
Cisco ASA Firewall Active Standby Failover

February 25, 2020

In Active/Standby, one device acts as the active unit and the other as the standby. The active device handles all traffic and replicates its configuration and connection states to the standby. By default, all interfaces are monitored to trigger failover. If an interface goes down on the active device, the standby takes over the active role and users see no interruption, because the standby already holds all active connection states; the new active unit also takes over the primary IP address and primary MAC address, while the former active unit takes the IP address and MAC address of the secondary. In transparent firewall mode, the standby takes over the management IP address of the former active ASA.

If we change or add configuration on the active device, it is replicated to the standby; changes made on the standby are not replicated to the active device.

To configure Active/Standby failover we need to configure a failover link and a stateful link. The stateful link is optional.

We can use the same interface for both links or separate interfaces.

By default, communication on the failover and stateful failover links is plain text (unencrypted), but we can encrypt this communication for enhanced security by configuring an IPsec encryption key.

Cisco ASA Active Standby Failover Configuration Example

February 23, 2020

The Cisco ASA Active/Standby failover feature provides stateful failover: if one firewall fails, traffic moves to the secondary firewall and users see no blip in connectivity. For a detailed overview of ASA Active/Standby, read the article below.

ASA Failover Active/Standby (Failover and stateful link on different interfaces)

In the topology below, we use a single link for both the failover link and the stateful link; the two firewalls are directly connected by a single link on port Gi0/2. We can also connect the two ASA firewalls through a layer 2 switch, but that switch should carry no other connections, and we should configure the VLANs on it. This is not compulsory, but Cisco recommends it for security reasons.

There are many things to keep in mind before and after configuring Active/Standby failover, but we can't cover all of them in this example, so we have created a separate article for them.

ASA active standby topology

ASA1

conf t
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
int g0/2
 no shut
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
wr

OPTIONAL (interface names are case-sensitive and must match the nameif configured above)

monitor-interface inside
monitor-interface outside

NOTE: The ASA needs something that can trigger the failover mechanism. By default, all physical interfaces are monitored and used to trigger failover, and a hardware or software failure also triggers failover. If we don't want to monitor all interfaces, we can define which interfaces are monitored.
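Before bringing the pair up it is worth checking the two configurations against each other, and against the points made in the overview post above: the failover interface settings must match on both units, the stateful link is optional, interfaces should carry a standby address, and the failover link is plain text unless a key is configured. The following audit script is an added example, not code from the original article. It parses running-config style text (interface sub-commands indented by one space) and recognises the real ASA commands `failover key` and `failover ipsec pre-shared-key` as the two ways of protecting failover traffic; the sample configs are constructed from the ASA1/ASA2 snippets on this page, not captured from a live device.

```python
"""Sanity-check a Cisco ASA Active/Standby pair from the text of their configs.

Added example (not from the original article). Reports mismatched failover-link
settings, a missing stateful link, interfaces without a standby address, and a
failover link left in plain text because no failover key is configured.
"""
from dataclasses import dataclass

# Constructed sample configs modelled on the ASA1/ASA2 snippets on this page.
ASA1_CONF = """\
failover lan unit primary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.254 255.255.255.248 standby 30.30.30.253
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.254 255.255.255.0 standby 20.20.20.253
"""

ASA2_CONF = """\
failover lan unit secondary
failover lan interface FAIL_OVER GigabitEthernet0/2
failover link FAIL_OVER GigabitEthernet0/2
failover interface ip FAIL_OVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover
"""


@dataclass
class Finding:
    severity: str  # "error", "warn" or "info"
    message: str


def parse_failover(conf: str) -> dict:
    """Collect the top-level 'failover ...' commands of one unit."""
    fo = {"unit": None, "lan_if": None, "lan_phys": None, "link_if": None,
          "ip": None, "enabled": False, "key": False}
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0] != "failover":
            continue                      # skips 'no failover' and other lines
        if len(tok) == 1:
            fo["enabled"] = True          # bare 'failover' turns the feature on
        elif tok[1:3] == ["lan", "unit"]:
            fo["unit"] = tok[3]
        elif tok[1:3] == ["lan", "interface"]:
            fo["lan_if"], fo["lan_phys"] = tok[3], tok[4]
        elif tok[1] == "link":
            fo["link_if"] = tok[2]        # stateful failover link
        elif tok[1:3] == ["interface", "ip"]:
            fo["ip"] = " ".join(tok[3:])  # name, address, mask, standby address
        elif tok[1] == "key" or tok[1:3] == ["ipsec", "pre-shared-key"]:
            fo["key"] = True              # failover traffic is protected
    return fo


def parse_interfaces(conf: str) -> dict:
    """Return {nameif: (ip, standby_ip_or_None)} for each named interface."""
    result, nameif, ip, standby, in_block = {}, None, None, None, False
    for line in conf.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # a top-level command closes any block
            if in_block and nameif:
                result[nameif] = (ip, standby)
            nameif = ip = standby = None
            in_block = line.startswith("interface ")
            continue
        if not in_block:
            continue
        tok = line.split()
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"]:
            ip = tok[2]
            if "standby" in tok:
                standby = tok[tok.index("standby") + 1]
    if in_block and nameif:
        result[nameif] = (ip, standby)
    return result


def audit_pair(primary_conf: str, secondary_conf: str) -> list:
    """Compare the two units and return the findings, most severe first."""
    a, b = parse_failover(primary_conf), parse_failover(secondary_conf)
    findings = []
    units = sorted(u for u in (a["unit"], b["unit"]) if u)
    if units != ["primary", "secondary"]:
        findings.append(Finding("error", f"expected one primary and one secondary unit, got {units}"))
    for key, label in (("lan_if", "failover interface name"),
                       ("lan_phys", "failover physical interface"),
                       ("ip", "failover interface ip")):
        if a[key] != b[key]:
            findings.append(Finding("error", f"{label} differs: {a[key]!r} vs {b[key]!r}"))
    for fo in (a, b):
        name = fo["unit"] or "unknown unit"
        if not fo["enabled"]:
            findings.append(Finding("error", f"{name}: 'failover' is not enabled"))
        if not fo["key"]:
            findings.append(Finding("warn", f"{name}: no failover key configured, "
                                            "failover and state traffic is sent in plain text"))
    if a["link_if"] is None:
        findings.append(Finding("info", "no 'failover link': connection state is not replicated"))
    # Interface configuration replicates from the active unit, so check it there only.
    for nameif, (ip, standby) in parse_interfaces(primary_conf).items():
        if ip and standby is None:
            findings.append(Finding("warn", f"interface {nameif}: no standby address, the active "
                                            "unit can only track link state on the peer's interface"))
    order = {"error": 0, "warn": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit_pair(ASA1_CONF, ASA2_CONF):
        print(f"[{f.severity}] {f.message}")
```

Run against the two sample configs, the only findings are the two plain-text warnings, which is exactly the state the configuration on this page leaves the pair in; adding a `failover key` line to both units clears them, and a physical-interface mismatch on the secondary is reported as an error because the two units would never form a pair.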

ASA2

conf t
failover lan unit secondary
failover lan interface FAIL_OVER GigabitEthernet0/2