Failover for High Availability in Cisco ASA

Failover for High Availability in Cisco ASA

Information About Failover and High Availability

Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

Types of Failover Configurations

The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.

Active/Active Failover: In Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode. When the ASA is configured for Active/Active stateful failover, you cannot enable IPsec or SSL VPN.

Active/Standby Failover: In Active/Standby failover, only one unit passes traffic while the other unit waits in a Standby state. Active/Standby failover is available on units running in either single or multiple context mode.

Both failover configurations support Stateful or Stateless (regular) failover.

Failover System Requirements

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any). Both units must have the same amount of RAM memory installed.

If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

Licensing Requirements

The licensed features such as SSL VPN peers or security contexts etc. on both units participating in failover must be identical.

Licensing Requirements for Active/Active Failover

The following table shows the licensing requirements for this feature:

Model License Requirement
ASA 5505 Not supported.
ASA 5510 Security Plus License.
All other models Base License.

Licensing Requirements for Active/Standby Failover

The following table shows the licensing requirements for this feature:

Model License Requirement
ASA 5505 Security Plus License. (Stateful failover is not supported).
ASA 5510 Security Plus License.
All other models Base License.

 Failover Link

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:

  • The unit state (active or standby)
  • Hello messages (keep-alives)
  • Network link status
  • MAC address exchange
  • Configuration replication and synchronization
Caution: All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the ASA to terminate VPN tunnels.

You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the Stateful Failover link).

Connect the LAN failover link in one of the following two ways:

  • Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the LAN failover interfaces of the ASA.
  • Using an Ethernet cable to connect the ASAs directly, without the need for an external switch. The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:

  • You can use a dedicated Ethernet interface for the Stateful Failover link.
  • If you are using LAN-based failover, you can share the failover link.
  • You can share a regular data interface, such as the inside interface. However, this option is not recommended. Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment. Using a data interface as the Stateful Failover interface is supported in single context, routed mode only.

If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link. Don’t forget to enable the PortFast option on Cisco switch ports that connect directly to the ASA.

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the adaptive security appliances:

  • Cisco ASA 5510

– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

  • Cisco ASA 5520/5540/5550

Stateful link speed should match the fastest data link.

  • Cisco ASA 5580/5585

Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.

For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.

Avoiding Interrupted Failover Links

Because ASAs uses failover LAN interfaces to transport messages between primary and secondary units, if a failover LAN interface is down (that is, the physical link is down or the switch used to connect the LAN interface is down), then the ASA failover operation is affected until the health of the failover LAN interface is restored.

In the event that all communication is cut off between the units in a failover pair, both units go into the Active state, which is expected behavior. When communication is restored and the two active units resume communication through the failover link or through any monitored interface, the primary unit remains active, and the secondary unit immediately returns to the Standby state. This relationship is established regardless of the health of the primary unit.

Command Replication

Command replication always flows from the active unit to the standby unit. As commands are entered on the Active unit, they are sent across the failover link to the standby unit. You do not have to save the active configuration to Flash memory to replicate the commands.

Command Replicated to Standby Unit Commands Not Replicated to Standby Unit
all configuration commands except for the modefirewall, and failover lan unit commands all forms of the copy command except for copy running-config startup-config
copy running-config startup-config all forms of the write command except for write memory
delete crypto ca server and associated sub-commands
mkdir debug
rename failover lan unit
rmdir firewall
write memory mode
show
terminal pager and pager

Changes made on the standby unit are not replicated to the active unit. If you enter a command on the standby unit, the ASA displays the following message:

**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.

This message displays even when you enter many commands that do not affect the configuration. If you enter the write standby command on the active unit, the Standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

For multiple context mode, when you enter the write standby command in the system execution space, all contexts are replicated. If you enter the write standby command within a context, the command replicates only the context configuration.

Replicated commands are stored in the running configuration. To save the replicated commands to the Flash memory on the Standby unit, do the following:

  • For single context mode, enter the copy running-config startup-config command on the Active unit. The command is replicated to the Standby unit, which proceeds to write its configuration to Flash memory.
  • For multiple context mode, enter the copy running-config startup-config command on the Active unit from the system execution space and within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit.

Failover Triggers

The unit can fail if one of the following events occurs:

  • The unit has a hardware failure or a power failure.
  • The unit has a software failure.
  • Too many monitored interfaces fail.
  • The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.

Configuring Active/Active Failover

In this section, we will discuss how to configure Active/Active failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Follow these steps to configure Active/Active Failover:

These steps provide the minimum configuration needed to enable failover on the primary unit.

Configuring the Primary Failover Unit

Step 1 Configure the interface addresses from within each context. Use the change to context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

ciscoasa1(config)# changeto context context-a
ciscoasa1/context(config)# interface gigabitEthernet 0
ciscoasa1/context(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

In transparent firewall mode, enter the command in global configuration mode. You must enter a management IP address for each context in transparent firewall mode.

Step 2 Change back to the system execution space.

ciscoasa1/context(config)# changeto system

Step 3 Designate the unit as the Primary unit

ciscoasa1(config)# failover lan unit primary

Step 4 Specify the interface to be used as the failover interface using failover lan interface if_name phy_if command, where the if_name argument assigns a name to the interface specified by the phy_if argument and the phy_if argument can be the physical port name, such as Ethernet1, or an existing subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive ASA, the phy_if specifies a VLAN. This interface should not be used for any other purpose

ciscoasa1(config)# failover lan interface folink GigabitEthernet 3

Step 5 Assigns the active and standby IP addresses to the failover link using failover interface ip if_name ip_address mask standby ip_address command, where standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the failover link.

ciscoasa1(config)# failover interface ip folink 192.168.10.1 255.255.255.0 standby 192.168.10.2

The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

Step 6 (Optional) Specify the interface to be used as the Stateful Failover link using failover link if_name phy_if command, where the if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_ifargument can be the physical port name, such as Ethernet1, or an existing subinterface, such as Ethernet0/2.3.

ciscoasa1(config)# failover link folink GigabitEthernet 2

Step 7 (Optional)  Assign an active and standby IP address to the Stateful Failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the Stateful Failover link.

ciscoasa1(config)# failover interface ip folink 192.168.20.1 255.255.255.0 standby 192.168.20.2

Step 8 Enable the interface.

ciscoasa1(config)# interface GigabitEthernet 3
ciscoasa1(config-if)# no shutdown

Step 9 Configure the failover groups. You can have only two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode.

ciscoasa1(config)# failover group 1
ciscoasa1(config-fover-group)# primary
ciscoasa1(config-fover-group)# exit
ciscoasa1(config)# failover group 2
ciscoasa1(config-fover-group)# secondary
ciscoasa1(config-fover-group)# exit

For each failover group, specify whether the failover group has primary or secondary preference using the primary or secondary commands. You can assign the same preference to both failover groups. For traffic sharing configurations, you should assign each failover group a different unit preference.

Step 10 Assign each user context to a failover group (in context configuration mode).

ciscoasa1(config)# context admin
ciscoasa1(config-context)# join-failover-group 1
ciscoasa1(config-context) exit

Step 11 Define a key string that will be used to encrypt the LAN-based failover traffic between failover units.

ciscoasa1(config)# failover key Cisco123

The failover key must match on both ASAs.

Step 12 Enable the failover using failover global command.

ciscoasa1(config)# failover

Step 12 Save the system configuration to Flash memory.

ciscoasa1(config)# copy running-config startup-config

Configuring the Secondary Failover Unit

Follow these steps to configure the secondary unit in a LAN-based, Active/Active failover configuration.

Step 1 Specify the interface to be used as the failover interface.

ciscoasa2(config)# failover lan interface folink GigabitEthernet 3

Step 2 Assign the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface but cannot assign both types of addresses to the failover link.

ciscoasa2(config)# failover interface ip folink 192.168.10.1 255.255.255.0 standby 192.168.10.2

Step 3 Enable the interface.

ciscoasa2(config-if)# interface GigabitEthernet 3
ciscoasa2(config-if)# no shut

Step 4 Designate this unit as the secondary unit. This step is optional because, by default, units are designated as secondary unless previously configured.

ciscoasa2(config)# failover lan unit secondary

Step 5 Define a key string that will be used to encrypt the LAN-based failover traffic between failover units.

ciscoasa2(config)# failover key Cisco123

The failover key must match on both ASAs.

Step 6 Enable failover.

ciscoasa2(config)# failover

After you enable failover, the Active unit sends the configuration in running memory to the Standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the active unit console.

Step 6 Enter the following command to save running-config to flash memory after the running configuration has completed replication.

ciscoasa2(config)# copy running-config startup-config

Configuring Optional Active/Active Failover Settings

Configuring Failover Group Preemption

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously. However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the unit as a priority do not become active on that unit unless manually forced over, unless a failover occurs, or unless the failover group is configured with the preempt command. The preempt command causes a failover group to become active on the designated unit automatically when that unit becomes available.

Enter the following commands to configure preemption for the specified failover group:

Step 1 Specify the failover group.

ciscoasa1(config)# failover group 1

Step 2 Enable preempt to cause the failover group to become active on the designated unit.

ciscoasa1(config-fover-group)# preempt 

Enabling HTTP Replication with Stateful Failover

To allow HTTP connections to be included in the state information, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information.

You can use the replication http command to cause a failover group to replicate HTTP state information when Stateful Failover is enabled.

Step 1 Specify the failover group.

ciscoasa1(config)# failover group 1

Step 2 Enable HTTP state replication for the specified failover group.

ciscoasa1(config-fover-group)# replication http 

This command affects only the failover group in which it was configured. To enable HTTP state replication for both failover groups you must enter this command in each group. This command should be entered in the system execution space.

Configuring Failover Criteria

By default, if a single interface fails failover occurs. You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before a failover occurs. The failover criteria is specified on a failover group basis.

To change the default failover criteria for the specified failover group, enter the following commands:

Step 1 Specify the failover group.

ciscoasa1(config)# failover group 1

Step 2 Specify the policy for failover when monitoring detects an interface failure.

asa1(config-fover-group)# interface-policy 1

Entering num signifies the number of interfaces. Entering num % (with a percent sign) signifies a percentage of the total number of interfaces.

Configuring Active/Standby Failover

In this section, we will configure the LAN-based, Active/Standby failover. These steps provide the minimum configuration needed to enable failover.

Configuring the Primary Unit

Step 1 Configure the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface.

ciscoasa1(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2

In routed firewall mode and for the management-only interface, enter this command in interface configuration mode for each interface.

In transparent firewall mode, enter the command in global configuration mode.

In multiple context mode, configure the interface addresses from within each context. Use the changeto context command to switch between contexts.

Step 2 Designate the unit as the primary unit.

ciscoasa1(config-if)#  failover lan unit primary

Step 3 Specify the interface to be used as the failover interface using failover lan interface if_name phy_if command, where the if_name argument assigns a name to the interface specified by the phy_if argument and the phy_if argument can be the physical port name, such as Ethernet1, or an existing subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive ASA, the phy_if specifies a VLAN.

ciscoasa1(config)# failover lan interface folink GigabitEthernet 3

Step 4 Assigns the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface but not both types of addresses to the failover link.

ciscoasa1(config)# failover interface ip folink 192.168.20.1 255.255.255.0 standby 192.168.20.2

Step 5 Enable the interface.

ciscoasa1(config)# interface vlan 200
ciscoasa1(config-if)# no shutdown

Step 6 (Optional) Specify the interface to be used as the Stateful Failover link.

ciscoasa1(config)# failover link statelink GigabitEthernet 2

Step 7 (Optional) Assign an active and standby IP address to the Stateful Failover link. You can assign either an IPv4 or an IPv6 address to the interface. You cannot assign both types of addresses to the Stateful Failover link.

ciscoasa1(config)# failover interface ip folink 192.168.20.1 255.255.255.0 standby 192.168.20.2

Step 8 (Optional) Enable the interface. If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface.

ciscoasa1(config)# interface vlan 200
ciscoasa1(config-if)# no shutdown

Step 9 Enable the failover using failover global command.

ciscoasa1(config)# failover

Step 10 Save the system configuration to Flash memory.

ciscoasa1(config)# copy running-config startup-config

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to communicate initially with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

Step 1 Specify the interface to be used as the failover interface. (Use the same settings that you used for the primary unit.)

ciscoasa2(config)# failover lan interface folink vlan 200

Step 2 Assign the active and standby IP addresses to the failover link. You can assign either an IPv4 or an IPv6 address to the interface but not both types of addresses to the failover link.

ciscoasa2(config)# failover interface ip folink 192.168.20.1 255.255.255.0 standby 192.168.20.2

Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit (including the same IP address).

Step 3 Enable the interface.

ciscoasa2(config)# interface vlan 200
ciscoasa2(config-if)# no shutdown

Step 4 (Optional) Designate this unit as the secondary unit

ciscoasa2(config)# failover lan unit secondary

This step is optional because, by default, units are designated as secondary unless previously configured.

Step 5 Enable failover.

ciscoasa2(config)# failover

After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the active unit console.

Step 6 Save the configuration to Flash memory.

ciscoasa2(config)# copy running-config startup-config

Controlling Failover

Forcing Failover

To force the standby unit to become active, enter one of the following commands:

ciscoasa2# failover active

The above command forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.

Disabling Failover

To disable failover, enter the following command:

ciscoasa1(config)#no failover

The above command disables failover. Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start passing traffic.

Restoring a Failed Unit

To restore a failed unit to an unfailed state, enter the following command:

ciscoasa2(config)#failover reset

The above command restores a failed unit to an unfailed state. Restoring a failed unit to an unfailed state does not automatically make it active; restored units remain in the standby state until made active by failover (forced or natural).

Testing the Failover Functionality

To test failover functionality, perform the following steps:

Step 1 Test that your active unit is passing traffic as expected by using FTP (for example) to send a file between hosts on different interfaces.

Step 2 Force a failover by entering the following command on the active unit:

ciscoasa1(config)# no failover active

Step 3 Use FTP to send another file between the same two hosts.

Step 4 If the test was not successful, enter the show failover command to check the failover status.

Step 5 When you are finished, you can restore the unit to active status by enter the following command on the newly active unit:

ciscoasa1(config)# no failover active

Monitoring Failover

To monitor Active/Active or Active/Standby Failover, you can use the following commands:

  • show failover : Displays information about the failover state of the unit.
  • show monitor-interface : Displays information about the monitored interface. Enter this command within a security context.
  • show running-config failover : Displays the failover commands in the running configuration.

Back



Microsoft Certified | Cisco Certified