ASA in Active/Standby mode

Unanswered Question
Nov 28th, 2008

I have configured Active/Standby and it is working perfectly. I have also configured Stateful Failover in the firewall using the same interface as the failover link, Gig 0/0. That is, I am using the same interface for both the failover link and Stateful Failover (GigabitEthernet 0/0).

Failover is happening perfectly. I do not have any problem. But when I log in to the standby unit and enter the "show local-host" command, I am not seeing the state table, which appears on the active unit. I am afraid the firewalls may not really be replicating the state table with each other. My understanding is that the active unit will also replicate state information to the standby unit.

How does this work, and why does it behave like this? If anybody has a clue, please guide me.

torchris Sun, 11/30/2008 - 14:58

Yes, sure.

If you look at the following link, you will find the answer to your question:

The ASA units exchange the following information in a failover environment:

•The unit state (active or standby).

•Power status (cable-based failover only; available only on the PIX 500 series security appliance).

•Hello messages (keep-alives).

•Network link status.

•MAC address exchange.

•Configuration replication and synchronization.

Therefore the state table is not sent to the other unit.

Please let me know if you have further doubts.

Fernando_Meza Sun, 11/30/2008 - 15:28

Hi ..

Would you mind elaborating a bit more on your answer? Stateful failover actually replicates stateful information such as TCP/UDP connections, NAT, etc., so that if the active unit fails then the standby unit takes over without the requirement for re-establishing new sessions. Are we on the same track here?

Regular and Stateful Failover

The security appliance supports two types of failover, regular and stateful. This section includes the following topics:

•Regular Failover

•Stateful Failover

Regular Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

•NAT translation table.

•TCP connection states.

•UDP connection states.

•The ARP table.

•The Layer 2 bridge table (when running in transparent firewall mode).

•The HTTP connection states (if HTTP replication is enabled).

•The ISAKMP and IPSec SA table.

•GTP PDP connection database.

grant.maynard Mon, 12/01/2008 - 15:54

You are right, Fernando - state information is passed (except http). Try "sh conn" to see connections.
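A worked configuration for the setup under discussion, added here as an example; it is not taken from the thread or from Cisco's own documentation. It shows the stateful replication that Fernando_Meza quotes (failover link and stateful link sharing GigabitEthernet0/0, as the original poster describes) and the two points grant.maynard raises: HTTP connection state is replicated only when "failover replication http" is enabled, and "show conn" is where the replicated state is visible. The interface name FOLINK, the 10.0.0.0/30 addresses and the shared secret are assumptions; GigabitEthernet0/0 is the poster's interface.

```text
! Added example, not from the thread. FOLINK, 10.0.0.0/30 and <shared-secret> are assumptions.
!
! --- Primary unit ---
failover lan unit primary
! failover link (hello, unit state, config replication) on Gig0/0
failover lan interface FOLINK GigabitEthernet0/0
! stateful link (xlate, TCP/UDP conn, ARP, SA tables) on the same interface
failover link FOLINK GigabitEthernet0/0
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
! without a key, config replication and connection state cross this link in clear text
failover key <shared-secret>
! HTTP connections are not replicated unless this is enabled
failover replication http
interface GigabitEthernet0/0
 no shutdown
! enable failover last, once the link interface is up
failover

! --- Secondary unit (the rest of the configuration is replicated from the active unit) ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/0
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <shared-secret>
interface GigabitEthernet0/0
 no shutdown
failover

! --- Verification ---
! On either unit: "show failover" prints "Stateful Failover Logical Update Statistics",
! one row per object type (TCP conn, UDP conn, ARP tbl, ...) with xmit/rcv counters;
! the active unit's xmit counts should grow and the standby's rcv counts should track them.
! On the standby unit: "show conn" lists the replicated TCP/UDP connections.
```

Two practical notes. The "failover key" must be identical on both units; it is the only thing protecting the shared link, which carries the full running configuration (including any passwords and keys in it) and every replicated connection, so the link should be a dedicated, isolated segment between the two firewalls and never a shared VLAN. And because "show conn" on the standby reflects what has been received over the stateful link, the "TCP conn" and "UDP conn" rows of "show failover" on the active unit are the quickest place to confirm that updates are actually being transmitted.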

hclisschennai Tue, 12/02/2008 - 05:51

Hi, Thank you for your feedback.

I am using the stateful firewall failover.

If I issue the "show local-host" command on the standby unit, I am not seeing any information.

It is blank. I am surprised how this is happening.
