The Cisco ASA firewalls have supported active/passive failover for years. There has been a lot of confusion, though, because there are two types of failover:

  1. Basic Failover - With Basic Failover, the two units send heartbeats to each other over a dedicated interface. If the Primary stops responding, the Secondary unit assumes the Primary unit’s IP address and takes over. The important thing to remember here is that any state-based sessions (ssh, ftp, smtp, etc.) will get reset. This can be very disruptive!
  2. Stateful Failover - Think of this as an add-on feature to Basic Failover. In addition to the interface for Basic Failover, a second interface is required to pass state information from the Primary to the Secondary unit. With real-time state being synchronized between the two units, there should be zero interruption in the event of a failure.

Notes: In the examples below, you might notice that I am using the Management0/0 interface for Basic Failover. This isn’t a requirement - you can use any interface. However, since my budget isn’t infinite, I like to use Management0/0 to preserve as many of the ‘real’ interfaces as possible. Also, I should mention that for both Basic and Stateful Failover, I use crossover Ethernet cables. For example, Management0/0 on the Primary unit is plugged directly into Management0/0 on the Secondary unit.


# Basic Failover Example

In this example, we’ve got a pair of Cisco ASA 5510s running 7.2.1. Basic Failover requires one dedicated interface (Management0/0).

```
interface Ethernet0/0
 description Outside Network
 nameif outside
 security-level 90
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

interface Ethernet0/1
 description Inside Network
 nameif inside
 security-level 50
 ip address 192.168.55.1 255.255.255.0 standby 192.168.55.2

interface Management0/0
 description LAN Failover Interface

failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
```


# Stateful Failover Example

In this example, I have a pair of Cisco ASA 5550s running 8.0.4. Stateful Failover requires two dedicated interfaces (Management0/0 for the LAN failover link and GigabitEthernet0/1 for the state link).

```
interface GigabitEthernet0/0
 description Outside Network
 nameif outside
 security-level 90
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2

interface GigabitEthernet0/1
 description STATE Failover Interface

interface Management0/0
 description LAN Failover Interface

interface GigabitEthernet1/0
 description Inside Network
 nameif inside
 security-level 50
 ip address 192.168.55.1 255.255.255.0 standby 192.168.55.2

failover
failover lan unit primary
failover lan interface fobasic Management0/0
failover key *****
failover link fostate GigabitEthernet0/1
failover interface ip fobasic 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover interface ip fostate 192.168.201.1 255.255.255.0 standby 192.168.201.2
```


# Useful Failover Commands

I run `show failover` frequently, usually any time I’m logging onto an ASA that I haven’t touched in a few weeks. It’s the perfect way to verify that a) there has been no failover event and b) there is no Active/Standby flapping going on. Check out the example below - see how the ‘Active time’ on the Secondary unit is at zero? That is awesome. It means that since its last reboot, the Secondary unit has never become the Active member of the pair. I will almost always end a failover test or software upgrade with a gratuitous reboot of the Secondary unit to set that timer back to zero - after all, it’s just polite to clean up after yourself.

```
fw01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 05:33:36 UTC Mar 27 2010
	This host: Primary - Active
		Active time: 24502604 (sec)
		slot 0: ASA5550 hw/sw rev (2.0/8.0(4)) status (Up Sys)
		  Interface outside (192.168.99.1): Normal
		  Interface inside (192.168.55.1): Normal
		slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
	Other host: Secondary - Standby Ready
		Active time: 0 (sec)
		slot 0: ASA5550 hw/sw rev (2.0/8.0(4)) status (Up Sys)
		  Interface outside (192.168.99.2): Normal
		  Interface inside (192.168.55.2): Normal
		slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
```
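The checks described above (failover on, versions matching, Primary Active, Secondary Standby Ready with zero Active time, all monitored interfaces Normal) are easy to script against saved `show failover` output. This is an added example, not part of the original post or any Cisco tool; the sample text is constructed to mirror the output shown above, and the field names and finding strings are my own choices.

```python
import re

# Sample `show failover` output, constructed to mirror the post's example above.
SAMPLE = """Failover On
Version: Ours 8.0(4), Mate 8.0(4)
\tThis host: Primary - Active
\t\tActive time: 24502604 (sec)
\t\t  Interface outside (192.168.99.1): Normal
\t\t  Interface inside (192.168.55.1): Normal
\tOther host: Secondary - Standby Ready
\t\tActive time: 0 (sec)
\t\t  Interface outside (192.168.99.2): Normal
\t\t  Interface inside (192.168.55.2): Normal
"""

def parse_show_failover(text):
    # Pull out only the fields the health check needs.
    info = {"enabled": False, "versions": (), "hosts": [], "interfaces": []}
    host = None  # the "This host"/"Other host" block we are currently inside
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Failover On"):
            info["enabled"] = True
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", s):
            info["versions"] = (m.group(1), m.group(2))
        elif m := re.match(r"(?:This|Other) host: (\S+) - (.+)", s):
            host = {"unit": m.group(1), "state": m.group(2), "active_time": 0}
            info["hosts"].append(host)
        elif host and (m := re.match(r"Active time: (\d+) \(sec\)", s)):
            host["active_time"] = int(m.group(1))
        elif host and (m := re.match(r"Interface (\S+) \([\d.]+\): (\S+)", s)):
            info["interfaces"].append((host["unit"], m.group(1), m.group(2)))
    return info

def failover_health(info):
    # Return a list of findings; an empty list means the pair looks healthy.
    findings = []
    if not info["enabled"]:
        findings.append("failover is off")
    if len(set(info["versions"])) != 1:
        findings.append("software version mismatch between units")
    for h in info["hosts"]:
        expected = "Active" if h["unit"] == "Primary" else "Standby Ready"
        if h["state"] != expected:
            findings.append(f"{h['unit']} is {h['state']}, expected {expected}")
        if h["unit"] == "Secondary" and h["active_time"] > 0:
            findings.append("Secondary has been Active since its last reboot")
    findings += [f"{u} interface {n} is {s}" for u, n, s in info["interfaces"] if s != "Normal"]
    return findings
```

Feed it the real output (for example, captured over SSH by whatever you already use for config backups) and alert on any non-empty result.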

The `failover` command itself can be quite useful. In particular, you should be aware that you can ssh into the Secondary unit and issue `failover active` if the Primary unit ever becomes non-responsive. Check out the options below:

```
fw01# failover ?

  active          Make this system to be the active unit of the failover pair
  exec            Execute command on the designated unit
  reload-standby  Force standby unit to reboot
  reset           Force an unit or failover group to an unfailed state
```