Cisco ASA Failover – active / passive mode

The Cisco ASA range offers, from its smallest model, the 5505, upwards, a useful feature that lets you build a working active/passive topology quickly and cleanly. The principle is simple: the configuration established on the unit declared as primary is replicated to the unit declared as secondary; when the nominal unit fails, the passive unit takes over with the complete configuration of the primary (and, with a stateful link, its connection tables as well).

We will use a relatively simple setup here, with the commands shown as entered in configuration mode. The ASA starts from a base with two interfaces, one inside and one outside, configured like this (the addresses are written as placeholders; substitute your own):
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <outside-ip> <mask> standby <outside-standby-ip>
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address <inside-ip> <mask> standby <inside-standby-ip>
 no shutdown

The first thing you will probably notice is the standby keyword. It defines the IP address that the interface carries on whichever unit is currently in standby; the active unit always holds the main address, so the addresses follow the role rather than the chassis, and clients never need to learn a new gateway after a switchover.

Now let us look more closely at the configuration of the primary unit:
failover lan unit primary
failover lan interface failoverlink Ethernet0/7
failover key *****
failover link failoverlink Ethernet0/7
failover interface ip failoverlink <failover-ip> <mask> standby <failover-standby-ip>
failover

The failover command simply enables the feature on our ASA; it is entered last, once the rest of the bootstrap is in place.
The failover lan unit primary command tells this ASA that it must act as the primary when it talks to the other unit.
The failover lan interface failoverlink Ethernet0/7 command designates the link that carries the failover exchanges (hello messages and configuration replication) between the primary and the secondary unit. Here Ethernet0/7 is the interface on which we cable our two ASAs directly to each other; failoverlink is simply the name we give that interface. Keep this link dedicated, either a direct cable or its own VLAN: anything that can reach it can observe the replication traffic, and if the two units lose sight of each other over it, both may end up active.
The failover key command defines a shared key that authenticates and encrypts the failover communication between the two units. Without it, everything replicated over the link, passwords and VPN pre-shared keys included, crosses the wire in cleartext. The key is shown masked here and must be identical on both units.
The failover link failoverlink Ethernet0/7 command enables stateful failover (replication of connection tables, xlates, ARP entries, VPN state) and puts it on the same interface; when the stateful link shares the interface with the failover link, it must carry the same name.
The failover interface ip failoverlink ... standby ... command sets the addresses used on that link for the exchanges between the two units: the first address is used by the active unit and the address after standby by the standby unit.

As you can see, there is no great difficulty for the primary unit. Now let us look at the secondary unit, which is even simpler:
failover lan unit secondary
failover lan interface failoverlink Ethernet0/7
failover key *****
failover interface ip failoverlink <failover-ip> <mask> standby <failover-standby-ip>
failover

The only difference is the failover lan unit secondary command, which sets the role of our second unit. The interface configuration is not typed on the secondary: once failover comes up, the active unit pushes its configuration, standby addresses included, to the other one, which is why the failover lan interface, failover key and failover interface ip commands must be entered identically on both.
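As an added example, not code from the original post, the following Python script audits a pair of bootstrap configurations for the slips that commonly break this setup: failover not enabled, no failover key, the failover lan interface or failover interface ip commands differing between the two units, and a named data interface with no standby address. The configurations it checks are constructed with documentation-range addresses and an example key; the article's real addresses are not reproduced.

```python
"""Added example (not from the article): audit a pair of ASA active/standby
bootstrap configurations for the slips that commonly break failover."""
import re

# Constructed sample configurations using documentation-range addresses;
# the article's own addresses are not reproduced here.
PRIMARY_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover lan unit primary
failover lan interface failoverlink Ethernet0/7
failover key example-shared-key
failover link failoverlink Ethernet0/7
failover interface ip failoverlink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
"""

SECONDARY_CONFIG = """
failover lan unit secondary
failover lan interface failoverlink Ethernet0/7
failover key example-shared-key
failover interface ip failoverlink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
"""

# Same secondary with two common slips: no key, and a link name that does
# not match the primary's.
SECONDARY_CONFIG_BAD = """
failover lan unit secondary
failover lan interface failover Ethernet0/7
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
"""


def parse_failover(config):
    """Extract the failover-relevant facts from one unit's configuration."""
    info = {"enabled": False, "unit": None, "lan_if": None, "ip_name": None,
            "ip_line": None, "key": False, "data_ifaces": {}}
    current = None  # interface block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            info["data_ifaces"][current] = {"nameif": None, "standby": False}
        elif current and line.startswith("nameif "):
            info["data_ifaces"][current]["nameif"] = line.split()[1]
        elif current and line.startswith("ip address "):
            info["data_ifaces"][current]["standby"] = " standby " in line
        elif line.startswith("failover"):
            current = None
            if line == "failover":
                info["enabled"] = True
            m = re.match(r"failover lan unit (primary|secondary)$", line)
            if m:
                info["unit"] = m.group(1)
            m = re.match(r"failover lan interface (\S+) (\S+)$", line)
            if m:
                info["lan_if"] = (m.group(1), m.group(2))
            m = re.match(r"failover interface ip (\S+) \S+ \S+ standby \S+$", line)
            if m:
                info["ip_name"], info["ip_line"] = m.group(1), line
            if line.startswith("failover key "):
                info["key"] = True
    return info


def audit_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair looks sane."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    for label, u in (("primary", p), ("secondary", s)):
        if not u["enabled"]:
            findings.append(f"{label}: 'failover' is not enabled")
        if not u["key"]:  # without a key, replication crosses the link in cleartext
            findings.append(f"{label}: no 'failover key' set")
        for cmd, field in (("failover lan interface", "lan_if"),
                           ("failover interface ip", "ip_line")):
            if u[field] is None:
                findings.append(f"{label}: '{cmd}' missing")
    if p["unit"] != "primary" or s["unit"] != "secondary":
        findings.append("unit roles are not one primary and one secondary")
    if p["lan_if"] and s["lan_if"] and p["lan_if"] != s["lan_if"]:
        findings.append(f"failover lan interface differs: primary {p['lan_if']}, secondary {s['lan_if']}")
    if p["ip_line"] and s["ip_line"] and p["ip_line"] != s["ip_line"]:
        findings.append("failover interface ip differs between units")
    if p["lan_if"] and p["ip_name"] and p["ip_name"] != p["lan_if"][0]:
        findings.append("primary: failover interface ip does not name the failover lan interface")
    for port, d in p["data_ifaces"].items():
        if d["nameif"] and not d["standby"]:
            findings.append(f"primary: {d['nameif']} ({port}) has no standby address")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(PRIMARY_CONFIG, SECONDARY_CONFIG_BAD):
        print(finding)
```

Run against the mismatched secondary it reports the missing key and both differing failover link commands; against the matching pair it returns nothing. Only the primary's data interfaces are inspected because the secondary receives them by replication.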

To verify, and if necessary debug, the configuration, show failover is useful:
ciscoasa(config)# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Ethernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 11:24:53 UTC December 1, 2009
        This host: Primary - Active
                Active time: 1214 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface outside (<outside-ip>): Normal
                  Interface inside (<inside-ip>): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 871 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface outside (<outside-standby-ip>): Normal
                  Interface inside (<inside-standby-ip>): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1278       0          1256       0
        sys cmd         4212       0          2352       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         226        0          2          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       3292
        Xmit Q:         0       2       19308

The things to check in this output are Failover On, the same version for Ours and Mate, one host Active and the other Standby Ready, every monitored interface reported Normal, and zeros in the xerr and rerr columns of the stateful statistics. Note that this capture comes from a pair of ASA 5510s whose stateful link is on Ethernet0/3; with the configuration above, the Link line would read failoverlink Ethernet0/7.
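As an added example, not part of the original post, the following Python script applies those checks to a show failover capture. The capture it parses is constructed to match the structure of the output above, with documentation-range addresses standing in for the real ones; a degraded copy of it shows how a version mismatch, a failed mate, an interface that is not Normal and replication errors all surface as findings.

```python
"""Added example (not from the article): health-check a 'show failover'
capture, flagging the conditions that mean the pair cannot fail over."""
import re

# Constructed capture shaped like the article's output, with documentation
# addresses (RFC 5737) in place of the real ones.
SHOW_FAILOVER_OK = """\
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Ethernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 11:24:53 UTC Dec 1 2009
        This host: Primary - Active
                Active time: 1214 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface outside (203.0.113.2): Normal
                  Interface inside (192.168.1.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 871 (sec)
                slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
                  Interface outside (203.0.113.3): Normal
                  Interface inside (192.168.1.2): Normal

Stateful Failover Logical Update Statistics
        Link : failoverlink Ethernet0/7 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1278       0          1256       0
        sys cmd         4212       0          2352       0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         226        0          2          0
"""

# Same capture with four faults injected: version skew, a failed mate, an
# interface that is not Normal, and transmit errors on TCP replication.
SHOW_FAILOVER_DEGRADED = re.sub(
    r"TCP conn\s+0\s+0\s+0\s+0", "TCP conn 12 3 9 0",
    SHOW_FAILOVER_OK.replace("Mate 7.2(2)", "Mate 7.2(1)")
    .replace("Secondary - Standby Ready", "Secondary - Failed")
    .replace("(203.0.113.3): Normal", "(203.0.113.3): Failed (Waiting)"))


def check_failover(output):
    """Return the problems found in 'show failover' output (empty list = healthy)."""
    findings = []
    if not re.search(r"^Failover On\b", output, re.M):
        findings.append("failover is not enabled")
    m = re.search(r"Failover LAN Interface: \S+ \S+ \((\w+)\)", output)
    if m and m.group(1) != "up":
        findings.append(f"failover LAN interface is {m.group(1)}")
    m = re.search(r"Version: Ours (\S+), Mate (\S+)", output)
    if m and m.group(1) != m.group(2):
        findings.append(f"software mismatch: ours {m.group(1)}, mate {m.group(2)}")
    # One unit must be Active and the other Standby Ready for a switchover to work.
    states = dict(re.findall(r"(This|Other) host: \w+ - (.+)$", output, re.M))
    states = {who: state.strip() for who, state in states.items()}
    if "Active" not in states.values():
        findings.append("no unit is Active")
    if "Standby Ready" not in states.values():
        findings.append(f"no unit is Standby Ready (states: {states})")
    # Every monitored interface on both units should report Normal.
    for name, ip, state in re.findall(r"Interface (\S+) \(([^)]*)\): (.+)$", output, re.M):
        if state.strip() != "Normal":
            findings.append(f"interface {name} ({ip}) is {state.strip()}")
    # Non-zero xerr/rerr columns mean state replication is failing.
    for obj, xmit, xerr, rcv, rerr in re.findall(
            r"^\s*([A-Za-z][\w ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", output, re.M):
        if int(xerr) or int(rerr):
            findings.append(f"{obj}: {xerr} transmit / {rerr} receive errors")
    return findings


if __name__ == "__main__":
    for label, capture in (("ok", SHOW_FAILOVER_OK), ("degraded", SHOW_FAILOVER_DEGRADED)):
        print(label, check_failover(capture) or "healthy")
```

The same function can be fed the output of the real command (for example collected over SSH on a schedule) to alert when the pair silently loses its standby, which is the failure mode that only shows up on the day a switchover is actually needed.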

Finally, a few other commands can be quite useful. failover active forces a switchover, making the standby unit take the active role; to go back the other way, a no failover active is enough. You can also reload the standby unit from the active one with failover reload-standby. Another point worth looking at is the configuration of interface monitoring (monitor-interface), which determines which interface failures count towards triggering a switchover. It would take too long to detail every available command, which is why I urge you to consult the Cisco documentation on the failover commands.
