ASA Active/Standby Failover

Active/Standby failover is the redundancy feature of the ASA firewall. It needs two identical ASAs connected by a dedicated failover link: an Ethernet interface on each unit, joined by a direct cable or an isolated switch/VLAN segment. Configuration and (optionally) connection state are replicated over that link, so it should never share a segment with untrusted hosts.

Requirements for the two units:

  1. Same hardware model
  2. Same software version (the same major and minor release; a mismatch is tolerated only briefly during a zero-downtime upgrade)
  3. Same number and type of interfaces
  4. Same amount of flash (sizes may differ, but the unit with less flash must still hold the software images and configuration files)
  5. Same amount of RAM
  6. Same operating mode: routed or transparent, and single or multiple context

Events that trigger a failover in a live network:

  1. The active unit loses power, is powered off or reboots.
  2. A monitored interface stays down beyond the interface hold time (on the order of 30 seconds with default timers; adjustable with failover polltime interface).
  3. A manual switchover: failover active issued on the standby unit, or no failover active issued on the active unit.

Two types of failover:

  1. Stateless (regular) failover
     • Connection state is not replicated, so client applications must reconnect after a switchover
     • Only the configuration is synchronised, over the failover link; no state link is needed
  2. Stateful failover
     • Per-connection state is replicated continuously to the standby unit, so established sessions survive the switchover and end users do not need to reconnect
     • Replicated state includes the NAT/PAT translation table, the connection table, address-pool state and the other per-session data listed below
     • Requires a Stateful Failover (state) link in addition to the failover link; the two may share one physical interface, but a dedicated interface is recommended
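The configuration below is an added example (not part of the original note) showing the difference between the two types on the CLI: a stateless pair needs only the failover link, a stateful pair also needs the state link. Interface names (FOVER, STATE, outside, inside), addresses and the shared secret are placeholders chosen for the example.

```cisco
! Added example, not from the original note: Active/Standby pair with Stateful Failover.
! Assumed names: failover interface FOVER on Gi0/3, state interface STATE on Gi0/4;
! all addresses and the shared secret are placeholders.
!
! --- Primary unit ---
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover interface ip FOVER 10.0.254.1 255.255.255.252 standby 10.0.254.2
! Stateful Failover link. Leave these two lines out for stateless (regular) failover.
! To share one physical link, name the same interface here as in "failover lan interface".
failover link STATE GigabitEthernet0/4
failover interface ip STATE 10.0.253.1 255.255.255.252 standby 10.0.253.2
! Without a key, config sync (including passwords) and replicated connection state
! cross the failover and state links in clear text.
failover key REPLACE-WITH-SHARED-SECRET
! HTTP connections are not replicated unless explicitly enabled.
failover replication http
!
! Every data interface needs a standby address; on switchover the new active unit
! takes over the active IP and MAC addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
failover
!
! --- Secondary unit (bootstrap only; the rest of the config syncs from the active unit) ---
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/3
failover interface ip FOVER 10.0.254.1 255.255.255.252 standby 10.0.254.2
failover link STATE GigabitEthernet0/4
failover interface ip STATE 10.0.253.1 255.255.255.252 standby 10.0.253.2
failover key REPLACE-WITH-SHARED-SECRET
failover
```

After both units come up, show failover should report the primary as Active and the secondary as Standby Ready, and show failover history lists every role change with its reason; a state link that never shows transmit/receive counters in the Stateful Failover statistics means the pair is effectively running stateless.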

With Stateful Failover, the following state is replicated to the standby unit as it changes, so it is already in place when a switchover happens:

  1. NAT translation table
  2. TCP connection states
  3. UDP connection states
  4. The ARP table
  5. Layer 2 bridge table (transparent mode)
  6. HTTP connection states (only if HTTP replication is enabled)
  7. IPsec and ISAKMP SA tables
  8. GTP (GPRS Tunneling Protocol) PDP (Packet Data Protocol) contexts
  9. SIP signaling sessions

State that is not replicated to the standby unit:

  1. The user authentication table (uauth)
  2. The routing table
  3. Multicast traffic information
  4. State information for security service modules/cards
  5. DHCP server address leases
  6. Phone proxy state
  7. The HTTP connection table, unless HTTP replication is enabled

Features not supported with failover:

  1. DHCP client
  2. PPPoE (Point-to-Point Protocol over Ethernet)
  3. IPv6 (on the ASA releases this note covers; later releases added IPv6 failover support)

Failover interface testing

When a monitored interface receives no traffic for a poll period, the ASA runs the following tests in order; the interface passes as soon as one test sees traffic and is marked failed only if all of them fail. A unit is declared failed when its number of failed monitored interfaces reaches the configured interface policy (one interface by default) and the peer is in better shape.

  1. Link up/down test
  2. Network activity test
  3. ARP test
  4. Broadcast ping test
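An added example (not from the original note) of the commands that decide which interfaces are health-tested and how quickly a failure is declared; it also covers the unit-level timers behind the trigger list above. Interface names and timer values are illustrative.

```cisco
! Added example, not from the original note: interface monitoring and failure timers.
! Interface names (outside, inside, management) and the timer values are placeholders.
!
! Only monitored interfaces run the link / activity / ARP / broadcast-ping tests.
! Physical interfaces are monitored by default; exclude an interface whose far side
! can legitimately be quiet, otherwise a silent segment can cause a false failover.
monitor-interface outside
monitor-interface inside
no monitor-interface management
!
! Interface health: poll every 3 seconds, declare the interface failed after
! 15 seconds of failed tests (defaults are 5 and 25 seconds).
failover polltime interface 3 holdtime 15
!
! Unit health: hello every second over the failover link, declare the peer failed
! after 3 seconds without hellos (defaults are 1 and 15 seconds).
failover polltime unit 1 holdtime 3
!
! Give up the active role only once two monitored interfaces have failed
! (default policy is 1 interface; a percentage of monitored interfaces is also accepted).
failover interface-policy 2
```

Shorter hold times mean faster detection but more risk of a spurious switchover during a brief link flap or a busy peer; tune them against the actual switch convergence time on the failover link, and check the result with show failover, which prints the current poll/hold values and each monitored interface's state (Normal, Testing, Failed, and so on).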