ASA LAN Failover question

Unanswered Question
Apr 1st, 2008


We have 2 5550 ASAs in active-standby mode - please see the attached diagram.

The ASAs' LAN Failover, Stateful Failover and Inside interfaces all physically connect into Cisco Catalyst 6500s.

We're about to test the resilience of our network design by powering off one of our 6500s. If ASA A was active and 6500 A was powered off, what would happen regarding failover?

The inside (monitored) interface and the LAN failover interface on ASA A both patch into 6500 A, which has been powered off. Does failover to ASA B happen because a monitored interface (inside) is down, or is there no failover because a failover link (LAN Failover) failed during operation?

Any insight appreciated.


amohabir1 Tue, 04/01/2008 - 07:46

Hey, it's so funny that I am actually doing the same thing now and we posted a similar scenario.

Anyway, the way it works is it will monitor the interfaces you specify. If one of your interfaces detects a link down (and it is specified as an interface that you are monitoring on the firewall), it will automatically force the secondary ASA to become active.

andrewswanson Tue, 04/01/2008 - 07:52

Thanks for the reply. The problem is that if the 6500 connected to the primary ASA loses power, then the primary ASA's Inside, LAN Failover and State Failover interfaces will all go down at the same time.

So the question is: does failover occur because the primary ASA's inside interface goes down, or is there no failover because the LAN Failover interface went down during operation?



amohabir1 Tue, 04/01/2008 - 09:34

Hey, can you show me what your config looks like for the active and secondary ASAs? I'm still having trouble with the failover times.


amohabir1 Tue, 04/01/2008 - 07:48

Let me know how long your failover takes, because right now my failover takes about a minute to recover when sourcing a ping from the inside to any internet site.

A ping to the firewall shows about 2-4 dropped pings before the secondary becomes active. I am not sure if this is normal behavior, but since you are doing a similar test, let me know what your results are.

andrewswanson Tue, 04/01/2008 - 07:56

We've already conducted some testing by manually failing over the ASAs and we aren't dropping any packets. Do you have Stateful Failover configured for your ASAs?


amohabir1 Tue, 04/01/2008 - 07:58

Yes, I do have stateful configured; however, I do not have any of the interfaces terminated onto a secondary switch. I just have straight cables connecting the firewalls. I guess it would make more sense to create a separate VLAN on the switch for this purpose. I guess I'll have to do that instead to see how that works out.
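As an added illustration (a constructed configuration, not either poster's), an ASA active/standby setup for the primary unit that places the LAN failover and Stateful Failover links on dedicated interfaces and explicitly monitors the inside interface, which is the element both posters are relying on; interface names, addresses and timers are assumed:

```text
! Constructed example for the primary unit; interface names, addresses and timers are assumed
failover
failover lan unit primary
! Dedicated LAN failover link (assumed interface GigabitEthernet0/2)
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Dedicated Stateful Failover link (assumed interface GigabitEthernet0/3)
failover link statelink GigabitEthernet0/3
failover interface ip statelink 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Unit and interface polling intervals in seconds (assumed values)
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
! The inside interface is monitored: a link-down on it counts toward the
! failover decision described in the thread. A standby address is required
! so the units can test each other's interface health.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
monitor-interface inside
interface GigabitEthernet0/2
 description LAN failover link
 no shutdown
interface GigabitEthernet0/3
 description Stateful failover link
 no shutdown
```

With the failover and state links cabled straight between the two units, as amohabir1 describes, the switch power test in the question only takes down the monitored inside interface rather than the failover links as well.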

