ASA Failover

Oct 1st, 2009

If an ASA has LAN failover and stateful crossover cables connected without an intermediate switch, and one ASA goes down, the other ASA senses that two links are down. Will this be an issue? In the second edition of the Cisco firewall handbook there is a tip not to connect them back to back, but it does not say what happens in a real situation.

Collin Clark Thu, 10/01/2009 - 08:18

Each interface should connect to a switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their own interfaces have a failure.

fvanlancker Thu, 10/01/2009 - 08:22

Hi Collin,

Thanks for the info, but do you think that the stateful and LAN links are also monitored? There is certainly no option to monitor them.

And what if the switch would fail? Will both ASAs become active?

Collin Clark Thu, 10/01/2009 - 08:26

You typically attach each ASA to a different switch for full redundancy. The failover link is inherently monitored because that link is where the majority of failover communications occur. If that link fails, then each ASA thinks it's primary.

fvanlancker Fri, 10/02/2009 - 05:20

a: 2 ASAs connected via 2 failover interfaces in active/standby configuration. The secondary ASA goes down.

What happens?

b: Same scenario but the primary goes down.

c: They both go down and come back up again, but the secondary is up first. How will the switches' MAC address tables and the routers' ARP tables handle this?

Collin Clark Fri, 10/02/2009 - 05:33

a. Nothing really. The primary still thinks it's primary and continues to pass traffic.

b. Once the heartbeat fails (2 times I believe) the secondary becomes primary and starts passing traffic.

c. The ARP tables will be empty because of the ASA outage so when the ASAs come back up, the switch will populate their ARP tables as normal. Since the 2nd ASA comes up first, it will be primary.

fvanlancker Fri, 10/02/2009 - 05:52

But the failover interfaces are monitored, so if I set the threshold to 1, no ASA will be active.

Collin Clark Fri, 10/02/2009 - 05:57

They both think they are active. They both want to be active. The active keeps telling the secondary to 'stand down, I'm in charge right now.' The standby keeps waiting and wanting to be in charge. As soon as it doesn't hear from the one in charge, it takes over and assumes the role.
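As an added illustration (not from this thread and not Cisco code), here is a small Python model of the hello/threshold behaviour described above: a unit that stops hearing from its peer takes over once an assumed miss threshold is reached, and a cut failover link with both units still up leaves two active units. The miss threshold and the primary-wins tie-break are assumptions of the model, not documented ASA values.

```python
# Toy model of active/standby failover hello monitoring (constructed example).
from dataclasses import dataclass

@dataclass
class Unit:
    name: str
    up: bool = True
    active: bool = False
    missed: int = 0   # consecutive poll intervals without a hello from the peer

def poll(units, link_up, threshold):
    """One poll interval. A running unit that hears its peer resets its miss
    counter; if both claim active while talking, the primary wins (assumed
    tie-break). A unit that misses `threshold` hellos assumes the active role."""
    a, b = units
    for me, peer in ((a, b), (b, a)):
        if not me.up:
            me.active, me.missed = False, 0
            continue
        if link_up and peer.up:
            me.missed = 0
            if peer.active and me.active:
                me.active = me.name == "primary"   # "stand down, I'm in charge"
        else:
            me.missed += 1
            if me.missed >= threshold:
                me.active = True   # no hellos heard: take over

def run(scenario, threshold=3, polls=5):
    """Return the names of units that consider themselves active after `polls`
    intervals for one of the scenarios discussed in the thread."""
    primary, secondary = Unit("primary", active=True), Unit("secondary")
    units, link_up = (primary, secondary), True
    if scenario == "secondary_down":
        secondary.up = False
    elif scenario == "primary_down":
        primary.up = False
    elif scenario == "link_down":          # both up, failover cable cut
        link_up = False
    elif scenario == "secondary_boots_first":
        primary.up = False
        for _ in range(polls):
            poll(units, link_up, threshold)   # secondary takes over meanwhile
        primary.up = True                     # primary returns, sees an active peer
    for _ in range(polls):
        poll(units, link_up, threshold)
    return [u.name for u in units if u.active]
```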
