CCIE

ASA Failover
ASA Active/Standby Failover

Failover is a redundancy feature of the ASA firewall. For a failover configuration we need two identical ASAs connected to each other through a
dedicated failover link. There are a few requirements for failover:

1. Both ASAs should be the same hardware model
2. Same software version
3. Same number of interfaces and same interface types
4. Same amount of flash (the primary may have more flash than the secondary, but never less)
5. Same DRAM
6. Same operating mode

The reasons for failover

1. The ASA is powered down or off, or rebooted.
2. A link is down for more than 30 seconds.
3. The failover active or failover command is issued on the ASA firewall.

There are two types of failover:

1. Stateless (regular) failover
   Client applications must reconnect themselves.
   Stateful information is never passed to the standby unit.
   Provides redundancy via cable-based failover.

2. Stateful failover
   All of the state information for each connection is passed to the standby unit.
   End users do not need to reconnect.
   State data passed includes global address pool information and states, connections, translations, PAT, etc.
   Provided by LAN-based failover.

Whenever failover occurs, the following stateful information is passed to the standby unit:

1. NAT translation table
2. TCP connection states
3. UDP connection states
4. The ARP table
5. Layer 2 bridge table (when running in transparent mode)
6. HTTP connection states (if HTTP replication is enabled)
7. IPsec and ISAKMP
8. GTP (GPRS Tunneling Protocol) and PDP (Packet Data Protocol) - voice inspection
9. SIP signaling

The information that is not passed to the standby unit:

1. The user authentication table (uauth)
2. The routing table
3. Multicast traffic information
4. State information for security service cards
5. DHCP server address leases
6. Stateful failover for phone proxy
7. The HTTP connection table, unless HTTP replication is enabled

Failover Restrictions (unsupported)

1. DHCP client
2. PPPoE (Point-to-Point Protocol over Ethernet)
3. IPv6

Failover interface testing

1. Link up and down test
2. Network activity test
3. ARP test
4. Broadcast ping test

There are basically two types of failover configuration, Active/Active and Active/Standby. The difference between them is that
Active/Active failover must run in multiple-context mode, and both ASAs can pass traffic (for example, context C1 active on ASA1 and C2 on ASA2). In Active/Standby
failover only one ASA passes traffic while the other waits in the standby state. Both failover configurations support stateful or stateless failover.

Note: Failover hello messages are generated on the failover link every 15 seconds by default.
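The following is an added configuration example, not part of the original notes, showing how the pieces described above (a dedicated failover link, a separate stateful link, HTTP replication and the unit/interface hello timers) come together on an Active/Standby pair. Interface names, IP addresses, the link names FOLINK and STATELINK and the shared key value are all assumed for illustration; replace them with your own.

```cisco
! ===== Primary unit (assumed names and addresses; added example) =====
! Identify this chassis as the primary and define the dedicated failover link.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.1.1.1 255.255.255.252 standby 10.1.1.2
!
! Separate stateful link: carries the NAT, TCP/UDP, ARP, IPsec etc. state listed above.
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 10.1.2.1 255.255.255.252 standby 10.1.2.2
!
! Failover and state messages are sent in clear text unless a key is set;
! the key authenticates and encrypts them (placeholder value, use a real secret).
failover key CHANGE-ME-shared-secret
!
! HTTP connection states are only replicated when this is enabled.
failover replication http
!
! Unit hello timers (hold time must be at least three times the poll time).
failover polltime unit 1 holdtime 15
! Interface hello timers: when an interface misses hellos the link, network
! activity, ARP and broadcast ping tests listed above decide if it has failed.
failover polltime interface 5 holdtime 25
!
! Every monitored data interface needs an active and a standby address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
!
! Enable failover last, after the parameters above are in place.
failover

! ===== Secondary unit (same model, software, interfaces and memory) =====
! Only the failover link has to be configured by hand; the rest of the
! running configuration is replicated from the primary once failover is enabled.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key CHANGE-ME-shared-secret
interface GigabitEthernet0/3
 no shutdown
failover
```

To check the pair, run show failover on either unit: it reports which unit is active, the state of the failover and stateful links, and per-interface monitoring status, so a link that has failed one of the interface tests shows up there before it causes a switchover.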
