Understanding ASA High Availability

In this blog I want to cover all things relating to high availability (HA) with the Cisco ASA. To start, let's cover the requirements for building an HA pair:

  • When pairing ASAs they must be the same model with the same interfaces (number & type), modules, & RAM

  • The ASAs must be running in the same mode (routed or transparent)

  • Running the same software version (a mismatch is only tolerated briefly during a hitless upgrade)

  • Have the same AnyConnect images on them

  • Be connected together via a failover link

Now let's focus on the two failover types: ACTIVE/ACTIVE & ACTIVE/STANDBY. In ACTIVE/STANDBY one unit is active & passing traffic while the other sits in STANDBY mode passing no traffic. Upon failover the STANDBY unit becomes active, takes over the active IP & MAC addresses, & passes traffic. For ACTIVE/ACTIVE failover the following are requirements & important to know:

  • Only supported in multiple context mode

  • Both units pass traffic (each unit is active for a different set of contexts)

  • Failover occurs at the failover group level, not the unit level

  • Segregate the contexts into 2 failover groups (the admin context is always in group 1)

  • Each failover group is active on one unit & standby on the other, so a context is active on whichever unit its group is active on
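
Here is an added example (mine, not part of the original post) of what the Active/Active bootstrap looks like in the system execution space of the primary unit. The interface names, addresses, context names & the key are placeholders I made up, not values from any real deployment.

```cisco
! Added example, not from the original post: Active/Active failover bootstrap
! entered in the system execution space of the PRIMARY unit. Interface names,
! addresses, context names and the key are placeholders (assumptions).
!
! Multiple context mode is a prerequisite (this command reboots the unit):
mode multiple
!
! Failover link: dedicated interface, no nameif. Naming the same interface in
! "failover link" makes it carry state replication as well, saving a port.
interface GigabitEthernet0/3
 description FAILOVER-AND-STATE-LINK
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Always set a key; without one hellos, state and config replication cross the wire in clear text.
failover key CHANGEMEsharedsecret
!
! Two failover groups. Group 1 normally runs active on the primary unit,
! group 2 on the secondary; "preempt" hands the group back when that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Split the contexts across the groups so each unit is active for part of them.
! The admin context always belongs to group 1.
admin-context admin
context admin
 allocate-interface Management0/0
 join-failover-group 1
 config-url disk0:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 join-failover-group 1
 config-url disk0:/ctxA.cfg
context ctxB
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/4
 join-failover-group 2
 config-url disk0:/ctxB.cfg
!
failover
!
! On the SECONDARY unit only the bootstrap differs: the same failover lan/link/ip/key
! lines, "failover lan unit secondary", "no shutdown" on the link, then "failover".
! Standby IPs are set inside each context on its data interfaces.
! Verify per-group roles with: show failover group 1  /  show failover group 2
```

The thing to notice is that nothing here says which unit is "the active one": the roles live on the failover groups, & a failure only moves the group (and the contexts in it) whose monitored interfaces went down.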

Another important factor is deciding on stateful versus stateless failover. The difference between the two is as follows:


Stateless Failover = No connection information is shared between the units, so on failover every existing connection is dropped & clients must reconnect.

Stateful Failover = The active unit continuously passes connection state to the standby unit over the state link, so upon failover the new active unit already holds the connection table & established flows survive.


With Stateful Failover the active unit passes the following information to the standby unit:

  • TCP/UDP connections

  • ARP table

  • NAT table

  • Bridge table

  • HTTP connection table & states (only when HTTP replication is turned on with failover replication http; it is off by default)

  • ISAKMP/IPsec table

  • SIP sessions

  • ICMP connection state (where applicable)

  • Dynamic routes learned via routing protocols (the route table stays in sync)

Note that a few things are not replicated even with stateful failover, notably the user authentication (uauth) table & TCP state bypass connections, so those users re-authenticate & those flows are rebuilt after a switchover.

Next it is important to understand the different interface types used in ASA HA. There are 3 interface types I want to cover:

  1. Typical normal (data) interfaces used to handle traffic

  2. Failover interface/link

  3. Stateful interface/link

Normal interfaces are configured with an active & a standby IP address (with matching active/standby MAC addresses). The active unit always owns the active addresses, so neighbours never have to re-ARP after a switchover. The failover link allows the two units in the HA pair to share the following information:

  • Unit state (active or standby)

  • Link status

  • Hello messages

  • Configuration replication/syncing

  • MAC address exchange

A few things to note for the failover link/interface: you can use a physical interface or a port channel, but it must have no nameif configured & must not be shared with data traffic. Also, everything on this link, including the replicated configuration with its pre-shared keys & passwords, crosses the wire in clear text unless you configure a failover key, so always set one & keep the link on a dedicated cable or isolated VLAN.

The stateful interface/link allows the units to share connection state. The cool thing is that this link can be the same link as the failover link to conserve interfaces, although a dedicated state link is preferable where you can spare a port, since heavy state replication competes with the hellos on a shared link. Like the failover link, it can be a physical interface or a port channel.
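
To tie the three interface types together, here is an added example (mine, not from the original post) of a full Active/Standby bootstrap in single-context routed mode with a separate state link. Interface names, addresses & the key are placeholders I made up.

```cisco
! Added example, not from the original post: Active/Standby failover in
! single-context routed mode. Names, addresses and the key are placeholders (assumptions).
!
! ---- PRIMARY unit ----
! Data interfaces: each gets an active IP and a standby IP. The active unit owns
! the active IP/MAC, so a switchover is invisible to neighbouring devices.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Failover link and state link: dedicated ports, no nameif, never used for data.
interface GigabitEthernet0/2
 description FAILOVER-LINK
 no shutdown
interface GigabitEthernet0/3
 description STATE-LINK
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Separate stateful link (to share the failover link instead, point this at GigabitEthernet0/2).
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Without a key the config sync, state and hellos are sent in clear text.
failover key CHANGEMEsharedsecret
! Optional: also replicate HTTP connections (off by default; costs state-link bandwidth).
failover replication http
failover
!
! ---- SECONDARY unit ----
! Only the failover bootstrap is needed; the rest of the config syncs from the primary.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key CHANGEMEsharedsecret
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover
!
! Confirm roles, link state and the standby's sync status:
show failover
```

Note that both units are given the same failover interface ip line: the "standby" address on that line is what the secondary ends up using, & the primary keeps the first one.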


In this next section I will cover the health checks performed between the two units. The units rely on hello messages sent over the failover link to determine each other's health. If a unit misses 3 consecutive hello messages on the failover link, it sends hello messages out all of its monitored interfaces (failover link included) to see whether the peer responds. What happens next depends on where the replies come from:

  • If the unit receives a response on the failover link, it does not fail over.

  • If the unit receives a response on a data interface but not on the failover link, it does NOT fail over. It only marks the failover link as failed.

  • If no response arrives on any interface, the peer is declared failed & the unit takes over as active.

Lastly, Cisco recommends monitoring only the important interfaces. By default every physical interface is monitored, so use no monitor-interface to exclude ones such as the management interface, whose loss should not flip the pair. You can monitor up to 250 interfaces.
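
As an added example (mine, not from the original post), here is how the health-check timers & interface monitoring are tuned, plus the commands used to check & exercise a pair. Interface names & timer values are placeholders I chose for illustration.

```cisco
! Added example, not from the original post. Interface names and timer values
! are placeholders (assumptions); defaults are noted in the comments.
!
! Unit health: hellos on the failover link every 1 s by default. After 3 missed
! hellos the unit starts probing the peer on its other interfaces, and declares
! the peer failed once the hold time expires with no answer (default 15 s).
! Here: poll every 200 ms, hold 800 ms (hold time must be at least 3x the poll time).
! Faster failover, but more sensitive to a congested or lossy failover link.
failover polltime unit msec 200 holdtime msec 800
!
! Interface health: hellos on each monitored data interface every 5 s, hold 25 s
! (the defaults, shown for clarity).
failover polltime interface 5 holdtime 25
!
! Monitor only interfaces whose loss should trigger a switchover. Stop watching
! the management interface so a dead out-of-band switch does not flip the pair.
monitor-interface outside
monitor-interface inside
no monitor-interface management
!
! How many monitored interfaces must fail before failover (default 1).
failover interface-policy 1
!
! Verification: roles, failover/state link status, and each monitored
! interface as Normal / Waiting / Failed.
show failover
show monitor-interface
show failover history
!
! Controlled test from the ACTIVE unit: hand over to the standby, then watch
! whether existing connections survive (stateful) or are rebuilt (stateless).
no failover active
```

Run the manual switchover in a maintenance window & watch show failover on both sides: if the standby reports "Waiting" on a monitored interface while the active unit reports "Normal", that interface cannot exchange hellos between the units, usually a VLAN or cabling problem, & it will behave badly during a real failure.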


The last topic for this blog is replication. The standby unit in an ACTIVE/STANDBY HA pair keeps a copy of the active unit's running configuration: commands entered on the active unit are replicated to the standby over the failover link as you enter them, & write memory on the active unit saves the configuration to flash on both units. Commands entered directly on the standby are not replicated back to the active unit & are lost at the next sync. Files are not replicated at all, so the following must be copied to each unit separately:

  • AnyConnect images & profiles

  • Local CAs

  • ASA Images

  • ASDM Images

  • CSD Images

To see more check out the asa tag, & additional posts relating to ASA HA. Cheers!
