntax Description

Command Default

The default values on the ASA are as follows:

• The poll_time is 1 second.

• The holdtime time is 15 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

You cannot enter a holdtime value that is less than three times the unit poll time. With a faster poll time, the ASA can detect failure and trigger failover faster. However, faster detection can cause unnecessary switch overs when the network is temporarily congested.

If a unit does not receive a hello packet on the failover link for one polling period, additional testing occurs through the remaining interfaces. If there is still no response from the peer unit during the hold time, then the unit is considered failed and, if the failed unit is the active unit, the standby unit takes over as the active unit.

You can include both failover polltime [unit ] and failover polltime interface commands in the configuration.

Note

When CTIQBE traffic is passed through an ASA in a failover configuration, you should decrease the failover hold time on the ASA to below 30 seconds. The CTIQBE keepalive timeout is 30 seconds and may time out before failover occurs in a failover situation. If CTIQBE times out, Cisco IP SoftPhone connections to Cisco CallManager are dropped, and the IP SoftPhone clients need to reregister with the CallManager.

Examples

The following example changes the unit poll time frequency to 3 seconds:

ciscoasa(config)# failover polltime 3

The following example configures the ASA to send a hello packet every 200 milliseconds and to fail over in 800 milliseconds if no hello packets are received on the failover interface within that time. The optional unit keyword is included in the command.

ciscoasa(config)# failover polltime unit msec 200 holdtime msec 800

Related Commands

To specify the data interface polltime and holdtime in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. To restore the default polltime and holdtime, use the no form of this command.

failover polltime interface [ msec ] polltime [ holdtime time ]

no failover polltime interface [ msec ] polltime [ holdtime time ]

Syntax Description

Command Default

The default values are as follows:

• The poll time is 5 seconds.

• The holdtime time is 5 times the poll time .

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interface command in failover group configuration mode.

With a faster poll time, the ASA can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.

You can include both failover polltime unit and failover polltime interface commands in the configuration.

Note

When CTIQBE traffic is passed through an ASA in a failover configuration, you should decrease the failover hold time on the ASA to below 30 seconds. The CTIQBE keepalive timeout is 30 seconds and may time out before failover occurs in a failover situation. If CTIQBE times out, Cisco IP SoftPhone connections to Cisco CallManager are dropped, and the IP SoftPhone clients need to reregister with the CallManager.

Examples

The following example sets the interface polltime frequency to 15 seconds:

ciscoasa(config)# failover polltime interface 15

The following example sets the interface polltime frequency to 500 milliseconds and the holdtime to 5 seconds:

ciscoasa(config)# failover polltime interface msec 500 holdtime 5

Related Commands

To change the interface link state poll time, use the failover polltime link-state command in global configuration mode. To disable the link-state poll, use the no form of this command.

failover polltime link-state msec poll_time

no failover polltime link-state msec poll_time

Syntax Description

Command Default

The default polltime is 500 msec.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can customize the polltime; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster.

In Active/Active mode, you set this rate for the system; you cannot set this rate per failover group.

Examples

The following example sets the link-state polltime to 300 msec:

ciscoasa(config)# failover polltime link-state msec 300

Related Commands

To force the standby unit to reboot, use the failover reload-standby command in privileged EXEC mode.

failover reload-standby

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Use this command when your failover units do not synchronize. The standby unit restarts and resynchronizes to the active unit after it finishes booting.

Examples

The following example shows how to use the failover reload-standby command on the active unit to force the standby unit to reboot:

ciscoasa# failover reload-standby

Related Commands

To enable HTTP (port 80) connection replication, use the failover replication http command in global configuration mode. To disable HTTP connection replication, use the no form of this command.

failover replication http

no failover replication http

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment.

In Active/Active failover configurations, you control HTTP session replication per failover group using the replication http command in failover group configuration mode.

Examples

The following example shows how to enable HTTP connection replication:

ciscoasa(config)# failover replication http

Related Commands

To configure the bulk-sync connection replication rate, use the failover replication rate command in global configuration mode. To restore the default setting, use the no form of this command.

failover replication rate rate

no failover replication rate

Syntax Description

Command Default

Varies depending on your model.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

You can configure the rate at which the ASA replicates connections to the standby unit when using Stateful Failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASASM is 8 million; replicating 8 million connections in 15 seconds means creating 533 K connections per second. However, the maximum connections allowed per second is 300 K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.

Examples

The following example sets the failover replication rate to 20000 connections per second:

ciscoasa(config)# failover replication rate 20000

Related Commands

To restore a failed ASA to an unfailed state, use the failover reset command in privileged EXEC mode.

failover reset [ group group_id ]

Syntax Description

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The failover reset command allows you to change the failed unit or group to an unfailed state. The failover reset command can be entered on either unit, but we recommend that you always enter the command on the active unit. Entering the failover reset command at the active unit will “unfail” the standby unit.

You can display the failover status of the unit with the show failover or show failover state commands.

There is no no form of this command.

In Active/Active failover, entering failover reset resets the whole unit. Specifying a failover group with the command resets only the specified group.

Examples

The following example shows how to change a failed unit to an unfailed state:

ciscoasa# failover reset

Related Commands

To lock configuration changes on the standby unit or standby context in a failover pair, use the failover standby config-lock command in global configuration mode. To allow configuration on the standby unit, use the no form of this command.

failover standby config-lock

no failover standby config-lock

Syntax Description

This command has no arguments or keywords.

Command Default

By default, configurations on the standby unit/context are allowed with a warning message.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

You can lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.

Examples

The following example disallows configuration on the standby unit:

ciscoasa(config)# failover standby config-lock

Related Commands

To specify the failover reconnect timeout value for asymmetrically routed sessions, use the failover timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.

failover timeout hh [ :mm : [ :ss ]

failover timeout [ hh [ :mm : [ :ss ] ]

Syntax Description

Command Default

By default, hh , mm , and ss are 0, which prevents connections from reconnecting.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

This command is used in conjunction with the static command with the nailed option. The nailed option allows connections to be reestablished in a specified amount of time after bootup or a system goes active. The failover timeout command specifies that amount of time. If not configured, the connections cannot be reestablished. The failover timeout command does not affect the asr-group command.

Note	Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection.

Entering the no form of this command restores the default value. Entering failover timeout 0 also restores the default value. When set to the default value, this command does not appear in the running configuration.

Examples

The following example switches the standby group 1 to active:

ciscoasa(config)# failover timeout 12:30ciscoasa(config)# show running-config failoverno failoverfailover timeout 12:30:00

Related Commands

When using bridge groups or IPv6 duplicate address detection (DAD), to disable waiting for the failover peer unit to go into the standby state, use the failover wait-disable command in global configuration mode. With these features, the new active unit waits to pass traffic until after the standby unit finishes network tasks and transitions to the standby state. To reenable waiting, use the no form of this command.

failover wait-disable

no failover wait-disable

Command Default

By default, the active unit will wait up to 3000 ms for the standby unit to finish transitiong to the standby state (no failover wait-disable ).

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

When you use bridge groups or IPv6 DAD, when a failover occurs the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state. Then the active unit can start passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions.

Examples

The following example disables waiting:

ciscoasa(config)# failover wait-disableciscoasa(config)# 

To configure the fallback timers that the Cisco Intercompany Media Engine uses to fallback from VoIP to PSTN when connection integrity degrades, use the fallback command in uc-ime configuration mode. To remove the fallback settings, use the no form of this command.

fallback { sensitivity-file filename | monitoring timer timer_millisec hold-down timer timer_sec }

no fallback { sensitivity-file filename | monitoring timer timer_millisec hold-down timer timer_sec }

Syntax Description

Command Default

By default, the length of the monitoring timer is 100 milliseconds. The length of the hold-down timer is 20 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

Specifies the fallback timer for the Cisco Intercompany Media Engine.

Internet connections can vary wildly in their quality and vary over time. Therefore, even if a call is sent over VoIP because the quality of the connection was good, the connection quality might worsen mid-call. To ensure an overall good experience for the end user, Cisco Intercompany Media Engine attempts to perform a mid-call fallback.

Performing a mid-call fallback requires the ASA to monitor the RTP packets coming from the Internet and send information into an RTP Monitoring Algorithm (RMA) API, which will indicates to the ASA whether fallback is required. If fallback is required, the ASA sends a REFER message to Cisco UCM to tell it that it needs to fallback the call to PSTN.

Note	You cannot change the fallback timer when the Cisco Intercompany Media Engine proxy is enabled for SIP inspection. Remove the Cisco Intercompany Media Engine proxy from SIP inspection before changing the fallback timer.

Examples

The following example shows how to configure the Cisco Intercompany Media Engine while specifying the fallback timers:

ciscoasa(config)# uc-ime local_uc-ime_proxyciscoasa(config-uc-ime)# media-termination ime-media-termciscoasa(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-secureciscoasa(config-uc-ime)# ticket epoch 1 password password1234ciscoasa(config-uc-ime)# fallback monitoring timer 120ciscoasa(config-uc-ime)# fallback hold-down timer 30

The following example shows how to configure the Cisco Intercompany Media Engine while specifying a sensitivity file:

ciscoasa(config)# uc-ime local_uc-ime_proxyciscoasa(config-uc-ime)# media-termination ime-media-termciscoasa(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-secureciscoasa(config-uc-ime)# ticket epoch 1 password password1234ciscoasa(config-uc-ime)# fallback sensitivity-file local_uc-ime_fallback_policy

Related Commands

To fill IS-IS link-state packets (LSPs), use the fast-flood command in router isis configuration mode. To disable the fast flooding, use the no form of this command.

fast-flood [ lsp-number ]

no fast-flood [ lsp-number ]

Syntax Description

Command Default

Fast flooding is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Usage Guidelines

The fast-flood command sends a specified number of LSPs from the ASA. If no LSP number value is specified, the default it 5. The LSPs invoke SPF before running SPF. When you speed up the LSP flooding process, you improve overall network convergence time.

The ASA should always flood, at least, the LSP that triggered SPF before the router runs the SPF computation.

We recommend that you enable the fast flooding of LSPs before the ASA runs the SPF computation, in order to achieve a faster convergence time

Examples

In the following example, the fast-flood command is entered to configure the ASA to fill the first seven LSPs that invoke SPF, before the SPF computation is started. When the show running-configuration command is entered, the output confirms that fast flooding has been enabled on the ASA:

ciscoasa# clear isis rib redistribution 10.1.0.0 255.255.0.0ciscoasa> enableciscoasa# configure terminalciscoasa(config)# router isisciscoasa(config-router)# fast-flood 7ciscoasa(config-router)# endciscoasa# show running-config | inc fast-floodfast-flood 7

Related Commands