ASA 5520 Failover Configurations

Answered Question
Nov 5th, 2009

Hi Experts

here is the show ver output of my 2xASA5520. I will be configuring Site-to-Site VPNs on the ASA. My plan is to have one unit as a Primary unit and the other as a Secondary (standby) unit. Will my VPNs work with the current failover mode (Active/Active) if I proceed to configuring the VPNs?

I have this problem too.
0 votes
Correct Answer by Panos Kampanakis about 7 years 2 months ago

8.2.1 can support active/active and active/standby.

But it will not change between them automatically unless configured.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

If you enable Stateful Failover, then VPN tunnels should failover in an active/standby configuration.

That said, in the real world I've seen problems with Firewall failover causing problems with VPN tunnels. Almost always the problem is with the tunnels that are terminated by older Cisco equipment or non-cisco equipment. I.e. Pix 501, 821 routers, etc. But in VPN tunnels between ASA's it seems to failover the tunnel just fine.

orbanattila Fri, 11/06/2009 - 22:00

When the ASA is configured for security contexts or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.

bericaleb Mon, 11/16/2009 - 19:04



So in my case, if the ASAs are on a single security context and failover is Active/Active, what do I do, if I want to also run IPSEC and SSL VPNs on these firewalls?

bericaleb Sun, 11/22/2009 - 18:17

Does anybody has an answer to my query? Please help.



mgischernsnw Sun, 11/22/2009 - 22:28

If your firewall is in single context mode, you should have no issues with failover and VPN.  You can check by entering "show mode".  You will see something similar to "Security context mode: single".

The Active/Active text in the output of "show ver" is simply saying that you are licensed to use Active/Active mode, which is only available in multiple context mode.

I'd recommend that you upgrade the software image on your ASAs to a later release before you deploy them.

mgischernsnw Sun, 11/22/2009 - 23:07

If you are deploying WebVPN features, you will want an 8.X release.  8.0.4 has been the most stable for me, though I have had to move certain clients to an interim build to resolve issues with authentication to CIFS servers.  8.2.1 is the most current release and I have not had any issues with it - so far

bericaleb Mon, 11/23/2009 - 16:00

will version 8.2.1 change the failover mode to Active/Standby?

Correct Answer
Panos Kampanakis Tue, 11/24/2009 - 06:52

8.2.1 can support active/active and active/standby.

But it will not change between them automatically unless configured.


bericaleb Tue, 11/24/2009 - 16:22

thankyou for the help. I will upgrade the software with the recommended version.


This Discussion