Cisco ASA: Failover   Leave a comment


Not using active/active, as ASA terminates VPN connections

– Failover requires 2 identical ASA’s connected through a dedicated failover, and optionally stateful failover, link
– Types
o Active/active: both units pass traffic (ie, load balancing). Units need to be in multiple context mode
o Active/standby: one unit passes traffic. Units either in single or multiple context mode
– Both types support stateful or stateless failover
– VPN failover only available for active/standby, ie not for units in multiple context mode

– Hardware
o Same model, # of interfaces & same RAM
– Software
o Same major & minor software version
– License
o At least one with an unrestricted license (UR)
o Licensed features must be identical

Active/Standby Failover Overview
– Standby unit takes over functions of failed primary unit
– Newly active unit assumes IP & MAC addresses of failed unit

Primary/Secondary Status & Active/Standby Status
– Differences are:
o Primary unit becomes active if both units start at same time
o Primary unit MAC always coupled with active IP
 Exception is when secondary unit is active & can’t obtain primary MAC address over failover link > secondary MAC address used

Device initialization & configuration synchronization
– Synchronization occurs when one or both boot
– Configurations are always synchronized from the active unit to the standby unit
o After startup, the standby clears its config (except failover commands)
– Active unit determination
o If a unit boots & detects a peer already operating as active, it becomes the standby unit
o If a unit boots & does not detect a peer, it becomes the active unit
o If both units boot together, the primary unit becomes the active unit
– Network traffic interruption
o If secondary unit boots & doesn’t detect primary it becomes active unit
 Uses own MAC address for the active IP address
 Thus is primary unit becomes available, it changes its MAC address to the primary unit
• Thus, an interruption
o So, configure failover pair with virtual MAC addresses
– On standby unit, config only exists in memory > command to save to flash on primary will be replicated on secondary

Command replication
– Always flows from active to standby unit
– Command: “write standby” cause standby to clear running config & active sends its entire config to standby
– Command: “copy running-config startup-config” on active will repeat save to flash on standby

Failover Triggers
– Unit fails on these events:
o Unit has hardware or power failure
o Unit has a software failure
o Too many monitored interfaces fail
o Commands: “no failover active” on active, or “failover active” on standby

Failover Actions
Failure Event Policy Active Action Standby Action Notes
Active unit failed (power or h/w) Failover n/a Becomes active; mark active as failed No hello messages are received on any monitored interface or failover link
Formerly active unit recovers No failover Becomes standby No action None
Standby unit failed (power or h/w) No failover Mark standby as failed n/a When the standby unit is marked as failed, no attempt a failover
Failover link failed within operation No failover Mark failover interface as failed Mark failover interface as failed Intervention: restore failover link ASAP > no failover possible
Failover link failed at startup No failover Mark failover interface as failed Become active Both units become active
Stateful failover link failed No failover No action No action State information becomes non-current. Sessions are terminated on failover
Interface failure on active unit above threshold Failover Mark active as failed Become active None
Interface failure on standby unit above threshold No failover No action Mark standby as failed When the standby unit is marked as failed, no attempt a failover

Failover types
– Regular Failover
o All active connections are dropped & must be re-established
– Stateful failover
o Active unit continually passes per-connection state info to standby unit
o State information passed to standby
 NAT translation table
 TCP & UDP connection states
 ARP table
 Layer 2 bridge info (when in transparent firewall mode)
 HTTP connection states (if HTTP replication is enabled)
 ISAKMP & IPSec SA tables
 GTP PDO connection database
o State information not passed to standby
 HTTP connection states (if HTTP replication is not enabled)
 User authentication table (uauth)
 Routing tables
 State info for security service modules
 Session information between IP SoftPhone client & Call Manager

– Primary unit
o Configure active & standby IP addresses for each interface
 “ip address active_addr netmask standby standby_addr”
o Designate as primary unit
 “failover lan unit primary”
o Define the failover interface
 “failover lan interface if_name phy_if”
• “if_name” assigns name to interface specified by “phy_if”
• “phy_if” can be physical port or sub-interface
o Assign active & standby IP address to failover link
 “failover interface ip if_name ip_addr mask standby ip_addr”
• Standby IP must be in same subnet as active
• Failover link IP & MAC don’t change at failover, ie, they stay with the unit
 Enable the interface
o Optionally configure stateful failover link
 Specify interface to be used
• “failover link if_name phy_if”
o Can use failover link
 Assign active & standby IP address
• “failover interface ip if_name ip_addr mask standby ip_addr”
o Standby IP must be in same subnet as active
 Enable the interface
o Enable failover
 “failover”
• Enter on primary device first
o Save config to flash
– Secondary unit
o Define failover interface
 “failover lan interface if_name phy_if
o Assign active & standby IP address
 “failover interface ip if_name ip_addr mask standby ip_addr”
o Enable the interface
o Designate the unit as a secondary
 “failover lan unit secondary”
o Enable failover
 “failover”
o Save config to flash

– Management port as failover

Hi Woz,

First off, if you can upgrade your software version to 8.x and the ASDM software to 6.(x) that would be a great start.

So the ASA only does 802.1q trunking. If you have G0/0 hooked up to port fa0/3 on your switch then you will want to make sure 802.1q is enabled on that port. I would just use a patch cable, no crossover cable. So then you will want to setup your sub-interfaces on the ASA. Here is some config that I snipped from my lab ASA5520:

interface GigabitEthernet0/1
description 802.1q Trunking Interface for test networks

no nameif
no security-level
no ip address
interface GigabitEthernet0/1.2
description Test Subnet 1

vlan 2
nameif test1

security-level 90
ip address

interface GigabitEthernet0/1.3
description Test Subnet 2 vlan 3
nameif test2
security-level 80
ip address

This should get your trunking working as well as your vlans. Now you mention you have multiple switches. If that is the case, you may want to think about using a redundant interface on the ASA so you can hook up both your switches to it for failover. Just an idea if you are going to put this in production for failover.




Hi Ryan

I did configuration (see picture below).

Two ISP modems I connected with Catalyst 3550 to Vlan 1 and Vlan 2, I did Trunk port that I connect with ASA Ga0/1.

On ASA I created two sub interfaces Ga0/1.1(name M1) and Ga0/1.2 (name M2) working on Vlan 2 and Vlan 3.

And after I set one of global domain IP address on each sub interfaces I got connection from asa to each modem gateways

ASA# ping


ASA# ping


But, net step I tried to set routing so I did static default route to Modem 1 through

S [1/0] via, M1

C is directly connected, LAN

C is directly connected, M1

C is directly connected, M2

I was able to set NAT for that network and everything was working fine but question to you, because there is no way to set other like dynamic routing
I have no idea how to set route to both network on M1 and M2, and only one default route can be set.
When I chancged routing to modem 2 I was able to use NAT translation and connection through Modem 2 -network
S [1/0] via, M2

C is directly connected, LAN

C is directly connected, M1

C is directly connected, M2

Any Idea how to set ASA to make those two networks working together?

Re: Sub Interfaces in Cisco ASA5520 through trunk for Vlans

There is not a really good way to do this. What you could do is route a subset of addresses out one or the other. So if you did a “route M1 “, then set the default route to M2. In that case anything >=128.x.x.x would go out M1 and anything sample configs section of the 8.2 configuration guide has some examples of the Track and SLA.

The bottom line is the ASA is not a really good route decision point for this. A more enterprise solution would have a BGP advertised address range terminated to a couple of routers in front of the ASA. The ASA can be paired with another one for failover and even can use an additional “failover” interface. The ASA can have multiple default routes, but they need to be on the same logical interface. In which case the next hop device(s) should all support routing.


Re: Sub Interfaces in Cisco ASA5520 through trunk for Vlans

Paul is right on this one, you will have to use SLA along with track for ISP failover, or route different networks through different ISP’s. I am not sure what you final goal is but if you haven’t done the SLA/track’s configuration before, just let us know and we would be glad to help out.



Posted March 1, 2013 by terop

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: