Cisco ASA Firewall Active Standby Failover
In Active/Standby failover, one device acts as the active unit and the other as the standby. The active device handles all traffic and replicates the configuration and states to the standby. By default, all interfaces are monitored to trigger failover. If an interface goes down on the active device, the standby takes over the active role, and users do not face any network interruption because the standby already has all active connection states. The standby also takes the primary IP address and primary MAC address, while the former primary takes the IP address and MAC address of the secondary. In transparent firewall mode, the standby takes the management IP address of the former active ASA.
Configuration changes or additions made on the active device are replicated to the standby, but changes made on the standby are not replicated to the active device.
To configure Active/Standby failover, we need to configure the failover link and the stateful link. The stateful link is optional.
We can use the same interface for both links or separate interfaces.
By default, the communications on the failover and stateful failover links are plain text (unencrypted). But we can encrypt this communication for enhanced security by configuring an IPsec encryption key.
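The configuration below is an added example, not taken from the original page, showing the failover link, the optional stateful link and the IPsec key on both units. The interface IDs, the link names FOLINK and STATELINK, all addresses and the key are placeholders chosen for illustration.

```cisco
! Constructed example: interface IDs, link names, addresses and the key are placeholders.
! ----- Primary unit -----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! The standby address is used by the standby unit until a failover swaps the roles
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
interface GigabitEthernet0/2
 description LAN failover link
 no shutdown
interface GigabitEthernet0/3
 description Stateful failover link (optional)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! To share one interface for both links, use "failover link FOLINK" and skip STATELINK
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Without this line the failover and stateful traffic crosses the link in plain text
failover ipsec pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>
failover
!
! ----- Secondary unit (only the failover bootstrap is entered by hand) -----
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! The key must match the primary, otherwise the units cannot talk over the failover link
failover ipsec pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>
failover
!
! ----- Verification on either unit -----
show failover
show running-config failover
```

After the secondary syncs, make all further changes on the active unit only, since changes entered on the standby are not replicated back.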