Adaptive Security Appliance Failover

Adaptive Security Appliance ( ASA ) high availability offers the following:

Link High Availability : A generic solution achieved by dynamic routing running between interfaces. Dynamic routing enables reroute around failures. ASA offers up to three equal cost routes to the same destination network per interface. It does not support ECMP ( Equal Cost Multipath ) on multiple interfaces.

Reliable static routing with IP SLA instance : Redundancy achieved through enhanced object tracking and floating static routes.

Redundancy interface : Bind multiple physical interfaces together into one logical interface. Not the same as Etherchannel. One interface is active and forwarding at any one given time. Unlike Etherchannel, which can forward over all interfaces in a bundle. ASA redundancy interface is an active  / standby technology; one interface is active and the other is standby.

Node Availability :  Failover, which is the focus for this post.


Adaptive Security Appliance  Failover

A failover group consists of a pair of identical ASA connected via a dedicated failover link and an optional state link. Two types of failover modes: Active / Standby or Active / Active and works in Routed and Transparent mode. Depending on IOS version you can use a mixture of routed and transparent mode per contexts.

Active / Standby : One-forwarding path and active ASA. The standby forwards traffic when the active device fails over. Traffic is not evenly distributed over both units. Active / Standby uses single or multiple context mode.

Active / Active for groups of context: Not supported in single context mode. Only available in multiple context mode. Both ASAs forward at the same time by splitting the context into logical failover groups. Still, technically active / standby. Not like Gateway Load Balancing Protocol ( GLBP ). Two units do not forward for the same context at the same time.


ASA Failover

ASA Failover


Permits maximum of two-failover groups. One group assigned active on primary ASA, other group assigned active on secondary ASA.  Active / Active failover occur on a group and not system basis.

Upon failover event, either by primary unit failure or context group failure, the secondary takes over the primary IP and Media Access Control Address ( MAC ) address, and begins forwarding traffic immediately. The failover event is seamless; no change in IP or MAC results in zero refresh to Address Resolution Protocol ( ARP ) tables at Layer 3 hosts. If the failover was to change MAC addresses, all other Layer 3 devices on the network would have to flush their ARP tables.


Type of Failover

Two type of failovers are available A) Stateful failover and B) Stateless failover.

The default mode is Stateless; no state /  connection information is maintained and upon failover, existing connections are dropped and must be re-established. Uses a dedicated failover link to poll each other. Upon failover, which can be manual or detected, the unit change roles and standby assumes IP and MAC of primary unit.

Stateful failover; pass state / connection information to each other. Connection information could be Network Address Translation ( NAT ) tables, TCP / UDP connection states, IPSEC SA, ARP tables. The active unit constantly replicates state table. Every time a new connection comes into the table its copied to the standby unit. Processor intensive so you need to understand design requirements. Does your environment need-stateful redundancy? Does it matter if users have to redial or establish new AnyConnect session? Stateful failover requires a dedicated “stateful failover link.” The stateless failover link can be used but its recommended to separate these functions.


Dynamic routing protocols are maintained with stateful failover. The routes learned by the active unit are carried across to Routing Information Base ( RIB ) table on the standby unit. Hypertext Transfer Protocol ( HTTP ) connections are short-lived and HTTP clients usually retry failed connection attempts. As a result, by default, HTTP state is not replicated. The command failover replication http enables HTTP connections in replication.


Failover Link

The failover link is for Link Local communication between ASA’s and determines the status of each ASA. Layer 2 polling via HELLO Keepalives transmitted and configurations synchronized. Have the connecting switch ports in portfast mode ensuring if a flap of link occurs, no other Layer 2 convergence that will affect the failover convergence. For redundancy purposes use port-channels and do not use the same link used for stateless connectivity. Recommended to connect the failover and data links through different physical paths. Failover links should not use the same switch as the data interfaces as the state information may generate excessive amounts of traffic. You don’t want the replication of the state information to interfere with normal Keepalives.


The failover link can be connected direct or by Ethernet switch. If the failover link connects via an ethernet switch, ensure to uses separate vlan with no other devices in that Layer 2 broadcast domain. ASA supports Auto-MDI/MDIX enabling use of crossover or straight-through cable. MDI-MDIX automatically detects the cable type and swaps transmit/receive pairs to match the cable detected.


Note about Asymmetric routing

The problem with asymmetric traffic flows is if ASA receives a packet that it does not have any connection / state information for that packet, it will drop the packet. The issue may arise in the case of an Active / Active design connected to two different service providers. Does not apply to Active / Standby as the standby is not forwarding traffic, as a result will not receive returning traffic that was sent from active unit.

Possible to allow asymmetrical routed packets by assigning the similar interfaces to the same ASR group.


Asymmetric Traffic

Asymmetric Traffic


-An outbound session exists to ISP-A through Primary-A context.

-In this instance, return traffic flows from ISP-B to Primary-B context.

Traffic dropped as Primary-B does not have any state information for the original flow.

-However, due to interfaces configured in the same ASR Group, session information for the original outbound flow has replicated to Primary-B context. Layer 2 header rewritten and traffic redirected to Primary-B. Resulting in asymmetrical routed packets restored to correct interface.


Stateful failover and HTTP replication required.


Health Monitoring

Unit Monitoring: The failover link determines the health of the overall unit. HELLO packets are sent over the failover link. Lack of three consecutive HELLO’s cause ASA to send an additional HELLO packet out ALL data interfaces, including the failover link. Rules out failure of the actual failover link. The resulting action of ASA depends on the result of the additional HELLO packets. No action occurs if a response is received over the failover link or any of the data links. Failover actions occurs if no response is received on any of the links.


Interface Monitoring: The number of monitored interfaces depends on IOS version. You should always try to monitor important interfaces.

Note: In an IPv6 world, ASA uses IPv6 neighbor discovery instead of ARP for its health monitoring tests. If it has to broadcast to all nodes, it uses IPv6 FE02::1. FE02::1 is an all IPv6 speakers-multicast group.


About Matt Conran

Matt Conran has created 179 entries.

Leave a Reply