of 17
8/13/2019 Failover Overview
1/17
FAILOVER OVERVIEW
8/13/2019 Failover Overview
2/17
FAILOVER OVE
Two ASAs can be configured to operate as a high availability or failover pa
to leverage two separate devices so that one of them is always available in c
one fails. Naturally, there is a possibility that both ASAs might fail within the sam
timeframe, but your goal as a network professional should be to minimize tha
8/13/2019 Failover Overview
3/17
FORMS OF FA
Active-standby: One ASA takes on the active role, handling all the normal se
functions. The other ASA stays in standby mode, ready to take over the active
the event of a failure. The active-standby failover mode provides device redu
Active-active:When the ASAs are running multiple security contexts, the conorganized into groups. One ASA is active for one group of contexts, and the o
active for another group. In effect, both ASAs are actively involved in providi
functions, but not in the same security context simultaneously.
The active-active failover mode provides both device redundancy and load
across contexts.
8/13/2019 Failover Overview
4/17
FAILOVER
To coexist as a failover or redundant pair, two ASAs must be an identical mod
coordinate their failover roles. In active-standby failover, one ASA must funct
active unit, handling all traffic inspection at any given time. The other ASA mu
idle, waiting to take over the active role. Figure 14-1 illustrates this arrangeme
topmost ASA is active, while the bottommost ASA is in standby mode.
8/13/2019 Failover Overview
5/17
FAILOVER
Notice that the ASA pair must share identical sets of interfaces. For example,
an inside and an outside interface, and the similar interfaces must be connec
This is for two reasons:
The standby unit must be ready to take over handling traffic at any time, somust be connected and ready to use.
The two ASAs monitor each others health by communicating over each of
interfaces.
8/13/2019 Failover Overview
6/17
FAILOVER
8/13/2019 Failover Overview
7/17
FAILOVER
8/13/2019 Failover Overview
8/17
FAILOVER
The primary and secondary designations only determine the active and s
addresses not the active and standby roles.
8/13/2019 Failover Overview
9/17
FAILOVER
Active- Active Failover mode
8/13/2019 Failover Overview
10/17
FAILOVER
During a failure in active-active failover mode, the two ASAs effectively sw
but only on a failover group basis. In next Figure, the entire primary ASA h
rendering both of its contexts in failover group 1 useless. The secondary A
on the active role for failover group 1 (ContextA and ContextC), althoug
already active for failover group 2 (ContextB).
8/13/2019 Failover Overview
11/17
FAILOVER
8/13/2019 Failover Overview
12/17
FAILOVER
The ASA configurations are always maintained on the active unit. As you mak
the running configuration, the commands are automatically synchronized fro
unit to the standby unit. You can force the running configuration synchroniza
entering the write standby command on the active unit.
8/13/2019 Failover Overview
13/17
FAILOVER
Links Used for Failover Communication
8/13/2019 Failover Overview
14/17
DETECTING AN ASA F
Two ASAs must be configured with their primary and secondary failover id
that the active unit can determine which MAC and IP addresses to use. B
determines which unit takes on the active role? Each ASA must go throug
election process when it boots.
8/13/2019 Failover Overview
15/17
DETECTING AN ASA F
The election process takes place as follows:
If a peer is detected, is trying to negotiate its own role, and is equally healthy as
ASA, the primary unit will become active and the secondary unit will become s
If a peer is detected, is trying to negotiate its own role, but is not equally healthy
of the two ASAs will become active.
If a peer is detected and it already has the active role, the booting ASA will bec
If no peer is detected at all, the booting ASA will become active.
If the booting ASA becomes active, but later detects its peer that is also active
negotiating roles with its peer to elect only one active role.
8/13/2019 Failover Overview
16/17
DETECTING AN ASA F
An ASA monitors the health of its peer according to the following rules:
As long as hellos are received over the LAN failover interface, the peer mus
and no failover occurs.
If hellos are not received over the LAN failover interface, but hellos are rece
monitored interfaces, the peer must be alive and no failover occurs. Only t
failover interface is declared to be failed and should be repaired as soon
If no hellos are received on any interface for a hold time interval, the peer i
be failed and failover occurs.
8/13/2019 Failover Overview
17/17