Understanding ASA High Availability

In this blog I want to cover all things relating to high availability (HA) with the Cisco ASA. To start let's cover the requirements for HA:

  • When pairing ASAs, they must be the same model with the same interfaces, modules, & RAM

  • The ASAs must be running in the same mode (routed or transparent)

  • Running the same software version

  • Have the same AnyConnect images on them

  • Be connected together via failover link

Now let's focus on the two failover types, ACTIVE/ACTIVE & ACTIVE/STANDBY. In ACTIVE/STANDBY one unit is active & passing traffic while the other sits in STANDBY mode not passing traffic. Upon failover the STANDBY unit takes over & passes traffic. For ACTIVE/ACTIVE failover the following are requirements & important to know:

  • Only supported in multi-context mode

  • Both units pass traffic

  • Failover occurs at failover group level

  • Ensure contexts are segregated into 2 failover groups

  • One context is active in one group & standby in the other
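As an added example (this is not configuration from the original post), here is how those ACTIVE/ACTIVE pieces fit together in the system execution space of a pair that is already running in multiple-context mode. Each context is joined to one of two failover groups, and group 2 is told to prefer the secondary unit so that each unit is active for one group. The context names, interface allocations and config-url paths are assumed for illustration.

```cisco
! System execution space of the primary unit (multiple-context mode assumed).
! The failover link itself is bootstrapped the same way as for ACTIVE/STANDBY.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/5
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
!
! Failover group 1 prefers the primary unit, group 2 prefers the secondary unit,
! so under normal conditions both units carry traffic (one group each).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Contexts are segregated into the two groups (names and paths are assumed).
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctxA.cfg
 join-failover-group 1
!
context ctxB
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
! Enable failover last, once both groups and their contexts exist.
failover
```

Failover is then decided per group: if group 1 fails on the primary unit, only ctxA moves to the secondary unit, while ctxB stays where it was. Use `show failover` in the system space to see which unit is active for each group.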

Another important factor to consider is deciding on stateful versus stateless failover. The difference between the two is as follows:

Stateless Failover = No connections are shared between the units so all connections are dropped.

Stateful Failover = the active ASA unit passes connection state information to standby unit so that upon failover the standby unit takes over and has connection state information.

With Stateful Failover the active unit passes the following information to the standby unit:

  • TCP/UDP connections

  • ARP table

  • NAT table

  • Bridge table

  • HTTP table & state if used

  • ISAKMP/IPsec table

  • SIP sessions

  • ICMP connections if used

  • Routing protocols

Next it is important to understand the different interface types used in ASA HA. There are 3 interface types I want to cover:

  1. Typical normal interfaces used to handle traffic

  2. Failover interface/link

  3. Stateful interface/link

Normal interfaces are typically configured with active & standby IPs/MAC addresses. The failover interface allows the two units in the HA pair to share the following information:

  • State

  • Link Status

  • Hello messages

  • Configuration replication/syncing

  • MAC addresses

A few things to note about the failover link/interface: it can be a physical interface or a port channel, but it must not have a nameif configured, and it must not be a shared interface.

The stateful interface/link allows the units to share connection state information. The cool thing here is that this link can be the same link as the failover link, to conserve interfaces. It can also be a dedicated physical interface or a port channel.
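The following is an added configuration example for an ACTIVE/STANDBY pair in single-context mode; it is not configuration taken from the original post. It shows the three interface types side by side: data interfaces with active and standby addresses, a failover link that is named through the failover command rather than with `nameif`, and a stateful link that reuses that same physical interface. All interface names, addresses and the shared secret are assumed placeholders.

```cisco
!===== Primary unit =====
failover lan unit primary
! Failover link: the name FOLINK is given here, NOT with nameif, and the
! interface carries no other traffic (it must not be a shared interface).
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Stateful link: reuse the failover link by naming the same interface.
! For a dedicated stateful link you would instead use another interface, e.g.
!   failover link STATELINK GigabitEthernet0/4
!   failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover link FOLINK GigabitEthernet0/3
! Authenticate and encrypt the hellos and replicated state on the link
! (placeholder secret, replace with your own)
failover key EXAMPLE-SHARED-SECRET
!
interface GigabitEthernet0/3
 no shutdown
!
! Normal data interfaces: the active unit owns the first address, the standby
! unit answers on the standby address, and the MAC addresses swap on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
failover

!===== Secondary unit (bootstrap only) =====
! Only the failover link needs to be configured here; the rest of the
! configuration is replicated from the active unit once failover is enabled.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key EXAMPLE-SHARED-SECRET
interface GigabitEthernet0/3
 no shutdown
failover
```

Note that both units are given the same `failover interface ip` line: the primary uses the first address and the secondary the standby address, and the roles swap on failover. After enabling failover on the secondary unit, `show failover` should report the peer as "Standby Ready" and `show failover state` confirms that configuration sync completed.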

In this next section I will cover the so-called health checks performed between the two units. The units rely on hello messages to determine each other's health. It is important to note that if a unit misses 3 hello messages in a row on the failover link, it sends a hello message on all of its interfaces to see if the peer responds. There are a couple of items to be aware of relating to health checks:

  • If there is no response on the failover link, the unit does not fail over.

  • If the unit receives a response on a data interface but not on the failover link, the unit will NOT fail over; it only marks the failover link as failed.

  • If no response is received on any interface, the standby unit becomes active & the other unit is declared failed.

Lastly, Cisco recommends monitoring only important interfaces. You can, however, monitor up to 250 interfaces.
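Here is an added example (not configuration from the original post) of how the health checks described above are tuned on an ASA: the unit and interface hello/hold timers, which interfaces are monitored, and how many monitored interfaces must fail before the unit fails over. The interface names `outside`, `inside` and `management` are assumed to exist as nameifs on the data interfaces.

```cisco
! Unit health: send a hello on the failover link every 1 s; after 5 s without
! hearing from the peer, start the interface tests described above.
! (hold time must be at least 3x the poll time)
failover polltime unit 1 holdtime 5
!
! Interface health: hello every 5 s on monitored interfaces, 25 s hold time
failover polltime interface 5 holdtime 25
!
! Monitor only the interfaces whose loss should actually trigger a failover.
! Physical interfaces are monitored by default; the management interface is
! excluded here so that an out-of-band outage does not cause a failover.
monitor-interface outside
monitor-interface inside
no monitor-interface management
!
! Fail over as soon as 1 monitored interface fails
! (a percentage such as 50% is also accepted)
failover interface-policy 1
```

`show monitor-interface` lists each monitored interface with its state (Normal, Testing, Failed) on both units, and `show failover` reports how many of the 250 possible interfaces are currently monitored, which is the quickest way to confirm the policy does what you intend.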

For the last topic of this blog I will briefly cover replication. The standby unit in an ACTIVE/STANDBY HA pair keeps the replicated configuration in its running configuration. Note that the following items are not replicated between the units:

  • AnyConnect images & profiles

  • Local CAs

  • ASA Images

  • ASDM Images

  • CSD Images

To see more, check out the asa tag & additional posts relating to ASA HA. Cheers!

