Active & Standby Failover

This guide shows how to establish redundancy by connecting two Cisco ASA appliances. The firewalls are configured in failover mode.

Introduction

Cisco ASA (Adaptive Security Appliance) is a firewall and security device produced by Cisco Systems. Failover in Cisco ASA refers to the ability of the device to seamlessly switch from one operational state to another in the event of a failure, ensuring high availability and continuity of service. Active/Standby failover mode is typically used in scenarios where high availability is crucial, such as in enterprise networks, data centers, or environments where uninterrupted access to network resources is essential. It provides redundancy and fault tolerance, minimizing the impact of hardware failures or maintenance activities on network operations.

Description
Active Unit: This is the ASA device that actively processes traffic and serves as the primary unit for handling network traffic. It is the unit that is currently active and functioning normally.
Standby Unit: This is the ASA device that remains in a standby state, ready to take over if the active unit fails. The standby unit continuously monitors the health and status of the active unit. It does not process traffic unless it becomes the active unit due to a failover event.
Stateful Failover: In Active/Standby mode, the standby unit continuously replicates the connections and states from the active unit. This ensures that if a failover occurs, the standby unit can seamlessly take over without disrupting existing connections.
Automatic Failover: If the active unit fails, the standby unit automatically becomes active, taking over the responsibilities of processing network traffic. This transition happens without requiring manual intervention, reducing downtime.
Health Monitoring: Both units constantly monitor each other's health and status. If the standby unit detects that the active unit is unreachable or has failed, it initiates a failover process.
Configuration Sync: Configuration changes made on the active unit are automatically synchronized with the standby unit. This ensures that both units have consistent configurations, making the failover process smoother.
Virtual MAC Address and IP Address: To ensure seamless failover, both units share a virtual MAC address and IP address. This virtual address floats between the units depending on which one is active.

Topology

The ASA firewalls use an Ethernet port to establish a failover link between each other. The same link can also carry the connection state information, or a separate link can be configured just for the state exchange.

Description
1. Turn on the firewalls and open serial connections to the command line interfaces
2. Configure the interfaces for failover on each device - use the same interface on both devices
3. Interconnect the failover interfaces - the firewalls will start the configuration replication
4. Verify that the failover mode is running correctly - use the commands "show failover" and "show failover state"
5. Configure the ASA on the primary device - every configuration change will be replicated to the standby device automatically
