Cisco ASA High-Availibility & Fail-over – A Comprehensive Review

  • by
cisco asa ha

I’m going to go through some of the common issues, configurations, and optimizations for when one is deploying a highly-available Cisco ASA pair of Firewalls.

Operations

Verifying Cisco ASA HA

During ASA active/standby failover, what command on the Firewall will allow us to view how the failover has been behaving, whether it has failed in the past?

show failover history
asa show failover

How ASA Failover Behaves

Assume we have an active and standby ASA configuration. The active has just failed and we failover to the standby, what happens that allows traffic to continue flowing through?

The standby unit assumes the IPs and MACs of the primary unit.

In an active/standby pair of ASAs, what 2 ways does the standby unit monitor the active one?

  1. Use the failover lan interface for polling.
  2. Monitor interfaces in the dataplane (as long as you have a primary and secondary ip configured)

During Cisco ASA active/standby failover configuration, what is the default value if we do not explicitly configure a “failover interface-policy”?

The default configuration states that if we lose 1 interface we should failover.

If replacing a failed ASA in the active/standby pair, how do you add the new one in?

Just configure the unit as secondary along with the failover link, then enable failover. It should pull the config from the active unit.

On an Active/Standby PAIR of ASAs how are identity certs handled during failover?

They are copied over automatically via the config sync

During ASA active/standby failover, which certificate type is copied to the standby and which is not?

The identity certs are, but the local CA cert is not (if its a CA)

During ASA active/standby, assume the switchport leading to the active ASA’s inside interface G1/2 is misconfigured by accident. The interface has not technically gone down, nor the failover lan link, so what 3 ways can the the failover feature catch this software error?

asa failover topology

if ASA monitoring starts to fail these things are checked:

  • Is traffic being received on the interface
  • ARP request to all hosts from ARP cache
  • Pings broadcast address of subnet and wait for reply

If those fail then we consider this a software issue and failover to the standby. So in the case above the active ASA will check if traffic stops coming in, it will try to arp, and finally it will ping the broadcast address of the subnet. When those fail then a failover event will occur.

Switching HA Active Roles

With ASA active/standby, assume we are on the standby box and want to assume the active role, how do we do that?

en
failover active

Assume we have an ASA active/standby pair. Now assume we are on the active unit and want to failover to the standby, what command does that?

FROM THE ACTIVE UNIT:

en
conf t
no failover active

Assume we have an active and standby ASA pair. If we are on the active unit, how do we reboot the standby?

en
failover reload-standby

Configuration

Stateful HA

On an Active/Standby pair of ASAs, what addressing should you NOT configure on the failover and stateful links?

APIPA addressing. Otherwise, upgrades can fail because in later code an internal ASA interface uses it.

With ASA failover, what is the difference between stateless and stateful failover?

Stateless is when during a failover the state tables are not copied, and connections need to be re-established. This is the default mode.


In stateful failover the active unit constantly copies the xlates, tcp, udp and all other sessions to the standby unit constantly.

During ASA Active/Standby failover, what is the default mode stateless or stateful?

stateless is the default mode. This is bad and should always be changed or else you’ll find users notice when Firewalls failover.

On Cisco ASAs does the failover link have to be p2p or can it go through a switch?

It can go through a switch but it is recommended to just connect it p2p.

When configuring ASA active/standby what command assigns the FAILOVER link and what command assigns the STATEFUL link?

failover lan int - is for the FAILOVER link
failover link - is for the STATEFUL link

During ASA Active/Standby failover, what is required to change this config from stateless to stateful?

You must configure a stateful link via “failover link <NAME> <int>”
We can either dedicate a stateful link or we can double purpose the ‘failover lan’ link to be used for it.

In ASA active/standby, if you have stateful replication enabled, how do we enable HTTP flows to be statefully replicated as well?

en
conf t
failover replication http